Apex Domain HTTPS Redirect
I recently broke the apex domain HTTPS redirect to my sub-domain. Investigating the issue revealed the complexities of this behavior and, as a result, I’m writing about some of those contributing factors.
An apex domain is a custom domain that does not contain a subdomain, such as example.com. Apex domains are also known as base, bare, naked, root apex, or zone apex domains. An apex domain is configured with an A, ALIAS, or ANAME record through your DNS provider.
We need our apex domain to resolve to something that can perform the redirect.
CNAME records are incompatible with apex domains, but we can use traditional
A or a DNS specific
    $ dig +short jamesmoriarty.xyz
    184.108.40.206
    220.127.116.11
    18.104.22.168
    22.214.171.124
The above example is an Amazon Web Services (AWS) Route53 ALIAS record resolving to CloudFront.
We need to provide the client with TLS connectivity. This requires a certificate and something to facilitate TLS. Automated issuing and renewal of certificates can be facilitated with Let’s Encrypt or AWS Certificate Manager.
    $ openssl s_client -connect jamesmoriarty.xyz:443
    CONNECTED(00000190)
    depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
    verify return:1
    depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
    verify return:1
    depth=0 CN = jamesmoriarty.xyz
    verify return:1
    ---
The above example uses OpenSSL to validate the TLS connectivity provided by CloudFront.
We will need to redirect the client to the sub-domain. To support the widest possible number of clients, we will often do this at the HTTP protocol level.
    $ curl -v https://jamesmoriarty.xyz/ -o /dev/null
    ...
    > GET / HTTP/2
    > Host: jamesmoriarty.xyz
    > user-agent: curl/7.68.0
    ...
    >
    < HTTP/2 301
    < content-length: 0
    < location: http://www.jamesmoriarty.xyz/index.html
    ...
The above example is verbose curl output used to validate the HTTP-level redirect, which is performed by the S3 static website hosting redirect function:
The following diagram illustrates the HTTPS redirect for my personal website.
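The redirect hop captured in the curl trace above can also be checked mechanically, which helps catch a broken redirect before clients do. The following Python is an added example, not code from the original post: the function names `parse_trace` and `audit_redirect` are hypothetical, and the trace lines are copied from the curl output on this page.

```python
from urllib.parse import urljoin, urlsplit

# Request/response header lines copied from the curl -v output on this page.
TRACE = """\
> GET / HTTP/2
> Host: jamesmoriarty.xyz
< HTTP/2 301
< content-length: 0
< location: http://www.jamesmoriarty.xyz/index.html
"""

def parse_trace(trace):
    """Extract request Host, response status and Location from curl -v text."""
    host = status = location = None
    for line in trace.splitlines():
        body = line[2:].lower()
        if line.startswith("> ") and body.startswith("host:"):
            host = line.split(":", 1)[1].strip().lower()
        elif line.startswith("< HTTP/"):
            status = int(line.split()[2])
        elif line.startswith("< ") and body.startswith("location:"):
            location = line.split(":", 1)[1].strip()
    return host, status, location

def audit_redirect(trace, expected_host):
    """Return a list of findings for one apex-to-subdomain redirect hop."""
    host, status, location = parse_trace(trace)
    findings = []
    if status not in (301, 308):
        findings.append(f"status {status} is not a permanent redirect")
    if not location:
        return findings + ["no Location header"]
    # A relative Location resolves against the HTTPS request URL.
    base = f"https://{host}/" if host else ""
    target = urlsplit(urljoin(base, location))
    if target.scheme != "https":
        findings.append(f"Location scheme is '{target.scheme}': next request "
                        "is sent without TLS unless HSTS applies")
    if target.hostname != expected_host:
        findings.append(f"Location host {target.hostname} != {expected_host}")
    if host and target.hostname == host:
        findings.append("Location points back at the apex host")
    return findings

if __name__ == "__main__":
    for finding in audit_redirect(TRACE, "www.jamesmoriarty.xyz"):
        print("FINDING:", finding)
```

Run against the trace on this page, it reports one finding: the `location` header uses `http`, so the follow-up request to the sub-domain leaves TLS unless HSTS for that host is already in effect.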