Unable to stop HTTPS Rewrite

I have disabled the option for automatic URL rewriting. I have FULL SSL mode on, but a subdomain that does not require or use SSL. How can I get the URL to stop being rewritten and redirected from HTTP to HTTPS for a proxied subdomain set by CNAME?

For starters, don’t use Full, as that’s insecure. You need Full Strict.

As for the rewrite, just make sure “Always use HTTPS” is not enabled, and Cloudflare should not redirect to HTTPS. Of course, HSTS should not be enabled either.

I have confirmed “Always use HTTPS” is disabled and HSTS is Disabled but the URL continues to be rewritten to HTTPS.

What’s the domain?

Are you testing using curl or a browser? Keep in mind that browsers cache redirects. Also is there a specific reason you can’t just grey-cloud the DNS entry for that subdomain? Do you absolutely need it proxying through Cloudflare?

Automatic HTTPS Rewrites is also disabled (but it was previously enabled, if there is a latency in the setting change taking effect > 30 minutes).

HTTPS rewrites won’t send a redirect. Have you tried a different browser?

But again, what’s the domain?

I don’t need proxying on, no. I can grey it out.


.app is by default HSTS. So browsers will always use HTTPS.

HTTP requests get a 200 straight away.

$ curl -I http://staging.alberto.app
HTTP/1.1 200 OK

Same behavior in Brave and Safari

Sure, because they follow HSTS, but it’s not a redirect.

So the .app is the culprit; as you have pointed out, ping and curl are fine.

FYI it works in Tor browser (which ignores HSTS), there are probably other HSTS-ignoring browsers out there if you’re desperate, but if you want it to be accessible over HTTP to the general public you’ll need to use a different TLD.

Right, all .app domains use HSTS by default.

Do set Full Strict, however.

I will be, thank you all for your help!

For reference, here are all the TLDs that use forced HSTS: List of top-level domains (TLDs) that require HTTPS connections, like .dev - Server Fault

.app and .dev being the most notable ones.
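
The three causes the thread checks in turn (a redirect sent by the server, an HSTS header, and an HSTS-preloaded TLD) can be told apart from `curl -I` output, shown here as an added example that is not part of any post above and is not Cloudflare's code. The function names, the two-entry `PRELOADED_TLDS` set (only the TLDs named in the thread) and the sample hosts and responses are assumptions constructed for illustration.

```python
# Added example: why does a browser land on HTTPS for an http:// URL?
# Only the two TLDs named in the thread; the real preload list is longer.
PRELOADED_TLDS = {"app", "dev"}

def parse_head(raw):
    """Parse `curl -I` output into (status_code, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, 0 if absent."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0

def diagnose(host, http_head, https_head=None):
    """List every reason a browser would use HTTPS for http://host/."""
    findings = []
    status, headers = parse_head(http_head)
    # 1. Redirect sent by the server or proxy ("Always Use HTTPS" does this).
    if status in (301, 302, 307, 308) and \
            headers.get("location", "").lower().startswith("https://"):
        findings.append("server-redirect")
    # 2. HSTS header: browsers honour it only when received over HTTPS.
    if https_head is not None:
        _, tls_headers = parse_head(https_head)
        if hsts_max_age(tls_headers.get("strict-transport-security", "")) > 0:
            findings.append("hsts-header")
    # 3. Preloaded TLD: the browser upgrades before sending any request,
    #    so no server or Cloudflare setting can turn it off.
    if host.rstrip(".").rsplit(".", 1)[-1].lower() in PRELOADED_TLDS:
        findings.append("preloaded-tld")
    return findings or ["no-upgrade-found"]

# Constructed sample inputs (not captured from a real site).
PLAIN_200 = "HTTP/1.1 200 OK\r\n\r\n"
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n"
WITH_HSTS = "HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n"

if __name__ == "__main__":
    print(diagnose("staging.example.app", PLAIN_200))
    print(diagnose("www.example.com", REDIRECT))
    print(diagnose("www.example.com", PLAIN_200, WITH_HSTS))
```

A plain `200` over HTTP combined with a `preloaded-tld` finding matches the situation in the thread: the server is not redirecting, and the browser is upgrading the request on its own.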

