Off topic: Presuming it's not long since you ordered, I would expect any
decent expensive certificate issuer to allow you to get a new certificate
with the additional name of the non-wildcard same name without charge; they
will most likely want the original revoked before refunding.
Unless they don't want any more orders from you.
Back on topic again:
A browser should not even get to the redirect without warning. However, it
could well cache the redirect and not bother you with warning the next time
you went there in that browser session.
Neil
On 29 Oct 2013 17:13, "Felix Ferchland" <fe...@ferchland.org> wrote:

> I can tell you, it worked.
>
> I think the difference is the kind of redirect (URL vs header redirect).
>
> But I’m not an expert in proxy URL rewriting, so I simply have to deal
> with that.
>
> I can’t order a new certificate for the domain because it’s an EV cert and
> these are quite expensive…
>
> *From:* David Coulson [mailto:da...@davidcoulson.net]
> *Sent:* Tuesday, 29 October 2013 17:58
> *To:* Felix Ferchland
> *Cc:* Bhaskar Maddala; <haproxy@formilux.org>
> *Subject:* Re: AW: Loadbalancing with ssl on www only
>
> No way it worked with Apache. Ssl verification happens before http can do
> anything.
>
> Sent from my iPad
>
>
> On Oct 29, 2013, at 12:39 PM, "Felix Ferchland" <fe...@ferchland.org>
> wrote:
>
> So it’s simply impossible to redirect the request?
>
> I was using nginx as reverse proxy before and even apache can do that with
> a redirection…
>
> I’m a little surprised that this is simply impossible and I need another
> ssl certificate.
>
> But thanks for the quick answers!
>
> *From:* Bhaskar Maddala [mailto:madda...@gmail.com <madda...@gmail.com>]
> *Sent:* Tuesday, 29 October 2013 16:07
> *To:* David Coulson
> *Cc:* Felix; haproxy@formilux.org
> *Subject:* Re: Loadbalancing with ssl on www only
>
> Ahh, thank you
>
> -Bhaskar
>
> On Tue, Oct 29, 2013 at 10:56 AM, David Coulson <da...@davidcoulson.net>
> wrote:
>
> A wildcard cert is helpful for some things, but domain.com will not
> validate against a cert issued for *.domain.com
>
> On 10/29/13, 10:52 AM, Bhaskar Maddala wrote:
>
> If it is any help you can get a certificate for *.domain.com
>
> On Oct 28, 2013 9:37 PM, "Felix" <fe...@ferchland.org> wrote:
>
> Hello,
>
> I am using haproxy to loadbalance my web application but I ran into a
> problem with our ssl certificate.
> haproxy is also serving the ssl certificate to the clients. This works
> quite well. We only have a certificate for www as subdomain, so all traffic
> hitting haproxy should be redirected to https://www.
> If the visitor comes from non-ssl the domain can be rewritten without a
> problem, but if the visitor types the domain with ssl but without
> subdomain, the url can't be rewritten before the (in this case invalid) ssl
> certificate was served by haproxy.
> Is there a way to redirect an ssl request before serving the certificate?
>
> global
>    maxconn 4096
>    daemon
>    log 128.0.0.1 local0
>
> defaults
>    log          global
>    mode         http
>    contimeout   5000
>    clitimeout   50000
>    srvtimeout   50000
>    option forwardfor
>    retries 3
>    option redispatch
>    option http-server-close
>
> frontend http *:80
>    mode http
>    redirect location https://www.url.com if !{ ssl_fc }
>
> frontend https
>    # reqadd X-Forwarded-Proto:\ https
>    # www Redirect
>    mode http
>    acl non-www hdr(host)        url.com
>    redirect prefix https://www.url.com if non-www
>
>    bind *:443 ssl crt /crt/ssl.pem no-sslv3
>    default_backend web
>    option forwardfor
>
>
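
The ordering discussed in this thread, as an added example that is not part of any poster's message: a simplified RFC 6125 style name check, which the client runs during the TLS handshake before it can see any HTTP redirect. The function names and the three certificate name lists are hypothetical sample data built around the `url.com` placeholder from the posted config.

```python
# Added illustration: simplified hostname matching as done by a TLS client.
# Real clients apply further rules (public-suffix lists, IDN handling).

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so both names need the same label count.
    # This is why *.url.com cannot cover the bare url.com.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard is honoured only as the entire left-most label.
        # len > 2 is a simplified stand-in for public-suffix checks.
        return (len(p_labels) > 2 and bool(h_labels[0])
                and p_labels[1:] == h_labels[1:])
    # A "*" anywhere else in the name is not honoured.
    return "*" not in pattern and p_labels == h_labels


def cert_covers(san_dns_names, host):
    """True if any DNS name in the certificate matches the host."""
    return any(name_matches(name, host) for name in san_dns_names)


def handshake_then_redirect(san_dns_names, host, redirect_to):
    """Model the order of events: name check first, HTTP redirect second."""
    if not cert_covers(san_dns_names, host):
        return "certificate warning"  # the redirect is never reached
    return f"redirect to {redirect_to}"


# Constructed sample certificates (name lists only).
WWW_ONLY = ["www.url.com"]             # the setup described in the thread
WILDCARD = ["*.url.com"]               # the wildcard suggestion
REISSUED = ["www.url.com", "url.com"]  # reissue with the extra name

if __name__ == "__main__":
    for label, names in (("www only", WWW_ONLY), ("wildcard", WILDCARD),
                         ("reissued", REISSUED)):
        print(label, "->",
              handshake_then_redirect(names, "url.com", "https://www.url.com"))
```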
