1.1.1.1 incorrectly forcing https for entries in local hosts file

After Comcrashed has had several major DNS outages over the past weeks, I switched DNS on my LAN router to use 1.1.1.1 and 1.0.0.1. This works fine for external sites, but now when I try to load (e.g.) dev.mynewdomain.com in my local browser (configured on my local computer in the hosts file and using Apache vhosts) the browser (Chrome, others) forces the switch to https:// in the URL bar, and of course this is unusable unless I set up a local self-signed SSL, which is completely useless and a major waste of time when dealing with literally hundreds of local projects.

How to fix? Thanks.

Please do not suggest setting up a certificate; this is not a practical or useful solution. I am looking for a way to stop this unnecessary and unwanted redirect.

Setting up a certificate for localhost is one way to do it; you can disable the ‘untrusted cert’ warnings in Chrome via chrome://flags/#allow-insecure-localhost and use a single bad cert across all of your local domains.

Aside from that, 1.1.1.1/Cloudflare isn’t the reason your browser is forced to HTTPS. Rather, this happens either because you have HSTS set up with includeSubDomains, or because you at one point loaded HTTPS on that subdomain (browsers really want to prevent HTTP downgrades).

If you want to see if HSTS is the problem, go to chrome://net-internals/#hsts and clear both the root domain (example.com) and the subdomain (dev.example.com) and see if it works, without going to the root. This won’t work if you’ve submitted the website via hstspreload.org.

4 Likes
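The HSTS behaviour described in the reply above, as an added example that is not part of the original thread: a small model of a browser's HSTS store, showing why a hosts-file entry (which only changes the address a name resolves to) does not stop the upgrade to HTTPS. The function names, the `example.com` hosts and the header values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) at which the policy lapses
    include_subdomains: bool

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None                   # malformed header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def note_header(store, host, header, now):
    """Record the policy as a browser would after an HTTPS response from host."""
    parsed = parse_sts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    host = host.lower().rstrip(".")
    if max_age == 0:
        store.pop(host, None)                 # max-age=0 removes the stored policy
    else:
        store[host] = HstsEntry(now + max_age, include_sub)

def upgrade_reason(store, host, now):
    """Return the stored host whose policy forces HTTPS for host, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])      # the host itself, then each parent
        entry = store.get(candidate)
        if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
            return candidate
    return None

if __name__ == "__main__":
    store = {}  # constructed scenario: the root domain was once visited over HTTPS
    note_header(store, "example.com", "max-age=31536000; includeSubDomains", now=0)
    # The lookup is keyed on the hostname only; DNS or hosts-file results play no part.
    print(upgrade_reason(store, "dev.example.com", now=60))
```

The lookup walks from the requested host up through its parent domains, which is why the reply says to clear both the root domain and the subdomain.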

It’s definitely not HSTS, tried all that already. My Cloudflare SSL settings are configured to force HTTPS (“Always Use HTTPS”) for the shared Cloudflare Universal SSL certificate on *.mynewdomain.com and mynewdomain.com. This works fine as long as I’m not using the 1.1.1.1 DNS and I am able to override for dev.mydomain.com with a hosts file entry - but for some reason with the 1.1.1.1 DNS (set on the local router) it will process the forced https and override the local hosts directive.