I have a website which I am currently working on - it opens and works good. Earlier I used to directly point it to my IP, so it handled well on older browsers - HTTP on old browsers, HTTPS on new browsers - simple nginx logic I copied from the internet. (If new browser, redirect to HTTPS port 443, else handle on port 80)
Today, I decided to move to Cloudflare (and therefore my condition in nginx was unusable now as cloudflare is taking control). Everything still works, but now older browsers running on older OSes like Windows 98, XP, etc. can’t access the website. Surprisingly, macOS works - Mac OS 9 and Mac OS X (Earlier versions) both! I don’t need SSL, I just want my website to be accessible by these browsers, even on HTTP - while still keeping SSL redirects on new browsers.
I have Automatic HTTPS Rewrites On, Universal SSL On, Always Use HTTPS Off, Min. TLS version 1.2, Opportunistic Encryption On.
How do I make my website open on older browsers again, please?
You could set a configuration rule to turn SSL off if the user agent matches a Windows 98 user agent. From your website’s Cloudflare dashboard Rules -> Configuration Rules.
You could either do something like this and put the exact user agent (I just googled Windows 98 user agent so replace with whatever would be accurate). Or you could also do User Agent contains Windows 98 etc. Then to add multiple add the OR statement and do User Agent equals/contains MacOS xxxx etc.
This will disable Cloudflare’s SSL when requests match the criteria. I assume you are aware of the insecure practices of not using a SSL and simply want the website to load on your older devices, however just keep in mind all traffic will be unencrypted.
No, the purpose of using Cloudflare is not defeated as I am still using HTTPS on modern websites and there’s nothing wrong with keeping your site backwards compatible. Also I like caching of Cloudflare, so no I won’t turn A records to DNS only and my settings make perfect sense as they are. I just want the older Windows based browsers unblocked. I don’t think you understand the question quite well.
I tried using this by creating a page rule. It does not work. One more thing to add here is that on older browsers, it just says “Server Not Found”. I don’t think it is a SSL problem as the site loads without SSL on Mac OS 9 and Mac OS X, but not on Windows 98 or XP. Again, it loads fine on modern browsers. But on Windows 98 and XP, it gives server not found in Netscape and Firefox respectively.
It wouldn’t be the DNS that’s setup on the Windows XP machine possibly? That’s the only thing I could think of that would be throwing a “Server Not Found”. Your DNS is resolving on my machine fine and nameservers have propagated. Could you try setting the DNS on the Windows XP machine to 1.1.1.1 or 8.8.8.8 (google dns) and try?
Just to see if you can get it to work. Not sure how you could verify unless you have someone that has a XP machine outside your net if you want to be 100% sure its working on all devices if changing the DNS works.
Anyway let us know how you go, if I get the time I might fire up a XP virtual machine and see if I can get it to work, interested to see if we can get it going. All the best
Sorry, it took me some time to reply. But, you were exactly right. I setup my DNS on both Windows XP and Windows 98 and checked with multiple browsers on each operating system, all worked good, Thank you very much.
There are a couple other ways you can detect if a user can use HTTPS and redirect only those that can use it.
I like the idea of redirecting specific clients, but it won’t necessarily hit all OS/browser combinations.
Another approach is a JavaScript redirect to HTTPS, with the script served from HTTPS only. If a browser can connect to your specific HTTPS will they get redirected, if not, they’ll never see the redirect script. Not everyone has JavaScript enabled, but you’ll catch most.
Another is to add HSTS headers either to the script mentioned above or even just a tracking-pixel type image that loads from HTTPS when the site is on HTTP. If successful the browser will note HSTS and force all future connections over to HTTPS regardless of what happens, but if that connection never happens they’ll be fine on HTTP. HSTS is only supported by reasonably modern browsers, but it is not impossible to configure one to support TLS 1.0 but not 1.1 or newer. Stupid, yes, but possible, especially someone stuck behind some MITM interception box from 300 years ago.
I’m not sure it matters enough to put in the effort for these types of things.
DNS only.
