https to http error "too many redirects"

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Fri Mar 20 10:36:54 UTC 2015 

Hi!

You'll _never_ reach http request since you set HSTS configuration :)
If you still want some http request on your web server, disable your
HSTS directive. (see Daniel statement on previous email).

On 03/20/2015 05:14 PM, Gena Makhomed wrote:
> On 20.03.2015 11:35, Daniël Mostertman wrote:
> 
>> You said that in your configuration, you have the following line:
>>
>> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6
>> months)
>> add_header Strict-Transport-Security max-age=15768000;
>>
>> This makes nginx send a HSTS header to browsers that visit the website.
>> With this, you tell the browser to always use https:// and never use
>> http://, for the whole website.
>> If you do not disable this, any and all requests done to the site will
>> make sure that any requests for the next 6 months of that visit (you set
>> it to 6 months), will always, no matter what the user or redirect
>> types/does, use https://.
>>
>> If you want to avoid this behaviour, you should first reduce the
>> duration of the header (max-age=) to 1 second, so that browsers will
>> reduce the remaining time to 1 second.
>> Then disable it after a few days/a week, depending on how long you think
>> users take to return to your website.
> 
> HSTS is good thing and should not be disabled.
> 
> if you need http only for some uri - better create separate server,
> on different server_name, which works only on http, and leave https
> server for all rest https uri. for example:
> 
> server {
>   listen  443 ssl;
>   server_name www.example.com;
> 
>   # HSTS (15768000 seconds = 6 months)
>   add_header Strict-Transport-Security max-age=15768000;
> 
>   ... # HTTPS-only
> }
> 
> server {
>   listen 80;
>   server_name www.example.com;
>   location / { return 301 https://www.example.com$request_uri; }
> }
> 
> server {
>   listen 80;
>   server_name example.com;
>   location / { return 301 https://www.example.com$request_uri; }
> 
>   location = /mobile/PayOnlyResult.do {
>     ... # HTTP-only
>   }
>   location = /kor/tel.do {
>     ... # HTTP-only
>   }
> }
> 
> www.example.com - HTTPS-only, example.com - HTTP-only.
>

More information about the nginx mailing list