
I have a hosting account with an addon domain. The directory structure is as follows:
/public_html (main site is hosted in this directory)
/public_html/secondary_site/ (secondary site is hosted in this directory)
I am using the following .htaccess file in the public_html folder (and no .htaccess file in the secondary_site folder):
RewriteEngine On
# BEGIN Domain to folder mapping
# pointing HTTPS secondarysite.com to https://primarysite.com/secondarysite/
# (only for requests that arrive on port 443 for the secondary host and are
#  not already inside the secondarysite/ path, to avoid a redirect loop)
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} secondarysite.com
RewriteCond %{REQUEST_URI} !secondarysite/
RewriteRule ^(.*)$ https://primarysite.com/secondarysite/$1 [L]
# pointing HTTP secondarysite.com to http://primarysite.com/secondarysite/
RewriteCond %{SERVER_PORT} ^80$
RewriteCond %{HTTP_HOST} secondarysite.com
RewriteCond %{REQUEST_URI} !secondarysite/
RewriteRule ^(.*)$ http://primarysite.com/secondarysite/$1 [L]
# END Domain to folder mapping
The second rule works fine for non-secure connections; it correctly forwards to the public_html/secondary_site directory.
However, when I try to connect securely to secondarysite.com I am greeted with a warning page stating:
You attempted to reach secondarysite.com, but instead you actually reached a server identifying itself as primarysite.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of secondarysite.com.
If I click on the "I understand, proceed" button, it then takes me to the correct, SSL secured directory of public_html/secondary_site. The SSL lock is green and happy.
Why is this .htaccess file not catching requests for secondarysite and re-writing them to the primarysite structure before it has a chance to throw a fit about a bad certificate due to domains not matching?
Answer1:
(This is more or less the same problem as in this question, so I'll adapt my own answer from there.)
HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. Any redirection (via mod_rewrite, custom PHP code or other) will always apply after the SSL/TLS connection is established.
Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified.
If you want to redirect from https://secondarysite.com to https://primarysite.com, the certificate obtained for https://secondarysite.com must be valid for secondarysite.com (and then, the certificate obtained for https://primarysite.com must be valid for primarysite.com).
(You could use two different certificates with Server Name Indication if the two hosts are served on the same IP address, but not all clients would necessarily support it.)
The easiest would be to obtain a certificate that's valid for both secondarysite.com and primarysite.com. This can be done using a single certificate with multiple Subject Alternative Name entries.