https to http error "too many redirects"

Gena Makhomed gmm at csdoc.com
Fri Mar 20 11:41:06 UTC 2015


On 20.03.2015 13:13, Daniël Mostertman wrote:

>>> You'll _never_ receive an http request since you set the HSTS configuration :)
>>> If you still want some http requests on your web server, disable your
>>> HSTS directive. (see Daniel's statement in the previous email).
>>
>> 1. HSTS is enabled only on the domain name www.example.com;
>>    on the domain name example.com there is no HSTS, no https and no redirects.
>>
>> 2. Disabling HSTS is a bad idea.
>>    HSTS should be enabled on https servers.
>>
>> 3. please do not top post.
>>    thank you.
>>
>
> 1. Any website will want www. and non-www to show the same website. This
> cannot be done in your configuration.

http://example.com and http://www.example.com show the same site:

server {
   listen 80;
   server_name example.com;
   location / { return 301 https://www.example.com$request_uri; }

   location = /mobile/PayOnlyResult.do {
     ... # HTTP-only
   }
   location = /kor/tel.do {
     ... # HTTP-only
   }
}

Exceptions are made only for two URIs, which are HTTP-only.

> 2. If any user goes to https://example.com/ instead of
> https://www.example.com/ it goes to the default website on 443, being
> www.example.com in this case. If that certificate is valid for
> example.com, the connection is built, and the HSTS is re-set in any
> browser for example.com and you will end up on SSL time and time again.

No problem,

server {
   # default server on 443: TLS must be enabled on the listen socket,
   # certificate directives (ssl_certificate / ssl_certificate_key) omitted here
   listen 443 ssl default_server;
   server_name example.com;

   # no Strict-Transport-Security header on this server
   location / { return 301 https://www.example.com$request_uri; }

   location = /mobile/PayOnlyResult.do {
     return 301 http://example.com$request_uri;
   }
   location = /kor/tel.do {
     return 301 http://example.com$request_uri;
   }
}

server {
   listen  443 ssl;
   server_name www.example.com;

   # HSTS (15768000 seconds = 6 months)
   add_header Strict-Transport-Security max-age=15768000;

   ... # HTTPS-only
}

The HTTPS site example.com is the default site and does not have HSTS.

> 3. I never said I thought it _should_ be disabled. In fact, I think
> https:// should always be used if possible, and http:// should be
> avoided at pretty much all times.

Agreed; I don't know why the topic starter needs such a strange configuration.

> 4. HSTS does not _need_ to be enabled for secure connections to work,
> it's a "very nice to have". But not mandatory. In his case, it probably
> gives more trouble than it's worth. However, I do agree that it
> _should_, like you said. But again, in his configuration that might not
> be possible to have the best possible solution for what's being wished for.

I can't agree with you that disabling HSTS
on HTTPS sites is the best possible way.

My solution may be simpler if the HTTP-only server
uses another name, for example public.example.com,
legacy.example.com, static.example.com
or something like this.

In this case, www.example.com and example.com
can both be HTTPS sites, without exceptions.

-- 
Best regards,
  Gena
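The redirect rules from the message above, as an added example that is not part of the original post or of nginx: a small Python simulator that follows a URL through the three server blocks and a browser's HSTS cache, so you can see where each URL ends up and reproduce the "too many redirects" loop from the subject line. The two HTTP-only URIs are taken from the thread; the `apex_sets_hsts` switch is an assumption that models the misconfiguration Daniël describes, where responses for https://example.com also carry Strict-Transport-Security.

```python
from urllib.parse import urlsplit

# The two HTTP-only URIs from the thread (sample data, matches the config above)
HTTP_ONLY = {"/mobile/PayOnlyResult.do", "/kor/tel.do"}


class RedirectLoop(Exception):
    """Raised when the hop limit is hit: the browser's 'too many redirects'."""


def _target(scheme, host, uri):
    return f"{scheme}://{host}{uri}"


def route(url, hsts_hosts, apex_sets_hsts=False):
    """One hop: what the browser or the server does with `url`.

    hsts_hosts models the browser's HSTS cache (a set of host names).
    apex_sets_hsts=True is the hypothetical misconfiguration where the
    default :443 server for example.com also sends an HSTS header.
    Returns ("serve", description) or ("redirect" | "upgrade", next_url).
    """
    parts = urlsplit(url)
    scheme, host, path = parts.scheme, parts.hostname, parts.path
    uri = path + (f"?{parts.query}" if parts.query else "")  # nginx $request_uri

    # Client side: a host in the HSTS cache is upgraded before any request is sent
    if scheme == "http" and host in hsts_hosts:
        return "upgrade", _target("https", host, uri)

    if scheme == "http":
        # The only server on :80 is the default one, so www and non-www land here
        if path in HTTP_ONLY:
            return "serve", f"HTTP-only content on {host}"
        return "redirect", _target("https", "www.example.com", uri)

    if host == "www.example.com":
        hsts_hosts.add(host)  # add_header Strict-Transport-Security
        return "serve", "HTTPS site www.example.com"

    # Anything else on :443 hits default_server (example.com): redirects only
    if apex_sets_hsts:
        hsts_hosts.add("example.com")  # the misconfiguration being modelled
    if path in HTTP_ONLY:
        return "redirect", _target("http", "example.com", uri)
    return "redirect", _target("https", "www.example.com", uri)


def follow(url, hsts_hosts=None, apex_sets_hsts=False, max_hops=10):
    """Follow hops until something is served; return (final_url, hops).

    Raises RedirectLoop when max_hops is exceeded.
    """
    hsts_hosts = set() if hsts_hosts is None else hsts_hosts
    hops = []
    for _ in range(max_hops):
        kind, value = route(url, hsts_hosts, apex_sets_hsts)
        if kind == "serve":
            return url, hops
        hops.append((kind, url))
        url = value
    raise RedirectLoop(hops)


if __name__ == "__main__":
    cache = set()  # one browser's HSTS cache, shared across visits
    print(follow("http://example.com/kor/tel.do", cache))        # served over HTTP
    print(follow("http://example.com/", cache))                  # -> https://www
    print(follow("https://example.com/kor/tel.do", cache))       # back to http
    try:  # HSTS remembered for the apex: the HTTP-only URI can never be reached
        follow("http://example.com/kor/tel.do", {"example.com"})
    except RedirectLoop as loop:
        print("too many redirects after", len(loop.args[0]), "hops")
```

The last call shows why the apex must not send HSTS: once example.com is in the cache, `http://example.com/kor/tel.do` is upgraded by the browser, the :443 server bounces it back to http, and the browser upgrades it again until it gives up.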
