https to http error "too many redirects"

Daniël Mostertman daniel at mostertman.org
Fri Mar 20 11:13:21 UTC 2015


Gena Makhomed wrote on 20-3-2015 at 12:05:
> On 20.03.2015 12:36, Dewangga Bachrul Alam wrote:
>
>> You'll _never_ reach http request since you set HSTS configuration :)
>> If you still want some http request on your web server, disable your
>> HSTS directive. (see Daniel's statement in the previous email).
>
> 1. HSTS enabled only on domain name www.example.com
>    on domain name example.com - no HSTS, no https and no redirects.
>
> 2. disabling HSTS is a bad idea.
>    HSTS should be enabled on https servers.
>
> 3. please do not top post.
>    thank you.
>

1. Any website will want www. and non-www to show the same website. This
cannot be done in your configuration.

2. If any user goes to https://example.com/ instead of 
https://www.example.com/ it goes to the default website on 443, being 
www.example.com in this case. If that certificate is valid for 
example.com, the connection is built, and the HSTS is re-set in any 
browser for example.com and you will end up on SSL time and time again.

3. I never said I thought it _should_ be disabled. In fact, I think 
https:// should always be used if possible, and http:// should be 
avoided at pretty much all times.

4. HSTS does not _need_ to be enabled for secure connections to work, 
it's a "very nice to have". But not mandatory. In his case, it probably 
gives more trouble than it's worth. However, I do agree that it 
_should_, like you said. But again, in his configuration it might not
be possible to have the best possible solution for what's being wished for.
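
The behaviour described in point 2, as an added sketch that is not part of the original post or the poster's configuration: a simplified model of a browser's HSTS store (RFC 6797) against a constructed server whose only vhost on 443 answers for every Host. It assumes the certificate is valid for both names; `HSTSStore`, `server`, `visit` and the `max-age` value are illustrative.

```python
import re
from urllib.parse import urlsplit

class HSTSStore:
    """Browser-side list of known HSTS hosts (simplified: expiry is not tracked)."""
    def __init__(self):
        self.policies = {}  # host -> includeSubDomains flag

    def note(self, scheme, host, sts):
        # The header is only honoured when it arrives over https.
        if scheme != "https" or not sts:
            return
        m = re.search(r"max-age\s*=\s*(\d+)", sts, re.I)
        if not m:
            return
        if int(m.group(1)) == 0:
            self.policies.pop(host, None)  # max-age=0 clears the policy
        else:
            self.policies[host] = "includesubdomains" in sts.lower()

    def covers(self, host):
        # Exact host match, or a parent domain that set includeSubDomains.
        labels = host.split(".")
        return any(
            ".".join(labels[i:]) in self.policies
            and (i == 0 or self.policies[".".join(labels[i:])])
            for i in range(len(labels))
        )

def server(scheme, host):
    """Constructed server: one vhost on 443 (www.example.com), used as default."""
    if scheme == "https":
        # Every Host on 443 lands in this vhost, so example.com gets the header too.
        return "max-age=31536000"  # constructed value
    return None  # port 80: plain http, no HSTS header

def visit(url, store):
    """Return the URL the browser really requests, then record any HSTS header."""
    parts = urlsplit(url)
    scheme, host = parts.scheme, parts.hostname
    if scheme == "http" and store.covers(host):
        scheme = "https"  # internal upgrade, before anything is sent over http
    store.note(scheme, host, server(scheme, host))
    return f"{scheme}://{host}{parts.path or '/'}"
```

A policy learned on www.example.com does not cover example.com, but a single visit to https://example.com/ pins the apex, and later http:// requests to it are upgraded before they leave the browser.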


