Forum Discussion
Russell_E_Glaue
Feb 19, 2009 Nimbostratus
We actually do exactly what you are doing at our operations, just in a different approach.
First I have the project manager tell me what is the official main URL to the web site. Let's say for this it is:
1) https://sub.mycompany.com
Then I ask, what are the other unofficial URLs desired to be used, which will redirect to the official web site. Let's say for this they are:
1) http://sub.mycompany.com
2) http://www.sub.mycompany.com
3) https://www.sub.mycompany.com
The project manager has indicated the web site will be only SSL.
At this point I have to tell the project manager they have three options for SSL certificates:
1) purchase 2 SSL Certificates for https://sub.mycompany.com and https://www.sub.mycompany.com - two 1-year basic SSL certs from Network Solutions are about $200.
2) purchase 1 wildcard SSL certificate for https://*.mycompany.com which will cover both https://sub.mycompany.com and https://www.sub.mycompany.com, and also *theoretically* even https://www.one.two.three.four.sub.mycompany.com - one 1-year wildcard SSL Cert from Network Solutions is about $500.
3) purchase 1 SSL Certificate for https://sub.mycompany.com , and eliminate the desired URL https://www.sub.mycompany.com as one of the redirects.
Then I write the iRule to say
1) if the traffic comes in on port 80, and matches a redirect URL, redirect to the official URL.
2) if the traffic comes in on port 443, and matches a redirect URL, redirect to the official URL.
With these two iRules in place, it does not matter which of the three SSL Cert choices they choose to go with.
A note about SSL.
When a user types https://whatever.com/ into a web browser, the first thing the browser does is:
1) make a connection to the domain at port 443
2) initiate an encrypted SSL handshake
As a side note, if the web user types in http://whatever.com:443/ then for the second step it is a normal unencrypted HTTP session.
Using the protocol "https://" causes the browser to communicate via SSL, so the server will never receive any HTTP packets unless it is also communicating via SSL.
And thus, if you do not want an SSL mismatch in your scenario, you need the SSL cert(s) to protect every domain that is going to be accessed via "https://".
-RG
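The two redirect rules described in the post above, written out as one F5 iRule (an added example, not the poster's own code). It assumes the hostnames from the post (https://sub.mycompany.com official; the www and plain-HTTP variants are redirects) and that the same iRule is attached to both the port-80 and port-443 virtual servers, using the local port to tell the two cases apart. Note that the port-443 branch can only run after the TLS handshake has already succeeded, so the certificate presented on that virtual server must cover www.sub.mycompany.com, which is exactly the cert-choice point the post makes.

```tcl
# Added example: redirect unofficial hostnames to the official HTTPS URL.
# Assumed names (from the post): official site is https://sub.mycompany.com.
when HTTP_REQUEST {
    set official_host "sub.mycompany.com"

    # Host header, lower-cased and with any ":port" suffix removed,
    # so "WWW.Sub.MyCompany.com:443" still matches.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
    set port [TCP::local_port]

    if { $port == 80 } {
        # Port-80 rule: every plain-HTTP request for the official name or any
        # redirect name goes to the official HTTPS URL, keeping path and query.
        switch -- $host {
            "sub.mycompany.com" -
            "www.sub.mycompany.com" {
                HTTP::respond 301 Location "https://${official_host}[HTTP::uri]" Connection "close"
            }
            default {
                # Unknown Host header: nothing to redirect to, so the request
                # falls through to whatever the virtual server normally does.
            }
        }
    } elseif { $port == 443 } {
        # Port-443 rule: only the www variant is a redirect name here; the
        # official name is served as-is. Reaching this point means the client
        # already accepted the certificate, so it must cover www.sub.mycompany.com.
        if { $host equals "www.sub.mycompany.com" } {
            HTTP::respond 301 Location "https://${official_host}[HTTP::uri]" Connection "close"
        }
    }
}
```

A 301 with the original [HTTP::uri] appended keeps deep links working across the redirect; use 302 instead if the official URL is still expected to change.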