SSL How to remove SSL 301 permanent redirect ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Mar 4, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    I haven't done this personally myself on a live production site with an https to http switch. On a test site it's easy being the only visitor, just clear the browser's history, cache etc. Remove SSL and reboot the computer. But a live production site has visitors, and the SSL 301 permanent redirect is permanently cached in visitors' browsers, so when you remove SSL and remove the SSL 301 permanent redirect from http to https, visitors will still get redirected from http to https unless they also clear browser history, cache and reboot their systems.

    So curious how @RoldanLT did it to revert from https to http

    IIRC, you first set the HSTS TTL value to 0 in your SSL Nginx vhost server context?

    So from

    Code:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    to

    Code:
    add_header Strict-Transport-Security "max-age=0; includeSubdomains;";

    How long did you leave that in place for https connections until you removed SSL and the 301 permanent redirect from http to https?
     
  2. RoldanLT

    RoldanLT Well-Known Member

    I have had it in place since day one, when I reverted back from https to HTTP only.
    Until now the HTTPS server block is there but with "0" ZERO:

    Code:
    add_header Strict-Transport-Security "max-age=0; includeSubdomains;";
     
  3. RoldanLT

    My current config :)
    Code:
    server {
        listen 80;
        server_name phcorner.net;
        return 301 http://www.phcorner.net$request_uri;
    }

    server {
        listen 80;
        server_name www.phcorner.net;

        access_log off;
        log_not_found off;
        error_log /home/nginx/domains/phcorner.net/log/error.log;
        root /home/nginx/domains/phcorner.net/public;

        ### Start Xenforo
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data {
            location ~ \.(data|html|php)$ {
                add_header X-Frame-Options SAMEORIGIN;
                add_header X-Content-Type-Options nosniff;
                internal;
            }
            internal;
        }

        location /library {
            location ~ \.(default|html|php|txt|xml)$ {
                internal;
            }
            internal;
        }
        ### End Xenforo

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php_phc.conf;
        include /usr/local/nginx/conf/drop.conf;
    }

    server {
        listen 443 ssl spdy;
        server_name phcorner.net www.phcorner.net;
        keepalive_timeout 70;
        # Every HTTPS request is answered with a 301 back to http
        return 301 http://www.phcorner.net$request_uri;

        # max-age=0 tells browsers to drop any stored HSTS policy for this host;
        # add_header also applies to the 301 response above
        add_header Strict-Transport-Security "max-age=0";
        add_header X-Content-Type-Options "nosniff";
        add_header Alternate-Protocol 443:npn-spdy/3;

        ssl_certificate /usr/local/nginx/conf/ssl/positivessl/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/positivessl/www_phcorner_net.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:40m;
        ssl_session_timeout 60m;
        spdy_headers_comp 5;
        ssl_buffer_size 4k;
        ssl_session_tickets on;

        resolver 8.8.8.8 8.8.4.4 valid=900s;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/positivessl/ssl-trusted.crt;

        access_log off;
        log_not_found off;
        error_log /home/nginx/domains/phcorner.net/log/error.log;
        root /home/nginx/domains/phcorner.net/public;

        # Not reached: the server-level return above answers every request
        ### Start Xenforo
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data {
            location ~ \.(data|html|php)$ {
                add_header X-Frame-Options SAMEORIGIN;
                add_header X-Content-Type-Options nosniff;
                internal;
            }
            internal;
        }

        location /library {
            location ~ \.(default|html|php|txt|xml)$ {
                internal;
            }
            internal;
        }
        ### End Xenforo

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php_phc.conf;
        include /usr/local/nginx/conf/drop.conf;
    }
     
  4. eva2000

    Oh, I see: you permanent 301 redirected https to http in the SSL vhost server context container and set up a full non-https server context container for port 80 http connections.

    How did that initial go over with your visitors? They still needed to clear their browser caches etc.?
     
  5. RoldanLT

    eva2000 said:
    "how did that initial go over with your visitors ? they still needed to clear their browser caches etc ?"

    No, they don't need to do anything.
    They will just notice they are auto redirected back to http without any issues :)
     
  6. RoldanLT

    You can try it here for 1 day :D
    All users will not notice the forum will be using HTTP only :D
     
  7. eva2000

    nice good to know - this would be handy for folks wanting to go back from https to http :)

    I updated my SPDY SSL guide with 302 temp redirect for starters so folks can see if https is what they like. And only after they are sure should they change to 301 permanent redirects.
     
  8. eva2000

    have no intention on this forum.. but it's good to know :)
     
  9. BamaStangGuy

    BamaStangGuy Active Member

    We are about to do this for one site. The income hit is simply too much compared to any benefit SSL provides. Sad that security and income cannot go hand in hand.
     
  10. eva2000

    Shame indeed.

    Google Adsense should provide even more incentive for advertisers to be https / SSL compliant. Maybe I don't understand the whole picture, but for advertisers all they need to do is have https resolve to an SSL version of their ads - they don't even need to complicate things with a forced http to https redirect, so it doesn't even affect their sites if they are solely http non-https based.
     
  11. BamaStangGuy

    It is not only Google Adsense. OpenX, Sovrn, Gamut, Rubicon... all of the major players have this problem. :(
     
  15. eva2000

    @BamaStangGuy might be back on HTTPS/SSL after June 2015? Google Online Security Blog: Ads Take a Step Towards “HTTPS Everywhere”

     
  16. RoldanLT

    For anybody using Cloudflare, it can be set up on CF itself :)
     
  17. eva2000

    Be careful with HSTS and Cloudflare: once enabled, it can stay as long as max-age in users' browsers even if you disable it on Cloudflare's end. The problem comes when you disable SSL or move from Cloudflare.

    max-age=0 helps though if you're still on cloudflare before moving
     
  18. RoldanLT

    Source? :facepalm:
     
  19. eva2000

    info from my SSL suppliers :)

    It applies when just moving off Cloudflare with https + HSTS enabled and leaving HSTS intact with its long max-age.
     
  20. RoldanLT

    False I think, I have had it enabled for a few days this week.
    Then decided to use HTTP again as default and HTTPS as an option, as I still have 10-15% XP users :/
    I don't have any problem really.
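
Added example, not written by any poster in this thread: a small Python model of how a browser stores HSTS policy under RFC 6797, showing why the `max-age=0` header discussed above has to be served over working HTTPS before SSL is removed. The host name and the day-0 / day-1 / day-30 timeline are constructed assumptions.

```python
DAY = 86400
LONG = "max-age=31536000; includeSubdomains;"  # header quoted in the thread
ZERO = "max-age=0; includeSubdomains;"         # rollback header from the thread
HOST = "www.example.test"                      # constructed placeholder host

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None for an invalid header."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = (s.strip() for s in part.partition("="))
        if name.lower() == "max-age":
            if max_age is not None or not arg.strip('"').isdecimal():
                return None
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then parent domains
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def visit(self, scheme, host, now, https_works, header=None):
        """One page load; returns 'http', 'https' or 'blocked'."""
        if scheme == "http" and self.is_known(host, now):
            scheme = "https"  # upgraded inside the browser, port 80 never sees it
        if scheme == "https":
            if not https_works:
                return "blocked"  # TLS failure; HSTS allows no click-through
            policy = parse_hsts(header) if header else None
            if policy:  # max-age=0 stores an already expired entry (a delete)
                self.hosts[host.lower()] = (now + policy[0], policy[1])
        return scheme  # HSTS headers received over plain http are ignored

def rollback(serve_zero_first, return_day=30):
    """Visitor pins the host on day 0; HTTPS is switched off before return_day."""
    browser = HstsStore()
    browser.visit("https", HOST, 0, True, LONG)
    if serve_zero_first:  # HTTPS block still up, now sending max-age=0
        browser.visit("http", HOST, 1 * DAY, True, ZERO)
    return browser.visit("http", HOST, return_day * DAY, False)
```

`rollback(True)` ends on plain http, while `rollback(False)` stays blocked until the original one-year max-age runs out. A visitor who does not come back while `max-age=0` is being served keeps the old entry, which is the case for leaving the HTTPS server block in place.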