Always redirecting to https?

japicoder:

Hi all,

After more than 2 days trying to figure out what the reason can be, this is like a desperate call for help.

First, thanks to perusio for the great work. I was using my own setup based on the distro files, but with your approach I've learned a lot.

I'm using nginx 1.0.13 + drupal6 + APC, migrated from an Apache configuration. It's a dedicated server where I host 4 different websites; only one has an SSL certificate and that is where I have problems.

My issue is that I can't reach the http url; I'm always being redirected to https. It's really disconcerting me because I'm sure my drupal doesn't do the redirect, but it's occurring. I've redirected the canonical kallejeo.com to www.kallejeo.com but from there it jumps to https://www.kallejeo.com. After doing a lot of tests I found that:

Is this an nginx issue? I haven't found anything on the nginx mailing list.

Any comment will be appreciated to shed some light on this strange issue!

I attach a capture where the strange behaviour is visible: if you look, there is a redirect from kallejeo.com to www.kallejeo.com with a 301 status, but there is no status in the next redirect!

Thanks in advance!
Javi

Attachment: http_to_https.jpg (35.7 KB)

Comments

Check your nginx config for a

brianmercer:

Check your nginx config for a line like:

add_header Strict-Transport-Security "max-age=7200";

If you're using that feature, it's doing what it is designed to do.

When I visit your site on http I get http. Only after I visit the https site do I get redirected.

No redirect here

perusio:

curl -I  http://www.kallejeo.com/
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Mar 2012 17:12:12 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=10
Vary: Accept-Encoding
Set-Cookie: SESS4f7af916f67cf1a67889a1a352259602=6lclv0bhf1k0g5luk09j435ja2; expires=Fri, 06-Apr-2012 20:45:31 GMT; path=/; domain=.kallejeo.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Last-Modified: Wed, 14 Mar 2012 17:12:11 GMT
Cache-Control: no-cache
X-Micro-Cache: MISS

Note that you're sending a cookie for anon users. That pierces the Nginx cache. I suggest you switch to pressflow or use no_anon.

EDIT: Pay attention that browsers memorize 301 redirects. Until you get the redirect where you want it, always use a 302. That's my suggestion.

Hi, I'm using no_anon to

japicoder:

Hi,
I'm using no_anon to avoid sending cookies to anonymous users, as well as to avoid sending them to bots too, but obviously something is not working right.

Anyway, I will try your suggestion, I'm sure this all can help.

Thanks for your reply!

Thanks for your quick reply,

japicoder:

Thanks for your quick reply, brianmercer

In my HTTPS server config I added this to protect the website against BEAST attacks:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

My config was based on perusio's, so I decided to comment out the line you just indicated to me.

Yep, I'm not an SSL expert so I figured those lines would be ok. Clearing the browser's cache didn't help so I supposed it was another issue. It makes sense to me, because I'm telling SSL to have a long max-age ...

"When I visit your site on http I get http. Only after I visit the https site do I get redirected."

This paragraph makes me feel better, fiuuuuu :-) I'm going to prepare a double cup of tila and return to check it again. Thanks!

The STS setting

perusio:

is stored in the sqlite database that modern browsers use. To clear it, either go through the interface and clear the setting or connect to the sqlite DB and clear the value of STS for your site.

Browsers today are almost too smart for our own good.

Browsers can be finicky about

brianmercer:

Browsers can be finicky about clearing STS. Try adding this:

add_header Strict-Transport-Security "max-age=0";

You may have removed it from

brianmercer:

You may have removed it from the main page but you're still sending it from css files:

#curl -I https://www.kallejeo.com/sites/default/files/css/css_0f731080e7027fd982c...
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Mar 2012 19:28:05 GMT
Content-Type: text/css
Content-Length: 48433
Last-Modified: Wed, 14 Mar 2012 15:18:30 GMT
Connection: keep-alive
Keep-Alive: timeout=75
Vary: Accept-Encoding
Expires: Fri, 13 Apr 2012 19:28:05 GMT
Cache-Control: max-age=2592000
Strict-Transport-Security: max-age=7200
Accept-Ranges: bytes

Wow, you're amazing guys

japicoder:

The problem was on the browser side. On my HTTPS config I had this:

## Server certificate and key.
ssl  on;
ssl_certificate  /etc/ssl/certs/www.kallejeo.com.crt;
ssl_certificate_key  /etc/ssl/private/www.kallejeo.com.key;
ssl_verify_depth 3;

## Protection to avoid the BEAST attack
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

## Strict Transport Security header for enhanced security. See
## http://www.chromium.org/sts. I've set it to 2 hours; set it to
## whichever age you want.
add_header Strict-Transport-Security "max-age=7200";

The first time you access the web site it shows the http version. If you then access the https version, the Strict-Transport-Security header tells the browser to always redirect to HTTPS. I wasn't aware of it! I'm not an SSL guru and I didn't know about HSTS (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). Modern browsers support it and it seems not easy to return to the original behaviour, where you can see a page over http.

I've tried changing this line:

add_header Strict-Transport-Security "max-age=0";

But the browser still remembers the old header. For those like me who want to try http, the only way I found is, as perusio says, to access the STS cache and clear your web site's data. To achieve this:

  • Chrome: Open a new tab and go to chrome://net-internals/#hsts
    Check your domain in Query domain or delete it on Delete domain.

  • Firefox: using max-age=200 was enough

After this, I can again access to http://www.kallejeo.com :-)

Many thanks for your replies, they put me on the right track!
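As an added illustration (not code from this thread or from perusio's config) of the behaviour japicoder describes above and of brianmercer's finding that the css files were still sending the header: a small model of the per-host HSTS store a browser keeps, driven by constructed response headers modelled on the curl -I output in the thread. It shows that only an HTTPS response can set the entry, that every HTTPS response (a stylesheet included) renews it, that the entry expires after max-age seconds, and that max-age=0 deletes it. The host names and header values are examples, not live captures.

```python
# Constructed responses modelled on the curl -I output in this thread (not live captures).
HTTPS_CSS = ("HTTP/1.1 200 OK\nContent-Type: text/css\nCache-Control: max-age=2592000\n"
             "Strict-Transport-Security: max-age=7200\n")
HTTPS_SUB = ("HTTP/1.1 200 OK\n"
             "Strict-Transport-Security: max-age=2592000; includeSubDomains\n")
HTTPS_CLEAR = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=0\n"


def get_header(raw, name):
    """Return the first value of header `name` in a raw response, or None."""
    for line in raw.splitlines()[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":  # directive names are case-insensitive
            include_sub = True
    return max_age, include_sub


class HstsStore:
    """Per-host HSTS entries as a browser keeps them (RFC 6797 semantics)."""
    def __init__(self):
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, scheme, host, raw, now):
        """Learn from one response; only HTTPS responses may set or clear HSTS."""
        value = get_header(raw, "Strict-Transport-Security")
        if scheme != "https" or value is None:
            return
        max_age, include_sub = parse_hsts(value)
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the entry
        elif max_age:
            self.entries[host] = (now + max_age, include_sub)

    def upgrades(self, host, now):
        """Would a request to http://host be rewritten to https://host?"""
        for known, (expiry, include_sub) in self.entries.items():
            if expiry > now and (host == known or
                                 (include_sub and host.endswith("." + known))):
                return True
        return False
```

Feeding every response of a page load (HTML, css, js) through observe() is what makes the 7200-second entry keep coming back as long as any asset still carries the header.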

I have the same problem

sumithb:

I have the same problem but I am using Apache and MySQL, please help me.