Main site https, subdomain http

Bhooks · September 24, 2019, 6:15am

I know there have been several topics about this, but I just can’t make it work:

“A” record example.com to IP
“A” record nohttps.example.com to same IP
both proxied.
Encryption full (strict)
Page rule “nohttps.example.com/DirectDownload/*” --> SSL OFF

This works fine after clearing the browser & HSTS cache. When I visit e.g. https://nohttps.example.com/DirectDownload/helloworld I get redirected to http. But after visiting my main site, I get a redirect loop on this same url from HSTS trying to bring me onto https.

So what I’m probably looking for is a way to tell cloudflare to exclude “nohttps.example.com/DirectDownload/*” (or the subdomain alone, I don’t care) from its hosts. How can I do that?

Thanks for your help!

sandro · September 24, 2019, 7:56am

Is the following off?

If not, it will instruct the browser to always use HTTPS.

Generally, you should avoid HSTS if you still plan to use HTTP for certain hosts.

Bhooks · September 24, 2019, 6:23am

Hi sandro, thanks for your answer!
I don’t think I have it even enabled…

Oh, I wasn’t aware of that. Why should I avoid hsts if there’s even a setting to exclude subdomains…? Do you happen to have a link I can read?

sandro · September 24, 2019, 7:54am

Didnt you just say HSTS was bringing you back onto HTTPS?

The page rule configures how Cloudflare connects to your origin for that particular host (and whether it redirects HTTPS to HTTP), not what the browser does.

What about the Always-use-HTTPS setting?

Can you post a screenshot of your page rules and of your Crypto screen?

Bhooks · September 24, 2019, 7:56am

Yes I did. And I am just as confused as you are, haha.
So: All I see is a redirect loop with 301 https->http (server: cloudflare, which is as expected) and 307 http->https (hsts):

It clearly says it.

So if it’s not cloudflare… and it’s also not asp.net core (I commented everything out that touches hsts)… then it’s nginx?

add_header Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”;

Yep

So, solution found! BUT:
I still don’t understand this sentence:

But I have a feeling that I should.
So let’s say I would leave this hsts setting in nginx and just remove the includeSubdomains part. What’s bad about this?

Thanks, always eager to learn!

sandro · September 24, 2019, 6:52am

In that case it should work, but HSTS always is tricky, especially if you do plan to use HTTP. You need to exactly know what you are doing when using HSTS, otherwise you might have an inaccessible site.

Bhooks · September 24, 2019, 6:56am

Hmm well I have other subdomains where I’d welcome hsts, such as images.example.com. Yeah, it’s going to be tricky. I mean, I can still just use hsts with a much shorter duration, and won’t preload it (also simply because I wouldn’t fulfill the requirements).
Should I be concerned about hsts affecting my subdomains? Or, even better, can I select which subdomains should apply hsts and which ones shouldn’t?

sandro · September 24, 2019, 6:58am

AFAIK this is not possible. If you specify “includeSubDomains” it will be applied to all.

Bhooks · September 24, 2019, 7:53am

Alright. Well, thanks for your time sandro! Very much appreciated!

system · October 24, 2019, 6:15am

This topic was automatically closed after 30 days. New replies are no longer allowed.