I want to keep http connection, but forced to https. Why?


#1

I am running these 3 sites under coupe-baguette.com

As you can see the first one is using https, but the others are using http because they were running on tumblr.com and thebase.in .

They were running fine several hours ago, but now I cannot open the http ones. For example, when I open http://blog.coupe-baguette.com , I am getting the following error page:

It shows the URL https://blog.coupe-baguette.com , so it seems to be redirected from http to https, but I have no idea why. I did not change any settings recently.

My Crypt setting is like this:

I have been using Cloudflare’s SSL for several months.

Is there anyone who can fix this problem? I would appreciate any help.


#2

It doesn’t appear that traffic is going through Cloudflare. The responses in public DNS return the origin, not the address of a Cloudflare proxy.

You may want to check to see if the sites were inadvertently gray clouded in the DNS portion of your admin console if they were intended to go through Cloudflare.


#3

I found this error is not related to Cloudflare.

I updated the site https://coupe-baguette.com from Rails 5.0 to 5.1. In this update, Rails starts to add an HSTS header with the includeSubDomains option.

So http://blog.coupe-baguette.com and http://shop.coupe-baguette.com were forced to use an https connection. This is the root cause.


#4

HSTS is the most stringent setting ever for HTTPS. It instructs the browser to serve requests only over HTTPS for a particular max-age value. To take it down, you may keep max-age=0.


#5

You probably want to take that preload directive out as well. Otherwise someone could easily request that your site is added to the HSTS preload list and then you’d be in real trouble. The only check prior to addition once requested is the presence of that header, as that implies the webmaster’s consent (although other minor config mishaps could prevent the site’s inclusion, but you’re just relying on luck if you think that would save you).
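
The effect described in posts #3 to #5, as an added example that is not part of the original thread: a small Ruby check that parses a `Strict-Transport-Security` header and reports which hosts a browser would pin to HTTPS after receiving it from the apex domain. The function names and the header values are constructed for illustration; the thread does not show the actual header.

```ruby
# Added example: parse a Strict-Transport-Security header (RFC 6797) and
# report which hosts a browser would force onto HTTPS after seeing it.
HstsPolicy = Struct.new(:max_age, :include_subdomains, :preload)

def parse_hsts(header)
  policy = HstsPolicy.new(nil, false, false)
  header.split(";").map(&:strip).reject(&:empty?).each do |directive|
    name, value = directive.split("=", 2).map(&:strip)
    case name.downcase
    when "max-age"
      digits = value.to_s.delete('"')
      policy.max_age = Integer(digits, 10) if digits.match?(/\A\d+\z/)
    when "includesubdomains" then policy.include_subdomains = true
    when "preload"           then policy.preload = true
    end
  end
  policy.max_age.nil? ? nil : policy # max-age is required; without it the header is ignored
end

# Returns the entries of `hosts` that the policy sent by `issuer` pins to HTTPS.
def forced_https_hosts(issuer, header, hosts)
  policy = parse_hsts(header)
  return [] if policy.nil? || policy.max_age.zero? # max-age=0 removes the policy
  hosts.select do |h|
    h = h.downcase
    h == issuer || (policy.include_subdomains && h.end_with?(".#{issuer}"))
  end
end

def warnings(header)
  policy = parse_hsts(header)
  return ["header has no valid max-age and is ignored"] if policy.nil?
  out = []
  out << "includeSubDomains covers every subdomain, including HTTP-only ones" if policy.include_subdomains
  out << "preload signals consent to preload-list submission" if policy.preload
  out << "max-age=0 tells browsers to drop the cached policy" if policy.max_age.zero?
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header values; the thread does not show the real ones.
  sites = %w[coupe-baguette.com blog.coupe-baguette.com shop.coupe-baguette.com]
  ["max-age=15552000; includeSubDomains", "max-age=15552000", "max-age=0"].each do |hdr|
    puts "#{hdr.inspect} -> #{forced_https_hosts(sites.first, hdr, sites).inspect}"
    warnings(hdr).each { |w| puts "  note: #{w}" }
  end
end
```

In a Rails app that sets `config.force_ssl = true`, the subdomain directive can be switched off with `config.ssl_options = { hsts: { subdomains: false } }`. Browsers that already cached the wider policy keep it until they receive a new header from the apex host or the old max-age runs out.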