
SSL How to remove SSL 301 permanent redirect ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Mar 4, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    42,777
    9,682
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,940
    Local Time:
    3:17 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    max-age set when HSTS enabled ?
     
  2. rdan

    rdan Well-Known Member

    4,788
    1,149
    113
    May 25, 2014
    Ratings:
    +1,720
    Local Time:
    1:17 AM
    Mainline
    10.2
    Yes, 6 months as maximum on Cloudflare.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Did you at all clear browser caches/reboot system on your end between switching on/off HSTS and https? That would have cleared it for you but maybe not visitors.
     
  4. rdan

    rdan Well-Known Member

    No, I didn't clear browser cache (intended to test as if I'm a normal user/visitor).
    I have 3 browsers open to test that it will not mess things up between switching.
    I even tested it on 3 browsers on my phone before and after, still without clearing browser cache.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Also, are you using Cloudflare full strict SSL or free flexible SSL? The HSTS issue only applies to free/flexible SSL as it uses Cloudflare's own internal CA certificate so it's untrusted in visitors' browsers. Whereas Full Strict presents visitors with your origin's SSL cert CA for checking.
    strange then.. could mean HSTS ain't working right on Cloudflare
     
  6. rdan

    rdan Well-Known Member

    Full SSL.
     
  7. eva2000

    eva2000 Administrator Staff Member

    you have to wonder if HSTS is working on Cloudflare then as it's not meant to do that - browser should see HSTS and max-age and respect it for max-age time

    Enforce Web Policy with HTTP Strict Transport Security (HSTS)

     
  8. eva2000

    eva2000 Administrator Staff Member

    ooh found that Chrome can delete HSTS cache/domains via chrome://net-internals/#hsts and Opera opera://net-internals/#hsts

     
  9. rdan

    rdan Well-Known Member

    Maybe you forgot, I have HTTPS still open, not redirected back to HTTP :)
    Just HTTP as my forum default URL now, and HTTPS is still open for those who want.
     
  10. eva2000

    eva2000 Administrator Staff Member

    ah maybe why
     
  11. rdan

    rdan Well-Known Member

    And to add, when I tried to force a redirect of all requests back to HTTP only with a 301 in my nginx config,
    all browsers still work but Chrome has a redirect loop, not sure if it's a problem or my browser still caches Cloudflare's old HSTS (I don't want to clear any cache, to simulate normal visitors :D).
    So in order to fix something like that I opened up HTTPS and left it as an option :)
    Haven't had any complaints until now :).
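
Added example, not part of the original thread: a toy model of a browser HSTS cache, showing how a still-valid cached policy combined with an HTTPS-to-HTTP 301 produces the kind of redirect loop described in post 11, why leaving HTTPS open avoids it, and how serving `max-age=0` over HTTPS clears the policy. The host `forum.example`, the 180-day value and the four server function names are constructed for illustration.

```python
import re

SIX_MONTHS = 15552000  # constructed sample: 180 days in seconds

def max_age(sts):
    """Extract max-age (seconds) from a Strict-Transport-Security value."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)', sts, re.I)
    return int(m.group(1)) if m else None

class Browser:
    """Toy user agent that keeps an HSTS cache: host -> expiry time."""
    def __init__(self):
        self.hsts = {}

    def fetch(self, url, server, now, max_hops=10):
        for _ in range(max_hops):
            scheme, host = url.split("://", 1)
            if scheme == "http" and self.hsts.get(host, 0) > now:
                url = "https://" + host          # internal upgrade, never hits the network
                continue
            status, headers = server(scheme, host)
            age = max_age(headers.get("Strict-Transport-Security", ""))
            if scheme == "https" and age is not None:  # header is ignored over plain HTTP
                if age == 0:
                    self.hsts.pop(host, None)    # max-age=0 deletes the cached policy
                else:
                    self.hsts[host] = now + age
            if status != 301:
                return url
            url = headers["Location"]
        return "LOOP"

# Four origin configurations (hypothetical names); each returns (status, headers).
def enforcing(scheme, host):       # HTTPS forced, HSTS on
    if scheme == "http":
        return 301, {"Location": "https://" + host}
    return 200, {"Strict-Transport-Security": f"max-age={SIX_MONTHS}"}
def forced_http(scheme, host):     # post 11: 301 everything back to HTTP
    return (301, {"Location": "http://" + host}) if scheme == "https" else (200, {})
def optional_https(scheme, host):  # the workaround: both schemes answer, no redirect
    return 200, {}
def withdrawing(scheme, host):     # HTTPS stays up and sends max-age=0
    return 200, ({"Strict-Transport-Security": "max-age=0"} if scheme == "https" else {})

if __name__ == "__main__":
    b = Browser()
    b.fetch("http://forum.example", enforcing, now=0)
    print(b.fetch("http://forum.example", forced_http, now=3600))
```

A browser that never cached the policy follows the 301 to HTTP normally, which matches only some browsers looping; visitors who did cache it keep upgrading to HTTPS until `max-age` expires or they receive `max-age=0` over HTTPS.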
     
  12. eva2000

    eva2000 Administrator Staff Member

    yeah leaving HTTPS accessible but without forced redirect to HTTPS is a nice workaround
     
  13. rdan

    rdan Well-Known Member

    :D
     
  14. rdan

    rdan Well-Known Member

  15. eva2000

    eva2000 Administrator Staff Member

    guess they're still not ready over at Google?
     
  16. rdan

    rdan Well-Known Member

    Looks like.
    RPM and CPC drop a lot after switching to HTTPS.
     
  17. Chris

    Chris Premium Member Premium Member

    44
    9
    8
    Feb 27, 2015
    Ratings:
    +13
    Local Time:
    12:17 PM
    1.7
    10
    Just wanted to follow up...a lot of ads break my SSL...and don't display which is incredibly sad.
    I like the idea of forcing http, and allowing https, have you seen any backlash?