Allow HTTP only on a subdomain

I am trying to configure Azure AD Certificate Based Authentication (CBA). It requires our CRL to be available publicly over HTTP. HSTS is enabled and our domain is HSTS preloaded. I wanted to leverage Tunnels to connect and serve the CRL at

Can I do this with a page rule or something similar to allow this one page to be loaded via HTTP (if so, any guidance)? Any concerns with creating a Tunnel private URL to the existing internal CRL location?

Does your HSTS header include subdomains? If so, then there’s really nothing you can do here unfortunately, and you’ll have to find a way to work solely with HTTPS.

If it doesn’t include subdomains, then you should be able to access that content over HTTP fine, as long as you don’t have anything configured to automatically redirect from HTTP to HTTPS.
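The check described in the reply above, as an added example that is not part of the original thread: it parses `Strict-Transport-Security` values and applies the RFC 6797 host-matching rule to tell whether an HSTS-aware client would force HTTPS for a subdomain. The host names `example.com` and `crl.example.com` and the header values are constructed placeholders.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        # Directive names are case-insensitive; max-age may be a quoted string.
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":  # preload-list token, not defined by RFC 6797
            policy["preload"] = True
    return policy

def upgraded_to_https(host, known_policies):
    """Return the policy host that forces HTTPS for `host`, or None.

    known_policies maps a host name to the HSTS header value it served,
    standing in for a client's HSTS store (or a preload list entry).
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Check the host itself, then each parent domain (stop before the TLD).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        header = known_policies.get(candidate)
        if header is None:
            continue
        policy = parse_hsts(header)
        if not policy["max_age"]:  # missing or max-age=0: no active policy
            continue
        # A parent's policy applies only when it carries includeSubDomains.
        if candidate == host or policy["include_subdomains"]:
            return candidate
    return None

# Constructed sample policies for the two cases in the reply.
APEX_ONLY = {"example.com": "max-age=31536000"}
WITH_SUBS = {"example.com": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, store in (("apex only", APEX_ONLY), ("includeSubDomains", WITH_SUBS)):
        hit = upgraded_to_https("crl.example.com", store)
        print(f"{label}: http://crl.example.com ->", f"forced to HTTPS by {hit}" if hit else "plain HTTP possible")
```
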

