SSL How to remove SSL 301 permanent redirect ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Mar 4, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    I haven't done this personally myself on a live production site with an https to http switch. On a test site it's easy, being the only visitor: just clear the browser's history, cache etc., remove SSL and reboot the computer. But a live production site has visitors, and the SSL 301 permanent redirect is permanently cached in visitors' browsers, so when you remove SSL and remove the SSL 301 permanent redirect from http to https, visitors will still get redirected from http to https unless they also clear browser history, cache and reboot their systems.

    So curious how @RoldanLT did it to revert from https to http

    IIRC, you first set the HSTS TTL value in your SSL Nginx vhost server context to 0?

    so from

    Code:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    to


    Code:
    add_header Strict-Transport-Security "max-age=0; includeSubdomains;";
    How long did you leave that in place for https connections until you removed SSL and the 301 permanent redirect from http to https?
     
  2. rdan

    rdan Well-Known Member

    I have had it placed there since day one when I reverted back from https to HTTP only.
    Until now the HTTPS server block is still there, but with "0" ZERO:
    add_header Strict-Transport-Security "max-age=0; includeSubdomains;";
     
  3. rdan

    rdan Well-Known Member

    My current config :)
    Code:
    server {
        listen 80;
        server_name phcorner.net;
        return 301 http://www.phcorner.net$request_uri;
    }

    server {
        listen 80;
        server_name www.phcorner.net;

        access_log off;
        log_not_found off;
        error_log /home/nginx/domains/phcorner.net/log/error.log;
        root /home/nginx/domains/phcorner.net/public;

        ### Start Xenforo
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data {
            location ~ \.(data|html|php)$ {
                add_header X-Frame-Options SAMEORIGIN;
                add_header X-Content-Type-Options nosniff;
                internal;
            }
            internal;
        }

        location /library {
            location ~ \.(default|html|php|txt|xml)$ {
                internal;
            }
            internal;
        }
        ### End Xenforo

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php_phc.conf;
        include /usr/local/nginx/conf/drop.conf;
    }

    server {
        listen 443 ssl spdy;
        server_name phcorner.net www.phcorner.net;
        keepalive_timeout 70;
        # Every https request is sent straight back to http. add_header is applied
        # to 301 responses, so the max-age=0 below rides along on this redirect and
        # clears the HSTS entry a returning visitor's browser still holds.
        return 301 http://www.phcorner.net$request_uri;

        add_header Strict-Transport-Security "max-age=0";
        add_header X-Content-Type-Options "nosniff";
        add_header Alternate-Protocol 443:npn-spdy/3;

        ssl_certificate /usr/local/nginx/conf/ssl/positivessl/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/positivessl/www_phcorner_net.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # RC4 and 3DES are weak by today's standards; harmless here only because
        # this vhost does nothing but redirect, but drop them if https comes back.
        ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:40m;
        ssl_session_timeout 60m;
        spdy_headers_comp 5;
        ssl_buffer_size 4k;
        ssl_session_tickets on;

        resolver 8.8.8.8 8.8.4.4 valid=900s;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/positivessl/ssl-trusted.crt;

        access_log off;
        log_not_found off;
        error_log /home/nginx/domains/phcorner.net/log/error.log;
        root /home/nginx/domains/phcorner.net/public;

        # Nothing below is reached for a request (the server-level return fires
        # first); it is kept so the vhost stays a drop-in copy of the port-80 one.
        ### Start Xenforo
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data {
            location ~ \.(data|html|php)$ {
                add_header X-Frame-Options SAMEORIGIN;
                add_header X-Content-Type-Options nosniff;
                internal;
            }
            internal;
        }

        location /library {
            location ~ \.(default|html|php|txt|xml)$ {
                internal;
            }
            internal;
        }
        ### End Xenforo

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php_phc.conf;
        include /usr/local/nginx/conf/drop.conf;
    }
     
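To see why the max-age=0 on the 443 server block (post 3) is what un-pins returning visitors, while simply deleting the header (the worry in post 1) leaves them stuck until their cached max-age runs out, here is a small browser-side HSTS store modelled on RFC 6797. This is an added example, not code from the forum, from Centmin Mod or from the posters; the host name, timestamps and header values are constructed to replay the phcorner.net revert and are assumptions for illustration.

```python
"""Browser-side HSTS 'known host' store, modelled on RFC 6797.

Added example for this thread (posts 1 and 3); not code from Centmin Mod or
from the posters. Hosts, days and header values are constructed to mirror
the https -> http revert described in the thread.
"""
import re

YEAR = 31536000  # the max-age from the original add_header line in post 1
DAY = 86400


def parse_sts(value):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is malformed and a conforming browser ignores it (RFC 6797 section 8.1).
    """
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerates the trailing ';' in the thread's header
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age="0" is a legal quoted form
        if name in seen:
            return None  # a directive may appear only once (section 6.1)
        seen[name] = val
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return int(seen["max-age"]), "includesubdomains" in seen


class HSTSStore:
    """What a browser remembers: host -> (expiry time, includeSubDomains)."""

    def __init__(self):
        self.entries = {}

    def observe(self, host, scheme, headers, now):
        """Apply one HTTP response to the store the way a browser would."""
        if scheme != "https":
            return  # STS over plain http is ignored (section 8.1): a
                    # max-age=0 on the port-80 vhost alone changes nothing
        value = headers.get("strict-transport-security")
        if value is None:
            return  # no header at all: the existing entry is left untouched
        parsed = parse_sts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the known host
        else:
            self.entries[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if the browser would rewrite http://host to https itself."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # expired entry is no longer enforced
            if i == 0 or include_sub:  # exact host, or a pinned parent domain
                return True
        return False


def revert_timeline():
    """Replay the revert step by step for a returning visitor, plus one
    visitor who never comes back after the site went https."""
    host = "www.phcorner.net"  # constructed scenario host
    returning, absent = HSTSStore(), HSTSStore()
    long_policy = {"strict-transport-security": f"max-age={YEAR}; includeSubdomains;"}
    for store in (returning, absent):
        store.observe(host, "https", long_policy, now=0)  # day 0: https + HSTS
    out = {"pinned_on_day_1": returning.must_upgrade(host, 1 * DAY)}
    # day 1: header deleted, https just 301s to http; the entry survives
    returning.observe(host, "https", {}, now=1 * DAY)
    out["after_header_removed"] = returning.must_upgrade(host, 2 * DAY)
    # day 2: max-age=0 served, but only by the port-80 vhost; ignored
    returning.observe(host, "http", {"strict-transport-security": "max-age=0"}, now=2 * DAY)
    out["after_max_age_0_over_http"] = returning.must_upgrade(host, 3 * DAY)
    # day 3: max-age=0 sent by the 443 server block on its 301 (post 3)
    returning.observe(host, "https", {"strict-transport-security": "max-age=0"}, now=3 * DAY)
    out["after_max_age_0_over_https"] = returning.must_upgrade(host, 4 * DAY)
    # the absent visitor never sees max-age=0: pinned until the year is up
    out["absent_visitor_day_300"] = absent.must_upgrade(host, 300 * DAY)
    out["absent_visitor_after_year"] = absent.must_upgrade(host, YEAR + DAY)
    return out


if __name__ == "__main__":
    for step, pinned in revert_timeline().items():
        print(f"{step:30} browser forces https: {pinned}")
```

The practical reading: keep the https vhost alive and answering with max-age=0 for at least as long as your original max-age, because only visitors who come back over https while that header is served get un-pinned; the rest simply age out.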
  4. eva2000

    eva2000 Administrator Staff Member

    Oh I see, you permanently 301 redirected https to http in the SSL vhost server context container and set up a full non-https server context container for port 80 http connections.

    How did that initially go over with your visitors? Did they still need to clear their browser caches etc.?
     
  5. rdan

    rdan Well-Known Member

    Quote:
    How did that initially go over with your visitors? Did they still need to clear their browser caches etc.?
    No, they don't need to do anything.
    They will just notice they are auto-redirected back to http without any issues :)
     
  6. rdan

    rdan Well-Known Member

    You can try it here for 1 day :D
    No user will notice the forum is using HTTP only :D
     
  7. eva2000

    eva2000 Administrator Staff Member

    nice good to know - this would be handy for folks wanting to go back from https to http :)

    I updated my SPDY SSL guide with a 302 temp redirect for starters so folks can see if https is what they like. Only after they are sure should they change to 301 permanent redirects.
     
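The reason a 302 is the safer first step is that a bare 301 is one of the status codes a cache may store and reuse without any explicit freshness information, whereas a 302 or 307 is only stored when the response says so. The checker below, an added example that is not code from the forum or from Centmin Mod, applies those rules (RFC 7231 section 6.1, RFC 7234, RFC 7538 for 308) to a few constructed redirect responses; the example.com URLs and the sample responses are made up for illustration.

```python
"""Redirect cacheability check, modelled on RFC 7231 section 6.1 and RFC 7234.

Added example for post 7 of this thread (302 first, 301 once you are sure);
not code from the forum or from Centmin Mod. The raw responses below are
constructed samples, not captures from any site.
"""

# Status codes a cache may store and reuse with heuristic freshness even when
# the response carries no explicit expiry (RFC 7231 section 6.1; 308 per
# RFC 7538). 302 and 307 are deliberately absent.
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status_code, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def cache_control_directives(headers):
    """Return {directive: value} from Cache-Control, names lowercased."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip().strip('"')
    return out


def redirect_cacheability(raw):
    """Classify how a browser cache may treat a redirect response.

    Returns one of:
      'not-cacheable'  - refetched every time, so it can be changed later
      'revalidate'     - stored, but checked with the server before reuse
      'explicit'       - reused until the stated max-age/Expires runs out
                         (an Expires already in the past is not modelled)
      'heuristic'      - reused for a cache-chosen time; a bare 301 sticks
    """
    code, headers = parse_response(raw)
    cc = cache_control_directives(headers)
    if "no-store" in cc:
        return "not-cacheable"
    if "no-cache" in cc or cc.get("max-age") == "0" or cc.get("s-maxage") == "0":
        return "revalidate"
    if "max-age" in cc or "s-maxage" in cc or "expires" in headers:
        return "explicit"
    if code in HEURISTICALLY_CACHEABLE:
        return "heuristic"
    return "not-cacheable"


# Constructed samples mirroring an http -> https redirect vhost.
SAMPLES = {
    "bare 301": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n",
    "bare 302": "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n",
    "302 with max-age": "HTTP/1.1 302 Found\r\nCache-Control: max-age=3600\r\nLocation: https://www.example.com/\r\n\r\n",
    "301 with no-store": "HTTP/1.1 301 Moved Permanently\r\nCache-Control: no-store\r\nLocation: https://www.example.com/\r\n\r\n",
    "bare 307": "HTTP/1.1 307 Temporary Redirect\r\nLocation: https://www.example.com/\r\n\r\n",
    "bare 308": "HTTP/1.1 308 Permanent Redirect\r\nLocation: https://www.example.com/\r\n\r\n",
}


def classify_samples():
    """Verdict for every constructed sample, keyed by its label."""
    return {name: redirect_cacheability(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18} -> {verdict}")
```

If a 301 is wanted for search engines but you still want the option to retract it, pairing the `return 301` with `add_header Cache-Control "no-store";` makes browsers refetch the redirect each time instead of reusing it for an unspecified period; the bare 301 is the case the first post describes as permanently cached.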
  8. eva2000

    eva2000 Administrator Staff Member

    I have no intention of doing this on this forum, but it's good to know :)
     
  9. BamaStangGuy

    BamaStangGuy Active Member

    We are about to do this for one site. The income hit is simply too much compared to any benefit SSL provides. Sad that security and income cannot go hand in hand.
     
  10. eva2000

    eva2000 Administrator Staff Member

    Shame indeed.

    Google Adsense should provide even more incentive for advertisers to be https / SSL compliant. Maybe I don't understand the whole picture, but for advertisers all they need to do is have https resolve to an SSL version of their ads; they don't even need to complicate things with a forced http to https redirect, so it doesn't even affect their sites if they are solely http non-https based.
     
  11. BamaStangGuy

    BamaStangGuy Active Member

    It is not only Google Adsense. OpenX, Sovrn, Gamut, Rubicon... all of the major players have this problem. :(
     
  12. eva2000

    eva2000 Administrator Staff Member

  13. BamaStangGuy

    BamaStangGuy Active Member

  14. eva2000

    eva2000 Administrator Staff Member

  15. eva2000

    eva2000 Administrator Staff Member

    @BamaStangGuy might be back on HTTPS/SSL after June 2015 Google Online Security Blog: Ads Take a Step Towards “HTTPS Everywhere” ?

     
  16. rdan

    rdan Well-Known Member

    Anybody using Cloudflare can set it up on CF itself :)
    (attached screenshot: upload_2015-6-5_11-38-4.png)
     
  17. eva2000

    eva2000 Administrator Staff Member

    Be careful with HSTS and Cloudflare: once enabled it can stay as long as max-age in users' browsers even if you disable it on Cloudflare's end. The problem comes when you disable SSL or move from Cloudflare.

    max-age=0 helps though if you're still on cloudflare before moving
     
  18. rdan

    rdan Well-Known Member

    Source? :facepalm:
     
  19. eva2000

    eva2000 Administrator Staff Member

    info from my SSL suppliers :)

    It applies when just moving off Cloudflare with https + HSTS enabled and leaving HSTS intact with its long max-age.
     
  20. rdan

    rdan Well-Known Member

    False, I think. I had it enabled for a few days this week.
    Then I decided to use HTTP again as default and HTTPS as an option, as I still have 10-15% XP users :/
    I don't have any problem really.