https to http error "too many redirects"

Gena Makhomed gmm at csdoc.com
Fri Mar 20 10:14:19 UTC 2015


On 20.03.2015 11:35, Daniël Mostertman wrote:

> You said that in your configuration, you have the following line:
>
> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
> add_header Strict-Transport-Security max-age=15768000;
>
> This makes nginx send an HSTS header to browsers that visit the website.
> With this, you tell the browser to always use https:// and never use
> http://, for the whole website.
> If you do not disable this, any and all requests done to the site will
> make sure that any requests for the next 6 months of that visit (you set
> it to 6 months), will always, no matter what the user or redirect
> types/does, use https://.
>
> If you want to avoid this behaviour, you should first reduce the
> duration of the header (max-age=) to 1 second, so that browsers will
> reduce the remaining time to 1 second.
> Then disable it after a few days/a week, depending on how long you think
> users take to return to your website.

HSTS is a good thing and should not be disabled.

If you need HTTP only for some URIs, it is better to create a separate server,
on a different server_name, which works only on HTTP, and leave the HTTPS
server for all the remaining HTTPS URIs. For example:

server {
   listen  443 ssl;
   server_name www.example.com;

   # HSTS (15768000 seconds = 6 months).
   # No includeSubDomains, so the policy is pinned to www.example.com only;
   # a browser never applies a host's policy to its parent domain, so
   # example.com is not affected either way.
   # Note: a location that sets its own add_header does not inherit this one.
   add_header Strict-Transport-Security max-age=15768000;

   ... # HTTPS-only (ssl_certificate/ssl_certificate_key and the rest of the site)
}

server {
   listen 80;
   server_name www.example.com;
   # plain-HTTP requests for www.example.com go straight to HTTPS
   location / { return 301 https://www.example.com$request_uri; }
}

server {
   listen 80;
   server_name example.com;
   # everything on example.com is redirected to the HTTPS host ...
   location / { return 301 https://www.example.com$request_uri; }

   # ... except these exact URIs, which are served over plain HTTP
   # (an exact-match "location =" takes precedence over the "location /" prefix)
   location = /mobile/PayOnlyResult.do {
     ... # HTTP-only
   }
   location = /kor/tel.do {
     ... # HTTP-only
   }
}

www.example.com - HTTPS-only, example.com - HTTP-only.

-- 
Best regards,
  Gena
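As an added example (not part of Gena's post and not nginx code), the following Python simulates how a browser stores and matches HSTS policies per RFC 6797 section 8. It shows why the header sent by the https://www.example.com server above does not affect example.com, what includeSubDomains would change, and how the max-age=1 trick from the quoted reply lets a policy lapse. The host names, header values and the injectable clock are constructed for illustration.

```python
"""Browser-side HSTS policy store, modelled on RFC 6797 section 8.

Added example (not from the post or from nginx). Host names, header
values and the fake clock are constructed for illustration.
"""
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid (no max-age, or a non-numeric max-age); a browser leaves its
    stored policy unchanged in that case. Directive names are
    case-insensitive and unknown ones (e.g. preload) are ignored.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Known-HSTS-host list of one browser profile."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._policies = {}      # host -> (expires_at, include_subdomains)

    def record(self, host, header, over_tls=True):
        """Process an STS header received from `host`."""
        if not over_tls:         # 8.1: a header on plain HTTP is ignored
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:         # max-age=0 deletes the stored policy
            self._policies.pop(host, None)
            return
        self._policies[host] = (self._now() + max_age, include_sub)

    def is_https_forced(self, host):
        """Would the browser rewrite http://host/... to https:// (8.2, 8.3)?

        An exact-host policy always applies. A policy on a parent domain
        applies only if it carries includeSubDomains. A policy on a
        subdomain (www.example.com) never reaches its parent (example.com).
        """
        host = host.lower().rstrip(".")
        labels = host.split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:     # expired entries are ignored
                continue
            if i == 0 or include_sub:
                return True
        return False


def demo():
    """Replay the configuration from the post against a fresh profile."""
    store = HstsStore()
    # Only the https://www.example.com server sends the header.
    store.record("www.example.com", "max-age=15768000")
    return {
        "www.example.com": store.is_https_forced("www.example.com"),          # True
        "example.com": store.is_https_forced("example.com"),                  # False
        "api.www.example.com": store.is_https_forced("api.www.example.com"),  # False
    }


if __name__ == "__main__":
    for host, forced in demo().items():
        print(f"{host:22s} forced to https: {forced}")
```

Run it directly to see the three verdicts for the hosts in the post. The same store also answers the follow-up questions: a policy for example.com with includeSubDomains would cover www.example.com and everything beneath it, max-age=0 drops a policy immediately, and a header received over plain HTTP is never recorded, which is why nothing sent by the port-80 servers can pin a browser to HTTPS.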


