HSTS Redirects WWW to non-WWW
Colleagues asked for www.domain.hk to work as well, rather than only domain.hk.
The reason is friendlier sharing of posts on Facebook.
At the beginning:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://domain.org.hk/$1 [L,R=301]
It did not work, however.
I tried different solutions. Both of them failed as well, with an error such as:
Your connection is not private
Attackers might be trying to steal your information from www.domain.hk (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
www.domain.hk normally uses encryption to protect your information. When Google Chrome tried to connect to www.domain.hk this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.domain.hk, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
You cannot visit www.domain.hk right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
Finally, since it was during service hours, there was not much time to spare.
Back to the simple approach:
certbot --apache -d domain.hk -d www.domain.hk
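Why the rewrite rule alone could not help, as an added example that is not part of the original post: the browser checks the certificate for the name it dialled before Apache can send any 301, and HSTS with includeSubDomains removes the click-through. The HSTS store contents, the apex-only certificate, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def san_matches(pattern, host):
    """Match one dNSName SAN entry against a hostname (simplified RFC 6125)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False                      # "*" stands for exactly one label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def hsts_applies(host, hsts_store):
    """hsts_store maps a domain to its includeSubDomains flag."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        include_sub = hsts_store.get(".".join(labels[i:]))
        if include_sub is not None and (i == 0 or include_sub):
            return True
    return False

def navigate(url, cert_sans, hsts_store):
    """Outcome of one navigation, decided before any HTTP redirect is read."""
    parts = urlsplit(url)
    host, scheme = parts.hostname, parts.scheme
    pinned = hsts_applies(host, hsts_store)
    if scheme == "http" and pinned:
        scheme = "https"                  # browser upgrades the request itself
    if scheme == "http":
        return "plain-http"
    if any(san_matches(s, host) for s in cert_sans):
        return "tls-ok"                   # only now can the 301 be delivered
    # Name mismatch: with HSTS the error page offers no way to proceed.
    return "blocked-by-hsts" if pinned else "cert-warning"

# Constructed state: the browser saw the header on domain.hk earlier.
HSTS_STORE = {"domain.hk": True}          # includeSubDomains was set
CERT_BEFORE = ["domain.hk"]               # assumption: certificate covered the apex only
CERT_AFTER = ["domain.hk", "www.domain.hk"]   # certbot -d domain.hk -d www.domain.hk

if __name__ == "__main__":
    for sans in (CERT_BEFORE, CERT_AFTER):
        for url in ("http://www.domain.hk/", "https://domain.hk/"):
            print(sans, url, "->", navigate(url, sans, HSTS_STORE))
```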