Hi all,
After more than 2 days trying to figure out what the reason can be, this is like a desperate call for help.
First, thanks to perusio for the great work. I was using my own setup based on the distro files, but with your approach I've learned a lot.
I'm using nginx 1.0.13 + drupal6 + APC, migrated from an Apache configuration. It's a dedicated server where I host 4 different websites, only one has a SSL certificate and is where I have problems.
My issue is that I can't reach the http url; I'm always being redirected to https. It's really disconcerting me because I'm sure my drupal doesn't do the redirect, but it's occurring. I've redirected the canonical kallejeo.com to www.kallejeo.com, but from there it jumps to https://www.kallejeo.com. After doing a lot of tests I found that:
- If I use lynx to access http://www.kallejeo.com, it doesn't redirect to https.
- If I put some other file not related to drupal, it is redirected to https too, i.e. if I access http://www.kallejeo.com/japicodertest.php, it is redirected to https://www.kallejeo.com/japicodertest.php.
- If I duplicate this site changing the domain name, like www.japicodertest.com, it doesn't redirect to https (I suppose that because SSL is for www.kallejeo.com, it won't redirect).
Is this an nginx issue? I haven't found anything on the nginx mailing list.
Any comment will be appreciated to shed some light on this strange issue!
I attach a capture where the strange behaviour is visible; if you look, there is a redirect from kallejeo.com to www.kallejeo.com with a 301 status, but there is no status in the next redirect!
Thanks in advance!
Javi
| Attachment | Size |
|---|---|
| http_to_https.jpg | 35.7 KB |
Comments
Check your nginx config for a line like:
add_header Strict-Transport-Security "max-age=7200";
If you're using that feature, it's doing what it is designed to do.
When I visit your site on http I get http. Only after I visit the https site do I get redirected.
No redirect here
curl -I http://www.kallejeo.com/
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Mar 2012 17:12:12 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=10
Vary: Accept-Encoding
Set-Cookie: SESS4f7af916f67cf1a67889a1a352259602=6lclv0bhf1k0g5luk09j435ja2; expires=Fri, 06-Apr-2012 20:45:31 GMT; path=/; domain=.kallejeo.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Last-Modified: Wed, 14 Mar 2012 17:12:11 GMT
Cache-Control: no-cache
X-Micro-Cache: MISS
Note that you're sending a cookie for anon users. That pierces the Nginx cache. I suggest you switch to pressflow or use no_anon.
EDIT: Pay attention that browsers memorize 301 redirects. Until you get the redirect where you want it, always use a 302. That's my suggestion.
Hi,
I'm using no_anon to avoid sending cookies to anonymous users, as well as to avoid sending them to bots, but obviously something is not working right.
Anyway, I will try your suggestion; I'm sure all this can help.
Thanks for your reply!
Thanks for your quick reply, brianmercer
In my HTTPS server config I added this to protect the website against BEAST attacks:
My config was based on perusio's so I decided to comment out the line you just indicated me.
Yep, I'm not an SSL expert so I figured those lines would be ok. Clearing the browser's cache didn't help, so I supposed it was another issue. It makes sense to me, because I'm telling SSL to have a long max-age ...
"When I visit your site on http I get http. Only after I visit the https site do I get redirected."
This paragraph makes me feel better, fiuuuuu :-) I'm going to prepare a double cup of tila and return to check it again. Thanks!
The STS setting is stored in the sqlite database that modern browsers use. To clear it either go through the interface and clear the setting or connect to the sqlite DB and clear the value of STS for your site.
Browsers today are almost too smart for our own good.
Browsers can be finicky about clearing STS. Try adding this:
add_header Strict-Transport-Security "max-age=0";
You may have removed it from the main page but you're still sending it from css files:
#curl -I https://www.kallejeo.com/sites/default/files/css/css_0f731080e7027fd982c...
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Mar 2012 19:28:05 GMT
Content-Type: text/css
Content-Length: 48433
Last-Modified: Wed, 14 Mar 2012 15:18:30 GMT
Connection: keep-alive
Keep-Alive: timeout=75
Vary: Accept-Encoding
Expires: Fri, 13 Apr 2012 19:28:05 GMT
Cache-Control: max-age=2592000
Strict-Transport-Security: max-age=7200
Accept-Ranges: bytes
Wow, you're amazing guys
The problem was on the browser side. On my HTTPS config I had this:
The first time you access the web site it shows the http version. If you now access the https one, the Strict-Transport-Security header tells the browser to always redirect to HTTPS. I wasn't aware of it! I'm not an SSL guru, nor did I know about HSTS (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). Modern browsers support it and it seems not easy to return to the original behaviour, where you can see a page with http.
I've tried changing this line:
add_header Strict-Transport-Security "max-age=0";
But the browser still remembers the old header. For those like me who want to try http, the only way I found is, as perusio says, to access the STS cache and clear your web site data. To achieve this:
Chrome: Open new tab and go to chrome://net-internals/#hsts
Check your domain in Query domain or delete it in Delete domain.
Firefox: using max-age=200 was enough
After this, I can again access to http://www.kallejeo.com :-)
Many thanks for your replies, they put me on the right track!
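To make the behaviour described in this thread concrete, here is an added Python model of a browser's HSTS store (example code, not from the thread, nginx or Drupal) that replays the sequence: plain http at first, the https visit that stores max-age=7200, the max-age=0 header that clears it, and a css response that sets it again. The css path x.css is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""
    def __init__(self): self.hosts = {}
    def process_response(self, url, headers, now):
        """Record or clear an entry. Only https responses count (RFC 6797, section 8.1)."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
        if not m:
            return
        if int(m.group(1)) == 0:
            self.hosts.pop(parts.hostname, None)      # max-age=0 makes the browser forget the host
        else:
            self.hosts[parts.hostname] = (now + int(m.group(1)), "includesubdomains" in value.lower())

    def rewrite(self, url, now):
        """Return the URL the browser really requests when the user types an http URL."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):                  # exact host first, then parents with includeSubDomains
            cand = ".".join(labels[i:])
            entry = self.hosts.get(cand)
            if entry is None:
                continue
            expiry, subs = entry
            if now >= expiry:
                del self.hosts[cand]                  # expired entries are dropped
            elif i == 0 or subs:
                return urlunsplit(("https",) + tuple(parts)[1:])
        return url

def kallejeo_scenario():
    """Replay the thread: http first, https visit, max-age=0 clear, then a css file re-arming HSTS."""
    cache, site = HstsCache(), "http://www.kallejeo.com/"
    hsts = {"Strict-Transport-Security": "max-age=7200"}
    seen = [cache.rewrite(site, now=0)]                              # nothing stored yet -> http
    cache.process_response("https://www.kallejeo.com/", hsts, now=10)
    seen.append(cache.rewrite(site, now=20))                         # forced to https
    cache.process_response("https://www.kallejeo.com/", {"Strict-Transport-Security": "max-age=0"}, now=30)
    seen.append(cache.rewrite(site, now=40))                         # cleared again
    cache.process_response("https://www.kallejeo.com/sites/default/files/css/x.css", hsts, now=50)  # constructed path
    seen.append(cache.rewrite(site, now=60))                         # css header re-arms HSTS
    return seen
```

The last step is the point brianmercer made above: as long as any https response (a stylesheet included) still carries the header, the browser keeps upgrading http requests.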
I have the same problem but I am using Apache and MySQL, please help me.