I am really thankful you posted this, because I have exactly the same issue, i.e., http://DOMAIN redirects directly to https://www.DOMAIN, combining the redirect to HTTPS and the one to the
I know it would have been the "easy" solution.
Note that there are reasons to use a subdomain like www, as has been discussed on several occasions already, and so this choice is completely understandable.
However, HSTS has no way (at least not yet) to combine the two redirects: It can only forward directly to HTTPS. I suppose that if the HSTS preload site detects that this is not what the plain HTTP server itself does, then enforcing a "307 internal redirect" to just HTTPS is not admissible. (As far as I can tell, this requirement is not explicitly stated on hstspreload.org, but can only be found out by actually trying to set up the HSTS preload.)
I have no full answer to your question, but I can provide a bit more information on a few points you raise:
If you are serving a redirect, that redirect must have the HSTS header, not the page it redirects to.
Please note the exact (current) quote from hstspreload.org:
If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
As far as I know there is no way to serve such a thing as an HSTS header when doing a redirect ...
It is completely possible that a HTTP redirect response also has an HSTS header. This only means that the HTTP redirect response also contains a Strict-Transport-Security header field with suitable parameters. For example, using SWI-Prolog as HTTP server, you can emit such responses like this:
?- http_status_reply(moved('https://***.com'), current_output, [strict_transport_security('max-age=63072000; includeSubdomains')], Code).
HTTP/1.1 301 Moved Permanently
Date: Sun, 12 Feb 2017 10:04:55 GMT
Location: https://***.com
Strict-Transport-Security: max-age=63072000; includeSubdomains
Content-Length: 366
Content-Type: text/html; charset=UTF-8
etc.
Note that this header field is only admissible when TLS is already being used (otherwise, an attacker could force traffic to a different port via a connection that is not authenticated!). In fact, the header must not occur in the HTTP→HTTPS redirect, because it uses an unauthenticated connection, and if it (incorrectly) does occur over plain HTTP, the client must ignore it.
Now to the actual main point of your question:
This poses a huge redirect dilution SEO problem (not to mention the fact that chained redirects are not ideal).
I completely agree that the chained redirects are far from ideal, and there seems to be no way around this with such (common!) setups as ours, at least not currently.
However, my personal hope is that the impact of the additional redirect will not impact your site's rank a lot: Theoretically, once a search engine sees that your site is in the HSTS preload list, all it should care for is the HTTPS version of it (because that's also what browsers that support HSTS preload will do!). Therefore, you end up with only a single redirect, namely the https://www.DOMAIN one, which should be rather comparable to your current situation. At least that's my somewhat naive hope. In this redirect, make sure that the HSTS header is included, since this is a requirement to get into the preload list. Of course the exact configuration details depend on your concrete web server.
Also, note that you cannot reinstate the original redirect chain even after you have made it into the HSTS preload list. This is because the Continued requirements section states:
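As an added example (my own code, not from the answer above or from hstspreload.org), the following Python checker audits a redirect chain of the shape discussed above against the rules the answer explains: the plain-HTTP hop must go straight to HTTPS on the same host and any HSTS header sent over it is ignored, while every HTTPS response, including the redirect to www, must carry Strict-Transport-Security. It also applies the directive requirements hstspreload.org enforces (max-age of at least one year, includeSubDomains, preload), which are not spelled out on this page; example.com stands in for DOMAIN and the sample responses are constructed.

```python
from urllib.parse import urlsplit

def parse_response(raw: str):
    """Return (status, headers) from a raw HTTP/1.1 response; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        if ":" in line:  # partition on the first colon keeps URL colons intact
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return int(head[0].split(" ", 2)[1]), headers

def parse_hsts(value: str) -> dict:
    """Split 'max-age=...; includeSubDomains; preload' into a lower-cased directive map
    (directive names are case-insensitive, so 'includeSubdomains' is accepted too)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives

def check_hop(url: str, raw: str) -> list:
    """Preload-relevant problems with one response in the chain (empty list = OK)."""
    status, headers = parse_response(raw)
    hsts, target, problems = headers.get("strict-transport-security"), urlsplit(headers.get("location", "")), []
    if urlsplit(url).scheme == "http":
        # Plain-HTTP hop: must forward directly to HTTPS on the same host; an HSTS header
        # here is ignored by clients because the connection is unauthenticated.
        if not 300 <= status < 400 or target.scheme != "https" or target.hostname != urlsplit(url).hostname:
            problems.append("http hop must redirect directly to https on the same host")
        if hsts is not None:
            problems.append("HSTS header sent over plain HTTP is ignored")
        return problems
    if hsts is None:  # every HTTPS response, redirect or final page, needs the header
        return ["HTTPS response lacks Strict-Transport-Security"]
    d = parse_hsts(hsts)
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < 31536000:
        problems.append("max-age missing or below one year (31536000)")
    problems += [f"{name} directive missing" for name in ("includesubdomains", "preload") if name not in d]
    return problems

def audit(chain: dict) -> dict:
    """Run check_hop over a {url: raw_response} map describing the whole chain."""
    return {url: check_hop(url, raw) for url, raw in chain.items()}

# Constructed sample chain (http -> https -> https://www) using the HSTS value quoted in the answer.
SAMPLE_CHAIN = {
    "http://example.com/": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n",
    "https://example.com/": ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n"
                             "Strict-Transport-Security: max-age=63072000; includeSubdomains\r\n\r\n"),
}
```

Running audit(SAMPLE_CHAIN) passes the http hop and flags only the missing preload directive on the HTTPS redirect, which is what would keep this chain out of the list.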