Closed fregante closed 3 years ago
Great idea because without https it's unusable for me!
Same problem here, http redirect works fine, https does not work.
Unfortunately, redirecting using https doesn't work because redirect.center needs the certificate for each domain, and with DNS only that's not possible. I might create this possibility in the future, but it needs to be a different project and might have some costs.
My experimental instance at https://redirect.lelux.fi/ supports HTTPS (uploading scripts & haproxy config soon).
It ~~generates certificates (using certbot) & deploys the certificates to my HAProxy instance automatically~~ uses Caddy on-demand TLS, triggered from loading the domain in a browser.
About A records: If you can, please use CNAME flattening/ANAME/ALIAS records in a situation where you can't use CNAMEs (such as apex/"naked" domains) if your DNS provider supports them (Cloudflare/Gandi/DnsMadeEasy/Namecheap/etc. do). If you can't, set an A record.
Please do not point wildcards, though, as it would get me rate-limited by LE's API when many of those subdomains are accessed by some scanner bots.
And most of the subdomains would not work before a cert has been generated, so users would get only TLS connection errors, which would degrade the experience.
Code available here:
https://github.com/theel0ja/redirect.center-cert-ask
Uses Caddy for on-demand HTTPS and a PHP script to validate the CNAME (optional).
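The CNAME check described above, as an added example in Python (my code, not theel0ja's PHP script or the redirect.center project's code): a minimal endpoint for Caddy's `on_demand_tls { ask ... }` hook that only approves certificate issuance for hostnames whose CNAME really points at the service, so scanner traffic to random or wildcard subdomains never triggers a Let's Encrypt request. `SERVICE_TARGET`, the listen port and the use of dnspython for the lookup are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

SERVICE_TARGET = "redirect.center"  # assumed: the CNAME every customer domain must point at
MAX_LABELS = 4                      # refuse absurdly deep names (cheap anti-abuse guard)


def resolve_cname(name):
    """Return the CNAME target of `name` (lowercase, no trailing dot) or None.
    Assumes dnspython (pip install dnspython) is installed on the Caddy host."""
    try:
        import dns.resolver  # third-party; imported lazily so the module loads without it
        answers = dns.resolver.resolve(name, "CNAME")
        return str(answers[0].target).lower().rstrip(".")
    except Exception:
        return None


def is_valid_hostname(name):
    """Syntactic sanity check: 2..MAX_LABELS labels, each 1-63 chars of [a-z0-9-]."""
    labels = name.rstrip(".").split(".")
    if not (2 <= len(labels) <= MAX_LABELS):
        return False
    return all(l and len(l) <= 63 and l.replace("-", "").isalnum() for l in labels)


def should_issue(domain, resolver=resolve_cname):
    """Decide whether Caddy may obtain a certificate for `domain`.
    Wildcards are always rejected (see the rate-limit note in the thread)."""
    domain = domain.lower().rstrip(".")
    if "*" in domain or not is_valid_hostname(domain):
        return False
    target = resolver(domain)
    return target is not None and target.rstrip(".") == SERVICE_TARGET


class AskHandler(BaseHTTPRequestHandler):
    # Caddy calls GET /ask?domain=<host>; any 2xx allows issuance, anything else denies it.
    def do_GET(self):
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        self.send_response(200 if url.path == "/ask" and should_issue(domain) else 403)
        self.end_headers()


if __name__ == "__main__":
    # Caddyfile global option (assumed port): on_demand_tls { ask http://127.0.0.1:9123/ask }
    HTTPServer(("127.0.0.1", 9123), AskHandler).serve_forever()
```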
We can frontend with nginx to add HTTPS. Let's Encrypt also supports wildcard domains, which seem to work with the browsers I have tried. If the hostname is redirect.center, obtain a certificate for *.center to cover all subdomains. I have also successfully frontended with AWS CloudFront using a wildcard alternate domain.
```bash
#!/bin/bash
set -euo pipefail
sudo apt-get install -y nginx python3-certbot-nginx
# wildcard cert requires DNS validation (can be scripted using https://github.com/acmesh-official/acme.sh)
# the domain is quoted so the shell does not glob-expand the asterisk
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d '*.center' --agree-tos --email bob@example.com --manual --preferred-challenges dns-01 certonly
# quoted heredoc delimiter so nginx's $host is not expanded (to nothing) by the shell;
# sudo tee because the target file is root-owned and a plain redirect would fail
sudo tee /etc/nginx/sites-available/default > /dev/null <<'EOT'
server {
    listen 80;
    server_name redirect.center;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;
    }
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/center/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/center/privkey.pem;
    server_name redirect.center;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;
    }
}
EOT
# validate the config before restarting so a typo does not take the site down
sudo nginx -t && sudo systemctl restart nginx
```
Edit: I should probably mention this assumes all your redirect domains will share a common parent domain, as ours do, e.g. test.center in this case.
Current configuration, it redirects any subdomain to https://twitter.com/fregante.
It works when visiting http URLs (example using httpie):
But it doesn't when the URL is already HTTPS:
Nowadays this can be done via Let's Encrypt, at least for requests following the first one (since it might take more than a few seconds to validate the domain)