Main site https, subdomain http

I know there have been several topics about this, but I just can’t make it work:

This works fine after clearing the browser & HSTS cache. When I visit e.g. https://nohttps.example.com/DirectDownload/helloworld I get redirected to http. But after visiting my main site, I get a redirect loop on this same url from HSTS trying to bring me onto https.

So what I’m probably looking for is a way to tell cloudflare to exclude “nohttps.example.com/DirectDownload/*” (or the subdomain alone, I don’t care) from its hosts. How can I do that?

Thanks for your help!

Is the following off?


If not, it will instruct the browser to always use HTTPS.

Generally, you should avoid HSTS if you still plan to use HTTP for certain hosts.

Hi sandro, thanks for your answer!
I don’t think I have it even enabled…

Oh, I wasn’t aware of that. Why should I avoid hsts if there’s even a setting to exclude subdomains…? Do you happen to have a link I can read?

Didn't you just say HSTS was bringing you back onto HTTPS?

The page rule configures how Cloudflare connects to your origin for that particular host (and whether it redirects HTTPS to HTTP), not what the browser does.

What about the Always-use-HTTPS setting?

Can you post a screenshot of your page rules and of your Crypto screen?


Yes I did. And I am just as confused as you are, haha.
So: All I see is a redirect loop with 301 https->http (server: cloudflare, which is as expected) and 307 http->https (hsts):


It clearly says it.

So if it’s not cloudflare… and it’s also not asp.net core (I commented everything out that touches hsts)… then it’s nginx?

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Yep :sweat_smile:

So, solution found! BUT:
I still don’t understand this sentence:

But I have a feeling that I should.
So let’s say I would leave this hsts setting in nginx and just remove the includeSubdomains part. What’s bad about this?

Thanks, always eager to learn!

In that case it should work, but HSTS is always tricky, especially if you do plan to use HTTP. You need to know exactly what you are doing when using HSTS, otherwise you might have an inaccessible site.


Hmm well I have other subdomains where I’d welcome hsts, such as images.example.com. Yeah, it’s going to be tricky. I mean, I can still just use hsts with a much shorter duration, and won’t preload it (also simply because I wouldn’t fulfill the requirements).
Should I be concerned about hsts affecting my subdomains? Or, even better, can I select which subdomains should apply hsts and which ones shouldn’t?

AFAIK this is not possible. If you specify “includeSubDomains” it will be applied to all.

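The scoping rule discussed in this thread, as an added example that is not code from the thread or from Cloudflare: a small parser for the Strict-Transport-Security header that decides whether a policy a browser cached from one host covers a request to another host. The function names and the host names used in the sample are assumptions for illustration.

```python
"""Decide whether a cached HSTS policy applies to a given host.

Added example (not from the thread). Follows the RFC 6797 scoping rules:
a policy set by a host covers that exact host, covers its subdomains only
when includeSubDomains is present, and max-age=0 clears the entry.
"""
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":    # matches "includeSubdomains" too
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_applies(policy_host: str, header: str, request_host: str) -> bool:
    """True if a browser that cached `header` from `policy_host` forces HTTPS
    for `request_host` (hosts compared case-insensitively)."""
    policy = parse_hsts(header)
    if policy.max_age == 0:
        return False                         # max-age=0 removes the policy
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy_host)


# Constructed sample: the header the nginx line in this thread sends.
NGINX_HEADER = "max-age=63072000; includeSubdomains; preload"
```

With the header as posted, a visit to example.com makes the browser force HTTPS on nohttps.example.com; dropping includeSubdomains restricts the policy to example.com itself.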

Alright. Well, thanks for your time sandro! Very much appreciated!
