Always redirecting to https?

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by japicoder on March 14, 2012 at 4:37pm

Hi all,

After more than 2 days trying to figure what can be the reason, this is like a desperate call of help.

First, thanks to perusio for the great work. I was using my own setup based on the distro files, but with your approach I've learned a lot.

I'm using nginx 1.0.13 + drupal6 + APC, migrated from an Apache configuration. It's a dedicated server where I host 4 different websites, only one has a SSL certificate and is where I have problems.

My issue is that I can't reach the http url, always I'm being redirected to https. It's really disconcerting me because I sure my drupal doesn't do the redirect, but it's occurring. I've redirected the canonical kallejeo.com to www.kallejeo.com but from this jumps to https://www.kallejeo.com. After doing a lot of tests a found that:

Is this a nginx issue? haven't found anything on the nginx maillist.

Any comment will be appreciated to shed some light to this extrange issue!

I attach a capture where is visible the extrange behaviour, if you see, there is a redirect from kallejeo.com to www.kallejeo.com with a 301 status, but there is no status in the next redirect!

Thanks in advance!
Javi

AttachmentSize
http_to_https.jpg 35.7 KB
Categories: ,

Comments

Check your nginx config for a

Posted by brianmercer on March 14, 2012 at 4:58pm

Check your nginx config for a line like:

add_header Strict-Transport-Security "max-age=7200";

If you're using that feature, it's doing what it is designed to do.

When I visit your site on http I get http. Only after I visit the https site do I get redirected.

No redirect here

Posted by perusio on March 14, 2012 at 5:17pm
curl -I http://www.kallejeo.com/
HTTP/1.1 200 OK
Server: nginx
Date: 2012年3月14日 17:12:12 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=10
Vary: Accept-Encoding
Set-Cookie: SESS4f7af916f67cf1a67889a1a352259602=6lclv0bhf1k0g5luk09j435ja2; expires=Fri, 06-Apr-2012 20:45:31 GMT; path=/; domain=.kallejeo.com
Expires: 1970年1月01日 00:00:01 GMT
Last-Modified: 2012年3月14日 17:12:11 GMT
Cache-Control: no-cache
X-Micro-Cache: MISS

Note that you're sending a cookie for anon users. That pierces the Nginx cache. I suggest you switch to pressflow or use no_anon.

EDIT: Pay attention that browsers memorize 301 redirects. Until you get the redirect where you want use always a 302. That's my suggestion.

Hi, I'm using no_anon to

Posted by japicoder on March 14, 2012 at 5:25pm

Hi,
I'm using no_anon to avoid sending cookies to anonymous users, as well to avoid send to bots too, but is obvious something is not working right.

Anyway, I will try your suggestion, I'm sure this all can help.

Thanks for your reply!

Thanks for your quick reply,

Posted by japicoder on March 14, 2012 at 5:19pm

Thanks for your quick reply, brianmercer

In my HTTPS server config I added this to protect website againts BEAST attacks:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

My config was based on perusio's so I decided to comment out the line you just indicated me.

Yep, I'm not an SSL expert so I figured out that lines will be ok. Clearing browser's cache didn't help so I supposed it was another issue. It makes sense to me, because I'm telling SSL to have a long max-age ...

"When I visit your site on http I get http. Only after I visit the https site do I get redirected."

This paragraph makes me feel better, fiuuuuu :-) I'm going to prepare a double cup of tila and return to check it again. Thanks!

The STS setting

Posted by perusio on March 14, 2012 at 11:31pm

is stored in the sqlite database that modern browsers use. To clear it either go through the interface and clear the setting or connect to sqlite DB and clear the value of STS for your site.

Browsers today are almost too smart for our own good.

Browsers can be finicky about

Posted by brianmercer on March 14, 2012 at 5:58pm

Browsers can be finicky about clearing STS. Try adding this:

add_header Strict-Transport-Security "max-age=0";

You may have removed it from

Posted by brianmercer on March 14, 2012 at 7:29pm

You may have removed it from the main page but you're still sending it from css files:

#curl -I https://www.kallejeo.com/sites/default/files/css/css_0f731080e7027fd982c...
HTTP/1.1 200 OK
Server: nginx
Date: 2012年3月14日 19:28:05 GMT
Content-Type: text/css
Content-Length: 48433
Last-Modified: 2012年3月14日 15:18:30 GMT
Connection: keep-alive
Keep-Alive: timeout=75
Vary: Accept-Encoding
Expires: 2012年4月13日 19:28:05 GMT
Cache-Control: max-age=2592000
Strict-Transport-Security: max-age=7200
Accept-Ranges: bytes

Wow, you're amazing guys

Posted by japicoder on March 15, 2012 at 10:35am

The problem was on the browser side. On my HTTPS config I had this:

## Server certificate and key.
ssl on;
ssl_certificate /etc/ssl/certs/www.kallejeo.com.crt;
ssl_certificate_key /etc/ssl/private/www.kallejeo.com.key;
ssl_verify_depth 3;
## Proteccion para evitar ataque BEAST
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
## Strict Transport Security header for enhanced security. See
## http://www.chromium.org/sts. I've set it to 2 hours; set it to
## whichever age you want.
add_header Strict-Transport-Security "max-age=7200";

The first time you access to the web site it shows the http version. If now access to the https, the Strict-Transport-Security tells browser to always redirect to HTTPS. I wasn't aware of! I'm not a SSL guru nor I didn't known about HSTS (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). Modern browsers support it and seems not easy to return to original behaviour, when you can see a page with http.

I've tried changing this line:

add_header Strict-Transport-Security "max-age=0";

But the browser still remembers the old header. For those like who wants to try http, the only way I found is like perusio tells, access to the STS cache and clear your web site data. To achieve this:

  • Chrome: Open new tab and go to chrome://net-internals/#hsts
    Check your domain in Query domain o delete it on Delete domain.

  • Firefox: using a max-age=200 was enougth

After this, I can again access to http://www.kallejeo.com :-)

Many thanks for your replies, their put me on the correct way!

I have the same problem

Posted by sumithb on February 4, 2013 at 8:28am

I have the same problem but I am using Apache and mySQL please help me.

Nginx

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /