
I have two sites on two different web servers (NGINX & nodejs) on my CentOS server.
In my NGINX config, I have set http://example.com to be redirected permanently to https://example.com.
On the other side, the URL http://example.com:8080 is handled by nodejs and is not redirected anywhere.

Scenario

When I request http://example.com in my browser (Chrome, Firefox or Safari), it is redirected to https://example.com and this is OK. When I enter http://example.com:8080, it is also redirected to https://example.com:8080 and this is not correct.

When I clear the browser cache, the URL http://example.com:8080 works correctly, but after entering http://example.com, the URL http://example.com:8080 is redirected to HTTPS again. Can anyone help me with this issue?

Ghasem Pahlavan

1 Answer

You are probably experiencing what is defined by the HTTP Strict Transport Security (HSTS) specification.

You need to check the response to the https://example.com request. It probably contains a Strict-Transport-Security header, which instructs the browser to rewrite all URIs of example.com domain requests to use the secure scheme. Relevant excerpt from the 8.3. URI Loading and Port Mapping section of the HTTP Strict Transport Security (HSTS) specification:

The UA MUST replace the URI scheme with "https" [RFC2818], and if the URI contains an explicit port component of "80", then the UA MUST convert the port component to be "443", or

if the URI contains an explicit port component that is not equal to "80", the port component value MUST be preserved; otherwise,

if the URI does not contain an explicit port component, the UA MUST NOT add one.

NOTE: These steps ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS Host.

NOTE: In the case where an explicit port is provided (and to a lesser extent with subdomains), it is reasonably likely that there is actually an HTTP (i.e., non-secure) server running on the specified port and that an HTTPS request will thus fail (see item 6 in Appendix A ("Design Decision Notes")).

For more information check the Strict-Transport-Security MDN page.

Leonid Vasilev
Wow, it worked. Thanks a lot @Leonid. I removed `add_header Strict-Transport-Security max-age=15768000` from *NGINX* and it worked. – Ghasem Pahlavan Jan 21 '17 at 09:28
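As an added illustration of the port-mapping rules quoted in the answer (this is example code, not from the question, the answer or any browser), the functions below parse a Strict-Transport-Security header into a Known HSTS Host entry and then apply the section 8.3 rewrite to a URL, so you can see that http://example.com:8080 keeps its port but still switches to https, while a host that never sent the header is left alone. The host list and URLs are constructed for the example.

```javascript
// Added example: HSTS header parsing and RFC 6797 section 8.3 URI rewriting.
// Not browser code; a minimal model of what the browser does after it has
// seen a Strict-Transport-Security header from https://example.com.

// Turn one Strict-Transport-Security header value into a Known HSTS Host
// entry. Returns null when the header is invalid (no max-age) or when
// max-age=0, which tells the browser to forget the host instead.
function parseStsHeader(host, headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const [name, value] = raw.trim().split('=').map(s => s && s.trim());
    if (!name) continue;
    const v = value === undefined ? '' : value.replace(/^"(.*)"$/, '$1'); // unquote
    const n = name.toLowerCase();
    if (n === 'max-age' && /^\d+$/.test(v)) maxAge = Number(v);
    else if (n === 'includesubdomains') includeSubDomains = true;
  }
  if (maxAge === null || maxAge === 0) return null;
  return { host: host.toLowerCase(), maxAge, includeSubDomains };
}

// Apply the "URI Loading and Port Mapping" rules to a URL string, given the
// list of Known HSTS Hosts. The port is read from the raw string because the
// spec distinguishes an explicit ":80" from no port at all.
function applyHstsRewrite(urlString, knownHstsHosts) {
  const m = /^http:\/\/([^/:?#]+)(?::(\d+))?(.*)$/i.exec(urlString);
  if (!m) return urlString;                       // not plain http: nothing to rewrite
  const [, host, port, rest] = m;
  const h = host.toLowerCase();
  const covered = knownHstsHosts.some(e =>
    h === e.host || (e.includeSubDomains && h.endsWith('.' + e.host)));
  if (!covered) return urlString;                 // no HSTS policy for this host

  let newPort;
  if (port === undefined) newPort = '';           // no explicit port: MUST NOT add one
  else if (port === '80') newPort = ':443';       // explicit 80 is mapped to 443
  else newPort = ':' + port;                      // any other explicit port is preserved
  return `https://${host}${newPort}${rest}`;
}

// Constructed scenario from the question: the asker's nginx header value.
const knownHosts = [parseStsHeader('example.com', 'max-age=15768000')];
console.log(applyHstsRewrite('http://example.com:8080/', knownHosts)); // https://example.com:8080/
```

Once the entry exists, the browser never contacts port 8080 over plain HTTP again until max-age expires, which is why clearing the cache "fixed" it only until the next visit to https://example.com.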