On 20.03.2015 11:35, Daniël Mostertman wrote:
You said that in your configuration, you have the following line:
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
This makes nginx send a HSTS header to browsers that visit the website.
With this, you tell the browser to always use https:// and never use
http://, for the whole website.
If you do not disable this, any and all requests done to the site will
make sure that any requests for the next 6 months of that visit (you set
it to 6 months), will always, no matter what the user or redirect
types/does, use https://.
If you want to avoid this behaviour, you should first reduce the
duration of the header (max-age=) to 1 second, so that browsers will
reduce the remaining time to 1 second.
Then disable it after a few days/a week, depending on how long you think
users take to return to your website.
HSTS is good thing and should not be disabled.
if you need http only for some uri - better create separate server,
on different server_name, which works only on http, and leave https
server for all rest https uri. for example:
server {
listen 443 ssl;
server_name www.example.com;
# HSTS (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
... # HTTPS-only
}
server {
listen 80;
server_name www.example.com;
location / { return 301 https://www.example.com$request_uri; }
}
server {
listen 80;
server_name example.com;
location / { return 301 https://www.example.com$request_uri; }
location = /mobile/PayOnlyResult.do {
... # HTTP-only
}
location = /kor/tel.do {
... # HTTP-only
}
}
www.example.com - HTTPS-only, example.com - HTTP-only.
--
Best regards,
Gena
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
