How To Avoid SSL Certificate Mismatch Errors When Redirecting Multiple Virtual Hosts

Because the SSL protocol encapsulates HTTP traffic, adding or removing the 'www' subdomain must be done correctly.

Posted 24 November 2014

Have you had difficulty with redirects for multiple SSL virtual hosts on one server? Maybe you got certificate mismatch errors like I did. It is easy to fix, despite all the forum posts saying it can’t be done. All you need to do is add the certificate paths inside the redirect block so the key exchange can take place prior to the redirect. This works because the SSL protocol is a separate layer which encapsulates the HTTP protocol: the SSL session is fully established before the HTTP session, and therefore the redirect, can begin. The one redirect you must not do is HTTPS to HTTP, since that would make downgrade attacks too easy.

[Image: redirecting multiple virtual hosts]
Any variation works; add or strip the "www" as you prefer.

If you are using SSL (it’s actually TLS, but we still call it SSL) and have more than one secure site per server, you may have had difficulty switching or redirecting traffic when someone types “www.example.com” and you want to redirect that to “example.com”. Virtual hosts are loaded in alphabetical order, and a request whose host name matches no secure virtual host falls through to the first one loaded, so you get a certificate mismatch error for the site with the lower alphabetical name (think a-example.com and example.com: a-example.com’s SSL cert is presented first, and the mismatch occurs when requesting https://www.example.com). This is frustrating because best practice is to have a canonical URL like <link rel="canonical" href="http://www.example.com" /> in the pages’ <head> and then enforce it with your server’s configuration file(s).

While you are updating your configuration, do take a look at Mozilla’s excellent Security / Server Side TLS page, which has great example configuration files complete with recommended cipher suites. Everything is very well explained, and I was able to copy from it and achieve a robust configuration for both Nginx and Apache. Once you make the changes, restart/reload the server and head to the Qualys SSL Labs Server Test; it is very helpful for feedback and for fine-tuning your configuration to get an A+, which is a realistic goal.

Don’t bother supporting Windows XP users: use SNI (Server Name Indication), the TLS extension that lets each virtual host present its own certificate. If you absolutely must support XP, then don’t use an HTTP to HTTPS redirect.

Nginx - add www

server {
	listen 443 ssl;    # 'ssl' is required; without it nginx speaks plain HTTP on port 443
	server_name EXAMPLE-1.com;
	# The certificate belongs in the redirect block too: the TLS handshake (with SNI
	# selecting this block) completes before nginx sees the request it will redirect.
	# The same certificate is used by both blocks, so it must cover both names.
	ssl_certificate /PATH/TO/CERT.crt;
	ssl_certificate_key /PATH/TO/KEY.key;
	return 301 https://www.EXAMPLE-1.com$request_uri;
}
server {
	listen 443 ssl;
	server_name WWW.EXAMPLE-1.com;
	ssl_certificate /PATH/TO/CERT.crt;
	ssl_certificate_key /PATH/TO/KEY.key;

	...

}

Apache - add www

<VirtualHost 127.0.0.1:443>
	ServerName EXAMPLE-1.com
	SSLEngine on
	# Same certificate as the www host, so it must be valid for both names; the TLS
	# handshake completes before the RewriteRule below is ever evaluated.
	SSLCertificateFile      /PATH/TO/CERT.crt
	SSLCertificateChainFile /PATH/TO/CHAIN/FILE.pem
	SSLCertificateKeyFile   /PATH/TO/KEY.key
	RewriteEngine on
	RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost 127.0.0.1:443>
	ServerName WWW.EXAMPLE-1.com
	SSLEngine on
	SSLCertificateFile      /PATH/TO/CERT.crt
	SSLCertificateChainFile /PATH/TO/CHAIN/FILE.pem
	SSLCertificateKeyFile   /PATH/TO/KEY.key

	...

</VirtualHost>
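To confirm that the configurations above behave as described, here is a small audit script (an added example, not code from the original post) that performs the TLS handshake with SNI for a host name, checks whether the certificate it receives actually covers that name, and then checks that any redirect stays on HTTPS. The SAMPLE_CERT dictionary is a constructed stand-in for what an a-example.com virtual host would present; the host names passed to audit_vhost are whatever you choose to test.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in ssl.getpeercert() format, not a real certificate: what the
# a-example.com vhost would present if it were chosen for a www.example.com request.
SAMPLE_CERT = {"subject": ((("commonName", "a-example.com"),),),
               "subjectAltName": (("DNS", "a-example.com"), ("DNS", "www.a-example.com"))}


def _label_match(pattern, hostname):
    """Match one dNSName SAN against a hostname; '*' only in the leftmost label
    and never for a name with fewer than three labels (so '*.com' never matches)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 2 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert, hostname):
    """True when the certificate covers hostname. Only dNSName SANs count, as
    browsers ignore the CN; a miss here is exactly the 'certificate mismatch'."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_match(s, hostname) for s in sans)


def is_safe_redirect(location):
    """An HTTPS vhost must never redirect the visitor back to plain HTTP."""
    return urlsplit(location).scheme == "https"


def audit_vhost(hostname, port=443):
    """Live check: TLS handshake with SNI first, then the redirect the vhost sends."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # report the mismatch instead of aborting on it
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    conn = http.client.HTTPSConnection(hostname, port, context=ctx)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    location = resp.getheader("Location") or ""
    redirected = resp.status in (301, 302, 307, 308)
    return {"cert_ok": hostname_matches(cert, hostname), "status": resp.status,
            "location": location, "redirect_ok": not redirected or is_safe_redirect(location)}
```

Run audit_vhost for both the bare and the www name of each site; a result with cert_ok False on the bare name is the mismatch this post is about, and redirect_ok False means a virtual host is sending visitors back to plain HTTP.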

Example configuration blocks are above. Remember, the new free Certificate Authority Let’s Encrypt is coming online Summer 2015, so don’t buy any multi-year certificates, and do get up to speed on providing HTTPS to visitors. Privacy is a hot topic, and you boost your search rankings if you care about that kind of thing.