https to http error "too many redirects"

Daniël Mostertman daniel at
Fri Mar 20 11:13:21 UTC 2015

Gena Makhomed schreef op 20-3-2015 om 12:05:
> On 20.03.2015 12:36, Dewangga Bachrul Alam wrote:
>> You'll _never_ reach http request since you set HSTS configuration :)
>> If you still want some http request on your web server, disable your
>> HSTS directive. (see Daniel statement on previous email).
> 1. HSTS enabled only on domain name
>    on domain name - no HSTS, no https and no redirects.
> 2. disabling HSTS is bad idea.
>    HSTS should be enabled on https servers.
> 3. please do not top post.
>    thank you.

1. Any website will want www. and non-www to show the same website. This 
can not be done in your configuration.

2. If any user goes to instead of it goes to the default website on 443, being in this case. If that certificate is valid for, the connection is built, and the HSTS is re-set in any 
browser for and you will end up on SSL time and time again.

3. I never said I thought it _should_ be disabled. In fact, I think 
https:// should always be used if possible, and http:// should be 
avoided at pretty much all times.

4. HSTS does not _need_ to be enabled for secure connections to work, 
it's a "very nice to have". But not mandatory. In his case, it probably 
gives more trouble than it's worth. However, I do agree that it 
_should_, like you said. But again, in his configuration that might not 
be possible to have the best possible solution for what's being wished for.

More information about the nginx mailing list