
HTTPS subdomain mistakenly redirected to domain

We have a web server running with two sites; I will call them domain.com and test.domain.com. We have an SSL certificate installed on the domain.com site that covers both www.domain.com and domain.com. The test site does not have an SSL certificate.

When navigating to http://test.domain.com we can successfully reach the test site. However, when navigating to https://test.domain.com all traffic is redirected to https://domain.com, more or less without the user knowing. This could possibly confuse someone into thinking he's working on the test site, when in fact changes are made in production.

The server is running IIS 6. The test site does not have an SSL port configured. The only host headers are domain.com and test.domain.com for the two sites respectively.

How can I make sure https://test.domain.com does not redirect to https://domain.com?

You can use SSL Host Headers, even with an untrusted/non-SAN/non-Wildcard certificate.


  • 0
      • 2
    • Will setting domain.com as the only SSL host header make it refuse connections that are made to test.domain.com? I would rather secure the test subdomain and give it its own SSL host header if I could, but I don't think the current certificate will allow it.
      • 1
    • Anything that doesn't have a host header will be a "catch all" - so just give the test subdomain site the host header, and the other one should get the lot.

SSL sites cannot be assigned using host headers because the headers are encrypted. An SSL site responds to the IP+port that it is on. So it is responding because they are on a shared IP, not because it is being redirected.

You need to either run the sites on separate IPs or add something to the logic of your site that redirects from https to http when it sees that someone is using the wrong URL.

  • 0

Are both sites using the same IP or not? If not, as soon as you tell the browser to use HTTPS, the server can't tell if you want test.domain.com or domain.com. This is because, as James mentioned, the host headers are encrypted. So whichever site the SSL certificate is assigned to will be the one that responds. So the best thing to try would be to edit the metabase and explicitly add a host header to the port 443 binding of domain.com. Basically this: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8d9f2a8f-cd23-448c-b2c7-f4e87b9e2d2c.mspx?mfr=true

Then IIS won't respond when you go to https://test.domain.com with a valid website at all unless you eventually add an SSL cert to the test.domain.com site.

  • 0
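An added example, not part of the answers above and not IIS code: a simplified Python model of the binding lookup this thread discusses, using the metabase `IP:Port:HostHeader` string form, to audit which site answers each HTTPS hostname before and after a host header is put on the port 443 binding. The site names, sample bindings, IP address and the matching rule (exact host first, blank host header as catch-all, otherwise no site) are assumptions for illustration.

```python
# Simplified model (an assumption, not IIS source) of how a request on a
# shared IP is matched to a site by bindings in "IP:Port:HostHeader" form.

def parse_binding(binding):
    """Split 'IP:Port:Host' into (ip, port, host); empty ip/host mean 'any'."""
    ip, port, host = binding.split(":", 2)
    return ip, int(port), host.lower()

def resolve_site(sites, ip, port, host):
    """Return the name of the site that answers, or None if nothing matches.

    An exact host-header match wins; a binding with a blank host header on
    the same IP/port acts as the catch-all described in the thread.
    """
    host = host.lower()
    catch_all = None
    for name, bindings in sites.items():
        for b_ip, b_port, b_host in map(parse_binding, bindings):
            if b_port != port or b_ip not in ("", ip):
                continue
            if b_host == host:
                return name
            if b_host == "" and catch_all is None:
                catch_all = name
    return catch_all

def audit(sites, ip, port, owners):
    """Return (host, expected, actual) for hosts served by the wrong site."""
    findings = []
    for host, expected in owners.items():
        actual = resolve_site(sites, ip, port, host)
        if actual is not None and actual != expected:
            findings.append((host, expected, actual))
    return findings

# Constructed sample data: port 443 bindings only, documentation IP address.
IP = "192.0.2.10"
BEFORE = {"production": [":443:"], "test": []}
AFTER = {"production": [":443:domain.com", ":443:www.domain.com"], "test": []}
OWNERS = {"domain.com": "production", "www.domain.com": "production",
          "test.domain.com": "test"}

if __name__ == "__main__":
    print("before:", audit(BEFORE, IP, 443, OWNERS))
    print("after: ", audit(AFTER, IP, 443, OWNERS))
```

In this model the blank-host binding makes production answer for test.domain.com, while the host-specific bindings leave that name unserved on port 443 until the test site gets its own secure binding.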
