Reputation: 986
I have several https://*.rest-service.mydomain.com services. As the number of services increases, I feel managing SSL certs is costly. I bought a wildcard cert for *.mydomain.com.
Newly added services are placed under mydomain.com with a new wildcard cert and it works well. However, as always, legacy is an issue.
I still have a lot of HTTPS traffic to https://*.rest-service.mydomain.com, and its old cert is going to expire.
In this situation, is there any good approach to redirect legacy HTTPS traffic to the new one?
Since the client still knows only the legacy endpoint https://*.rest-service.mydomain.com, can I redirect the client to the new server https://*.mydomain.com and handle the request as well?
I use nginx as a web server and ELB as a load balancer.
Upvotes: 1
Views: 513
Reputation: 123320
> ... and its old cert is going to expire.

While you can redirect from SSL to SSL (see the other answer), you still need to have a valid certificate for the host you redirect from. This means the redirection will stop working (or at least cause certificate validation errors) once the old cert has expired. To fix this you need to renew the certificate.
Apart from that, you must be sure that the services can actually deal with redirection. While a browser handles redirection in a transparent way for the user, that is not necessarily the case for applications using a REST API. These might expect to get the response directly and not a redirection which they have to follow and resubmit the REST request.
Upvotes: 2
Reputation: 2675
Try this regexp-ed server:
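server {
    # Capture everything before .rest-service.mydomain.com as $subdomain.
    server_name ~^(?P<subdomain>.+)\.rest-service\.mydomain\.com$;
    listen 443 ssl;
    # ssl_certificate and ssl_certificate_key for the legacy names must be
    # set here or inherited from the enclosing http block.
    # Permanent redirect to the same path on the new host.
    return 301 https://$subdomain.mydomain.com$request_uri;
}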
Upvotes: 1
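The certificate requirement from the first answer and the hostname mapping from the second, checked together in an added example (not code from either answer). It assumes the legacy certificate is a wildcard for *.rest-service.mydomain.com, uses constructed hostnames, and the function names are hypothetical.

```python
import re

# Same pattern as the nginx server_name regex in the answer above.
LEGACY_RE = re.compile(r"^(?P<subdomain>.+)\.rest-service\.mydomain\.com$")


def wildcard_covers(cert_name: str, host: str) -> bool:
    """Return True if a certificate name covers host.

    Uses the usual TLS rule: '*' stands for exactly one leftmost label,
    so '*.mydomain.com' never matches 'a.b.mydomain.com'.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return bool(host_labels[0]) and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def redirect_target(host: str):
    """Host the nginx rule would redirect to, or None if it does not match."""
    m = LEGACY_RE.match(host.lower())
    return f"{m.group('subdomain')}.mydomain.com" if m else None


def audit(hosts, legacy_cert="*.rest-service.mydomain.com", new_cert="*.mydomain.com"):
    """For each legacy host, report which certificate can serve each hop."""
    report = {}
    for host in hosts:
        target = redirect_target(host)
        report[host] = {
            "target": target,
            # Hop 1: the TLS handshake on the legacy name happens before the 301.
            "legacy_cert_ok": wildcard_covers(legacy_cert, host),
            "new_cert_on_legacy_ok": wildcard_covers(new_cert, host),
            # Hop 2: the redirect target must be covered by the new cert.
            "new_cert_on_target_ok": bool(target) and wildcard_covers(new_cert, target),
        }
    return report


# Constructed sample hostnames, not taken from the page.
SAMPLE_HOSTS = ["orders.rest-service.mydomain.com", "v2.orders.rest-service.mydomain.com"]

if __name__ == "__main__":
    for host, row in audit(SAMPLE_HOSTS).items():
        print(host, row)
```

A multi-label legacy name matches the nginx regex but is covered by neither wildcard on either hop, so such hosts need their own certificate names.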