What is the most effective code for detecting and redirecting browsers that support SNI?

Let's say I have mywebsite.com hosted on Apache httpd. Now I want that whenever a user enters mywebsite.com or www.mywebsite.com, if the browser supports SNI he should be redirected to https://www.mywebsite.com, and otherwise to http://www.mywebsite.com.

So what is the most effective way to achieve it?

+7
ssl .htaccess sni
4 answers

The code below should work

    Options -Indexes +FollowSymLinks
    RewriteEngine on

    # Bare domain: send to the www host first (over http; the next block
    # then decides whether the client goes on to https)
    RewriteCond %{HTTP_HOST} ^mywebsite\.com$
    RewriteRule ^(.*)$ http://www.mywebsite.com/$1 [R=302,L]

    # Anything still on http whose User-Agent is not on the no-SNI list
    # (IE6, anything on Windows NT 5.x, Symbian, BlackBerry) goes to https
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_USER_AGENT} !MSIE\s6
    RewriteCond %{HTTP_USER_AGENT} !Windows\sNT\s5
    RewriteCond %{HTTP_USER_AGENT} !symbian [NC]
    RewriteCond %{HTTP_USER_AGENT} !blackberry [NC]
    RewriteRule ^(.*)$ https://www.mywebsite.com/$1 [R=302,L]

Here we exclude most browsers that do not support SNI, so only the http version is served to them.

+2

The best solution would be

    # Test if new browser and if so redirect to https
    # new browser is not MSIE 5-8, not Android 0-3,
    # not any Symbian and not any BlackBerry
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_USER_AGENT} !MSIE\ [5-8] [NC]
    RewriteCond %{HTTP_USER_AGENT} !Android.*(Mobile)?\ [0-3] [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(.*.symbian.*) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(.*.blackberry.*) [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This excludes MSIE 5-8, which rules out all IE on XP, plus some that would work. But it allows XP with Chrome, Firefox and Opera, all of which support SNI on XP, so at least those XP users get https. Similarly, it assumes that no Symbian or BlackBerry has SNI, and that Android 3 does (that is what tablets tell me; phones need 4).

For another solution, you may have

    # Could use this to set $_SERVER['SSL_TLS_SNI'] for PHP. SetEnv does not
    # expand %{SSL:...}, so let mod_rewrite set the environment variable instead.
    RewriteRule ^ - [E=SSL_TLS_SNI:%{SSL:SSL_TLS_SNI}]

This will set $_SERVER['SSL_TLS_SNI'] either to %{SSL:SSL_TLS_SNI} (yes, the code could probably be better) or to the domain name. If you know which default certificate Apache returns and you have access to that domain, then from the other domains you can have PHP make a test https request to the default domain and then check $_SERVER['SSL_TLS_SNI'] to test for SNI before switching to https.

Please note: there is no way to avoid the browser error if a non-SNI browser requests https on a site that requires SNI. The best you can do is

    # Test if SNI will work and if not redirect to too-old-browser page
    RewriteCond %{HTTPS} on
    RewriteCond %{SSL:SSL_TLS_SNI} =""
    RewriteRule ^ http://www.example.com/too-old-browser [L,R=307]

The user has to click through the browser error to reach the site, after which he is redirected to http and the error page.

+1
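The User-Agent blacklist from the second answer (and the same idea in the first), translated into JavaScript so the rules can be run against sample UA strings offline. This is an added example, not code from any answer on this page; the UA strings are constructed for the demo, while the patterns and the "assumed no SNI" verdicts are those of the rewrite rules.

```javascript
// The four RewriteCond patterns from the second answer, all flagged [NC],
// so case-insensitive here.
const NO_SNI_PATTERNS = [
  /MSIE [5-8]/i,               // !MSIE\ [5-8]
  /Android.*(Mobile)? [0-3]/i, // !Android.*(Mobile)?\ [0-3]
  /symbian/i,                  // !^(.*.symbian.*)
  /blackberry/i,               // !^(.*.blackberry.*)
];

// True when the blacklist would keep this client on plain http.
function assumedNoSni(userAgent) {
  return NO_SNI_PATTERNS.some((re) => re.test(userAgent));
}

// The redirect the rule set would issue for one request, or null when it
// leaves the request alone (already https, or a blacklisted client on http).
function redirectFor({ userAgent, https, host, uri }) {
  if (https || assumedNoSni(userAgent)) return null;
  return `https://${host}${uri}`;
}

// Constructed sample clients (not real log data). The trailing comment is the
// blacklist's verdict and, where it differs, what the browser can actually do.
const SAMPLE_UAS = {
  ie6xp: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", // no SNI: correct
  ie8win7: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)", // no SNI: over-blocked, IE8 on Vista+ does SNI
  firefoxXp: "Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0", // SNI: correct; the first answer's "Windows NT 5" rule would block it
  android23: "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-S5830 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1", // no SNI
  android44: "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Mobile Safari/537.36", // SNI
  blackberry: "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/331", // no SNI
};

// Run every sample through the blacklist; returns { name: assumedNoSni }.
function classifySamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_UAS).map(([name, ua]) => [name, assumedNoSni(ua)])
  );
}
```

Running classifySamples() shows the trade-off the second answer describes: IE8 on Windows 7 is sent to http although it can do SNI, while Firefox on XP is allowed through to https. Any UA-based rule is a guess about the client's TLS stack, not a measurement of it.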

This is what I used based on the answers above.

    # Browsers assumed not to support SNI (IE7, anything on Windows NT 5.x,
    # Android 0-3, Symbian, BlackBerry) that arrive over https go back to http
    RewriteCond %{HTTPS} on
    RewriteCond %{HTTP_USER_AGENT} MSIE\s7|Windows\sNT\s5|Android.*(Mobile)?\s[0-3]|symbian|blackberry [NC]
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

    # Everyone else still on http goes to https
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_USER_AGENT} !MSIE\s7
    RewriteCond %{HTTP_USER_AGENT} !Windows\sNT\s5
    RewriteCond %{HTTP_USER_AGENT} !Android.*(Mobile)?\ [0-3] [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(.*.symbian.*) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(.*.blackberry.*) [NC]
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Add the www. prefix, keeping the scheme already chosen
    # (%1 is "s" when HTTPS is on, empty otherwise)
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteCond %{HTTPS}s ^on(s)|
    RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This rewrites to http first and then rewrites to https if the user agent is not one of those listed. I don't know whether having two rewrites is bad, but I am sure Google and the other relevant bots prefer indexing https. This method achieves that (I think :)

This is my roundabout way of doing it, but it seems to work. I am sure it is better to blacklist browsers and send them to HTTP rather than to whitelist browsers, as there would be too many to add.

Each site is different, and depending on its security needs, one of the options above may fit.

Please let me know your thoughts.

+1

You could set up a second server that only works with SNI, and have a page on your first site make an Ajax request to it (perhaps with some identifier, if needed).

If the client does not support SNI, the server will present a certificate that is not valid for the requested host name, so the Ajax request will fail. Your original page can then react to that failure, which indicates that SNI is not supported.

Of course this is not ideal, but it may be better than depending on an explicit list of user agents (depending on the constraints you have). It is more in the spirit of testing the client's capabilities.

0
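A client-side capability probe of the kind this answer describes, as an added example that is not code from the answer. It assumes a hypothetical second vhost, https://sni-probe.example.com, that is only reachable with SNI (the server's default certificate is for another name) and that answers GET /probe with the JSON body {"sni": true} plus CORS headers allowing the main site's origin; both the host and the endpoint are assumptions, not something the answer specifies.

```javascript
const PROBE_URL = "https://sni-probe.example.com/probe"; // assumed SNI-only endpoint
const PROBE_TIMEOUT_MS = 5000;

// Run the probe. fetchImpl is injectable so the decision logic can be exercised
// offline with a fake fetch; in the browser it defaults to window.fetch.
async function probeSni(fetchImpl = globalThis.fetch, url = PROBE_URL, timeoutMs = PROBE_TIMEOUT_MS) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const resp = await fetchImpl(url, { mode: "cors", cache: "no-store", signal: controller.signal });
    if (!resp.ok) return { sni: false, reason: `http-${resp.status}` };
    const body = await resp.json();
    return body && body.sni === true
      ? { sni: true, reason: "ok" }
      : { sni: false, reason: "unexpected-body" };
  } catch (err) {
    // A non-SNI client is shown a certificate for the wrong name, the browser
    // aborts the TLS handshake and fetch rejects (a TypeError in browsers).
    // A timeout is treated as "no SNI" as well, so a slow or blocked probe
    // falls back to the http site rather than to a TLS error page.
    const reason = err && err.name === "AbortError" ? "timeout" : "tls-or-network-error";
    return { sni: false, reason };
  } finally {
    clearTimeout(timer);
  }
}

// Where the visitor should end up: the www host, https only if the probe passed.
function chooseTarget(probeResult, currentHref) {
  const url = new URL(currentHref);
  const host = url.hostname.startsWith("www.") ? url.hostname : `www.${url.hostname}`;
  const scheme = probeResult.sni ? "https:" : "http:";
  return `${scheme}//${host}${url.pathname}${url.search}${url.hash}`;
}

// Browser wiring: remember the verdict in a cookie (so the server-side rewrite
// rules can act on it and the probe is not repeated), then redirect at most once.
async function redirectBasedOnSni() {
  if (typeof document === "undefined" || /(^|; )sni=/.test(document.cookie)) return;
  const result = await probeSni();
  document.cookie = `sni=${result.sni ? 1 : 0}; path=/; max-age=86400`;
  const target = chooseTarget(result, window.location.href);
  if (target !== window.location.href) window.location.replace(target);
}
```

Call redirectBasedOnSni() from the http landing page. Once the cookie is set, the .htaccess rules can test %{HTTP_COOKIE} for sni=0 instead of guessing from the User-Agent, which is the point of the answer: the browser's own TLS stack is what gets tested, not its name.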
