https to http error "too many redirects"
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Fri Mar 20 10:36:54 UTC 2015
Hi!
You'll _never_ reach http request since you set HSTS configuration :)
If you still want some http request on your web server, disable your
HSTS directive. (see Daniel statement on previous email).
On 03/20/2015 05:14 PM, Gena Makhomed wrote:
> On 20.03.2015 11:35, Daniël Mostertman wrote:
>
>> You said that in your configuration, you have the following line:
>>
>> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6
>> months)
>> add_header Strict-Transport-Security max-age=15768000;
>>
>> This makes nginx send a HSTS header to browsers that visit the website.
>> With this, you tell the browser to always use https:// and never use
>> http://, for the whole website.
>> If you do not disable this, any and all requests done to the site will
>> make sure that any requests for the next 6 months of that visit (you set
>> it to 6 months), will always, no matter what the user or redirect
>> types/does, use https://.
>>
>> If you want to avoid this behaviour, you should first reduce the
>> duration of the header (max-age=) to 1 second, so that browsers will
>> reduce the remaining time to 1 second.
>> Then disable it after a few days/a week, depending on how long you think
>> users take to return to your website.
>
> HSTS is good thing and should not be disabled.
>
> if you need http only for some uri - better create separate server,
> on different server_name, which works only on http, and leave https
> server for all rest https uri. for example:
>
> server {
> listen 443 ssl;
> server_name www.example.com;
>
> # HSTS (15768000 seconds = 6 months)
> add_header Strict-Transport-Security max-age=15768000;
>
> ... # HTTPS-only
> }
>
> server {
> listen 80;
> server_name www.example.com;
> location / { return 301 https://www.example.com$request_uri; }
> }
>
> server {
> listen 80;
> server_name example.com;
> location / { return 301 https://www.example.com$request_uri; }
>
> location = /mobile/PayOnlyResult.do {
> ... # HTTP-only
> }
> location = /kor/tel.do {
> ... # HTTP-only
> }
> }
>
> www.example.com - HTTPS-only, example.com - HTTP-only.
>
More information about the nginx
mailing list