I am using NGINX on Ubuntu for 301 redirects and as a reverse proxy for my web application, and the aim is to redirect traffic to the non-www URL, such as https://mywebapplication.com.

So with my current config for NGINX Conf File:

mywebapplication.com -> https://mywebapplication.com
www.mywebapplication.com -> https://mywebapplication.com
http://mywebapplication.com -> https://mywebapplication.com
http://www.mywebapplication.com -> https://mywebapplication.com
123.456.789.123 -> https://mywebapplication.com
http://123.456.789.123 -> https://mywebapplication.com

This works fine, but when the IP with HTTPS is provided in the URL, I get "Your connection is not private."

https://123.456.789.123 -> Your connection is not private

Here's my NGINX Conf.

server {
    listen 123.456.789.123:80;

    location / {
        proxy_pass "http://localhost:4000/";
        proxy_http_version 1.1;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
    }
}

server {
    listen 123.456.789.123:80;
    server_name  123.456.789.123 123.456.789.123:4000;
    return       301 https://mywebapplication.com$request_uri;
}

server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name  mywebapplication.com www.mywebapplication.com;
    return       301 https://mywebapplication.com$request_uri;
}

server {
    listen       443 ssl http2;
    server_name  www.mywebapplication.com;
    return       301 https://mywebapplication.com$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name mywebapplication.com;
    ...
    ...
    ...
    ...
}

How can I handle the IP with HTTPS so that it results in a successful 301 redirection?

https://123.456.789.123 -> https://mywebapplication.com

Thanking you guys!

Dynamic Remo

1 Answer

The issue here is that you would need a TLS certificate for a bare IP address. According to this thread, such certificates are really rare. When you open the certificate in the browser (when it says "Your connection is not secure"), you see that the certificate is only valid for mywebapplication.com and not for 123.456.789.123.

A signed certificate for an IP address does not make much sense. Such a certificate would assure the user that he is connected to 123.456.789.123. However, this is not really telling. Without DNS, the user does not know who is behind this IP. A user wants to be assured that he is connected to the service identified by a domain name, e.g. mywebapplication.com, and doesn't really care if the IP is 123.456.789.123 or 321.654.987.321.

I don't think this is a large issue. You can see for yourself whether large websites have a certificate for their bare IP (please note that the servers behind the IPs below might host something else in the future):

None of these sites have certificates for their bare IP. (Some have redirects for HTTP in place.)

sauerburger
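
Added example, not part of the original answer: a simplified version of the name check a TLS client performs, showing why a certificate issued for the domain names cannot validate a URL that uses the bare IP. The certificate dictionaries are constructed samples in the shape Python's `getpeercert()` returns, the function names are hypothetical, and 203.0.113.10 (a documentation address) stands in for the server IP because the question's placeholder is not a valid IPv4 address.

```python
import ipaddress

# Constructed sample: the shape ssl.SSLSocket.getpeercert() returns for a
# certificate issued only for the site's two DNS names.
SITE_CERT = {
    "subjectAltName": (
        ("DNS", "mywebapplication.com"),
        ("DNS", "www.mywebapplication.com"),
    )
}
# Constructed sample: a certificate that also lists an IP address SAN.
# 203.0.113.10 is a documentation address standing in for the server IP.
IP_CERT = {
    "subjectAltName": (
        ("DNS", "mywebapplication.com"),
        ("IP Address", "203.0.113.10"),
    )
}


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert: dict, url_host: str) -> bool:
    """Return True if the certificate's SAN list covers the host from the URL."""
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(url_host)
    except ValueError:
        # Not an IP literal: only dNSName entries are candidates.
        return any(_dns_matches(v, url_host) for k, v in sans if k == "DNS")
    # IP literal: only iPAddress entries count, DNS names are never consulted.
    return any(
        ipaddress.ip_address(v) == wanted_ip for k, v in sans if k == "IP Address"
    )


if __name__ == "__main__":
    for host in ("mywebapplication.com", "www.mywebapplication.com", "203.0.113.10"):
        print(f"{host:28} site cert: {cert_covers(SITE_CERT, host)}")
    print(f"{'203.0.113.10':28} IP cert:   {cert_covers(IP_CERT, '203.0.113.10')}")
```

The check runs during the TLS handshake, before any HTTP request is sent, so a `return 301` in the matching server block is never reached when the name check fails.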