HTTPS and HSTS for Redirect Pointer

ben221199

New member
Joined
Nov 10, 2019
Messages
5
Hello all,

I'm validating my websites using the tool on https://internet.nl.
I have 3 domains:
- normalsite.nl (Normal domain)
- aliassite.nl (Pointer domain that behaves as alias for normalsite.nl)
- redirectsite.nl (Pointer that redirects the browser to normalsite.nl)

However, I fail the scan on some tests.
The fact is that redirecting doesn't work as I thought.

What I thought that would happen:

http://redirectsite.nl => https://redirectsite.nl (Secure) => https://normalsite.nl (Secure)

But what actually happens:

http://redirectsite.nl => http://normalsite.nl => https://normalsite.nl (Secure)
AND
https://redirectsite.nl (Secure) => https://normalsite.nl (Secure)

This causes me to get the following error:
- HTTPS-redirect (because the domain is not first directing to its HTTPS version, but first to the HTTP version of normalsite.nl)

How to fix this?

Also, is it possible to set HSTS for a redirect pointer?

Thanks in advance

Ben
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
640
Location
Netherlands Germany
The site should first redirect to the same domain, so http to https first; that is important for the HSTS specs.
There was a bug with a DA version, but it is solved as far as I know.

So, for example: non https www < https www < https non www
So the first redirect here is http://www to https://www, then a redirect to https://nonwww

I don't know how for alias as you have.
But my reply is to your:
- HTTPS-redirect (because the domain is not first directing to its HTTPS version, but first to the HTTP version of normalsite.nl)
Where probably something is wrong.

Is SSL enabled for /redirectsite.nl?

Could you point only https://redirectsite.nl to https://normalsite.nl?

So not pointing the http://redirectsite.nl itself (this only to the https version itself of redirectsite.nl).

You can try that in the host template for the site, only to test in the GUI, or htaccess; it seems not possible to do this the right way for now.
That is also through web forwarding in the GUI, I guess?
 

ben221199

I see mistakes in your answer.

For HSTS to work, you need from HTTP to HTTPS directly (not from HTTP to HTTP).
DirectAdmin does not do this yet.
I think this is a bug.

Look at this image: https://imgur.com/a/CCSt1Jv

The red arrows are the flow as it is now.
The green arrows are the flow as it should be.

It's just one arrow that is wrong.
 

ben221199

And some extra information:
- SSL/TLS is on, certificates from Let's Encrypt
- I force normalsite.nl to SSL/TLS, but for redirectsite this is not an option (because it's a pointer).
 

ikkeben

ben221199 said:
> I see mistakes in your answer.
>
> For HSTS to work, you need from HTTP to HTTPS directly (not from HTTP to HTTP).
> DirectAdmin does not do this yet.
> I think this is a bug.
>
> Look at this image: https://imgur.com/a/CCSt1Jv
>
> The red arrows are the flow as it is now.
> The green arrows are the flow as it should be.
>
> It's just one arrow that is wrong.

Sorry, the HSTS specs say you have to redirect first to the same domain/subdomain, http < https first.
Then you have to redirect that https to the domain with https that you want from there.

Yes, I did write it the wrong way, sorry. Yup, that was a bug, and it is a problem with pointers; see the/a solution, I guess, in the DA update where you can have and change the virtualhost for that.
https://www.directadmin.com/features.php?id=2505

https://forum.directadmin.com/showthread.php?t=59364&p=303790#post303790
 

ben221199

You're talking about alias pointers when using pointers_own_virtualhosts.
I'm talking about the non-alias pointers, the ones that redirect.
 

ben221199

The non-alias pointer domains already have their own virtual host. I can set some parameters and then it works for me, so that is not the problem. What I actually want is that the bug will be fixed, so that I do not have to set it for all domain pointers.
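
The redirect-order requirement discussed in this thread, as an added example that is not part of any post and is not internet.nl's or DirectAdmin's code: a small Python check over a recorded redirect chain, run here on the two flows from the first post. The function name, finding labels, sample chains and the `max-age` value are constructed for illustration.

```python
from urllib.parse import urlsplit

def check_chain(hops):
    """hops: [(url, response_headers), ...] in the order the client requested them.
    Returns a list of findings; an empty list means the chain passes."""
    findings = []
    start = urlsplit(hops[0][0])
    if start.scheme == "http":
        if len(hops) < 2:
            findings.append("http-not-redirected")
        else:
            nxt = urlsplit(hops[1][0])
            if nxt.scheme != "https":
                findings.append("first-hop-not-https")
            elif nxt.hostname != start.hostname:
                findings.append("first-hop-changes-host")
    # A browser only stores an HSTS policy received over HTTPS, and only for
    # the host that sent it, so the starting host needs its own HTTPS response
    # carrying the header before the chain moves on to another domain.
    hsts_seen = any(
        urlsplit(url).scheme == "https"
        and urlsplit(url).hostname == start.hostname
        and "strict-transport-security" in {k.lower() for k in headers}
        for url, headers in hops
    )
    if not hsts_seen:
        findings.append("no-hsts-for-start-host")
    return findings

HSTS = {"Strict-Transport-Security": "max-age=31536000"}  # constructed value

# Constructed from the flows described in the first post, not captured traffic.
OBSERVED = [("http://redirectsite.nl/", {}),
            ("http://normalsite.nl/", {}),
            ("https://normalsite.nl/", HSTS)]
EXPECTED = [("http://redirectsite.nl/", {}),
            ("https://redirectsite.nl/", HSTS),
            ("https://normalsite.nl/", HSTS)]

if __name__ == "__main__":
    for name, chain in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(name, check_chain(chain) or "OK")
```
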
 