-1

I am a bit new to this so pls bear with me ... in the company policy, all machines in the domain are forced to use SSL (CGP forces this in Chrome).. however it works for some sites and for some it's not applied ... that confuses me

I have this server - let's say 1.2.3.4 (IP) with the DNS name zipkin.company.com .. the app is running on the port 9411 ...

when I try to access the app via "zipkin.company.com:9411" in Chrome, it automatically redirects to https:// protocol and since the app is not running on that protocol (ssl is not enabled there) it fails ....

however, when I try to access the app via IP (1.2.3.4:9411) I can access it without any problem ...

why the DNS (not really DNS but the domain itself) is forcing HTTPS in Chrome? When I use another browser (in which my company is not enforcing the HTTPS -> Brave Browser) it works great even with the DNS name directly ....

So it seems it's something in the Chrome.. is there any way I can bypass that? Disabling it in the "chrome://net-internals/#hsts" doesn't work for I guess it's being overridden by the company policy upon next logon .. moreover, we cannot force all users (thousands) to do this :) that's not feasible

any guess what I can do? thx

Mr.P
  • That's not a DNS. DNS can't possibly force any "redirects". That's probably because Chrome developers think everybody must have HTTPS. They don't accept a "no" answer. That's life. Configure a HTTPS to fix that. – Nikita Kipriyanov Jan 18 '21 at 13:24
  • Please check detailed events in Chrome Developer tools Network tab to see which entity makes the redirect to HTTPS. – Tero Kilkanen Jan 18 '21 at 19:58
  • @NikitaKipriyanov I know it's not DNS .. wrong term used .. what made me confused is why IP address is not being forwarded to HTTPS but the domain name is .. I blame Chrome too :( – Mr.P Jan 19 '21 at 13:58
  • @TeroKilkanen lemme check that – Mr.P Jan 19 '21 at 13:59
  • @TeroKilkanen hi .. I checked that .. when accessing via IP:9411 it redirects to the application home path -> IP:9411/zipkin/ which is ok .. and in the network (under chrome dev tools) I see "zipkin/" -> HTTP 200 ... however, when accessing by domain name zipkin.company.com:9411 it again redirects to the home path -> zipkin.homecredit.ph:9411/zipkin/ but now the network for this path says "zipkin/" -> HTTP 304 and won't load – Mr.P Jan 21 '21 at 06:41

2 Answers

0

The DNS does not work in that way. The DNS is only able to give you an IP address or CNAME as a reply.

The protocol change is a matter of the web server's reply. Try checking the DNS reply for the domain: zipkin.company.com

Koma
  • In other words, the redirect is probably configured in your web server. – tripleee Jan 18 '21 at 09:37
  • well the catch is that the application is running on its own webserver (armeria) .. because zipkin is a java application and when started, you can access its UI via that port ... there is no apache, nginx, .... why the IP does not forward but domain name does? On top of that, zipkin is not configured to run in SSL mode - so it doesn't make sense that it would do the redirect.... what actually goes against your proposition, how come other browsers do NOT force the SSL - only chrome does? meaning: "http://zipkin.company.com" works great in non-chrome browsers but in chrome it redirects to SSL – Mr.P Jan 18 '21 at 09:43
  • @Koma I know DNS only translates to IP .. what I am trying to grasp is that how come http://1.2.3.4:9411 works fine in all browsers ... including Chrome ... but http://zipkin.company.com:9411 does not work in Chrome (it tries to redirect it to HTTPS) but works fine in other browsers and gets you to the app as expected – Mr.P Jan 18 '21 at 09:49
  • As this is a corporate administered browser (as I understand), there may be some setting or extension like "HTTPS Everywhere" set in Chrome to force switching all HTTP URLs to HTTPS. Either by error or by design, it may force it only for domain names, but not for IP addresses. – raj Jan 19 '21 at 16:11
  • Also look at this thread on SuperUser: https://superuser.com/questions/565409/how-to-stop-an-automatic-redirect-from-http-to-https-in-chrome - maybe something there will help you... – raj Jan 19 '21 at 16:22
  • thx @raj I checked that before too but that doesn't help for the custom HSTS gets overridden by the CGP :( – Mr.P Jan 20 '21 at 18:08
  • What is CGP, as I couldn't find the explanation of this acronym anywhere? Is it something that enforces some settings on Chrome? Well, then it may be just that enforcing switching HTTP to HTTPS... – raj Jan 20 '21 at 18:09
0

Looks like your company policy enforces an automatic switch of http:// URLs to https:// in Chrome.

Either because of a bug in the code that does that, or by design, the switch occurs only when you use a domain address in the URL and not when you use the IP address.

If browsers other than Chrome (that are not managed by your company) behave OK - as you write - then the solution is simple: use another browser.

If that's not possible, and if you have access to the machine zipkin.company.com and if you are OK with accessing the application on a different port (say, 9412 instead of 9411), then install stunnel on that machine and use it to create an SSL-enabled port 9412 which will then forward the unencrypted traffic to port 9411.

raj
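
The stunnel setup suggested in the answer above, written out as an added example that is not part of the original answer. The config file name, the service name `zipkin-tls` and the certificate and key paths are assumptions; the ports and host name are the ones used on this page.

```ini
; /etc/stunnel/zipkin.conf  (file name is an assumption)
; Constructed example: a TLS listener on 9412 in front of the
; plain-HTTP Zipkin UI that already listens on 9411.

[zipkin-tls]
; Server mode: stunnel terminates TLS and speaks plain TCP to the backend.
client = no

; Port the browsers connect to, i.e. https://zipkin.company.com:9412/
accept = 9412

; Zipkin's existing unencrypted listener on the same machine.
connect = 127.0.0.1:9411

; Refuse protocol versions older than TLS 1.2 (needs a recent stunnel 5.x).
sslVersionMin = TLSv1.2

; Placeholder paths. The certificate has to name zipkin.company.com and
; chain to a CA the managed Chrome installations trust; otherwise users
; get a certificate error instead of the failed connection.
cert = /etc/stunnel/zipkin.company.com.crt
key = /etc/stunnel/zipkin.company.com.key
```

With this in place the forced switch to https:// lands on a port that actually speaks TLS, and Zipkin itself stays unchanged on 9411.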