This works fine after clearing the browser & HSTS cache. When I visit e.g. https://nohttps.example.com/DirectDownload/helloworld I get redirected to http. But after visiting my main site, I get a redirect loop on this same url from HSTS trying to bring me onto https.
So what I’m probably looking for is a way to tell Cloudflare to exclude “nohttps.example.com/DirectDownload/*” (or the subdomain alone, I don’t care) from its hosts. How can I do that?
Didn't you just say HSTS was bringing you back onto HTTPS?
The page rule configures how Cloudflare connects to your origin for that particular host (and whether it redirects HTTPS to HTTP), not what the browser does.
What about the Always-use-HTTPS setting?
Can you post a screenshot of your page rules and of your Crypto screen?
Yes I did. And I am just as confused as you are, haha.
So: All I see is a redirect loop with 301 https->http (server: cloudflare, which is as expected) and 307 http->https (hsts):
So, solution found! BUT:
I still don’t understand this sentence:
But I have a feeling that I should.
So let’s say I would leave this hsts setting in nginx and just remove the includeSubdomains part. What’s bad about this?
In that case it should work, but HSTS always is tricky, especially if you do plan to use HTTP. You need to exactly know what you are doing when using HSTS, otherwise you might have an inaccessible site.
Hmm well I have other subdomains where I’d welcome hsts, such as images.example.com. Yeah, it’s going to be tricky. I mean, I can still just use hsts with a much shorter duration, and won’t preload it (also simply because I wouldn’t fulfill the requirements).
Should I be concerned about hsts affecting my subdomains? Or, even better, can I select which subdomains should apply hsts and which ones shouldn’t?
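The loop discussed in this thread can be reproduced with a small model of a browser's HSTS store. This is an added example, not code from any poster or from Cloudflare; the class and function names and the max-age values are constructed for illustration, and the edge is assumed to answer every HTTPS request with a 301 to HTTP, as the page rule in the thread does.

```python
import time

class HSTSStore:
    """Per-host HSTS policies as a browser keeps them (RFC 6797 matching)."""
    def __init__(self):
        self.policies = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def note_header(self, host, value, now=None):
        """Record a Strict-Transport-Security header received over HTTPS."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.strip().lower() == "max-age":
                max_age = int(arg.strip().strip('"'))
            elif name.strip().lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                      # max-age is mandatory; ignore the header
        if max_age == 0:
            self.policies.pop(host.lower(), None)   # max-age=0 deletes the policy
        else:
            self.policies[host.lower()] = (now + max_age, include_sub)

    def must_upgrade(self, host, now=None):
        """True if the host itself, or a parent with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

def final_scheme(store, host, hops=6):
    """Start at https://host: the edge answers https with a 301 to http (the
    thread's page rule); the browser turns http into https (307) for HSTS hosts."""
    scheme = "https"
    for _ in range(hops):
        if scheme == "https":
            scheme = "http"             # 301 https -> http from the edge
        elif store.must_upgrade(host):
            scheme = "https"            # 307 http -> https from the HSTS store
        else:
            return "http"               # request goes out over plain HTTP
    return "loop"

def scenario(apex_header, host="nohttps.example.com"):
    store = HSTSStore()
    store.note_header("example.com", apex_header)   # header seen on the main site
    return final_scheme(store, host)
```

A subdomain cannot opt out of a parent's includeSubDomains policy with its own header, so per-subdomain HSTS means dropping the directive at the parent and sending the header from each host that should have it.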