Gena Makhomed wrote on 20-3-2015 at 12:05:
> On 20.03.2015 12:36, Dewangga Bachrul Alam wrote:
>
>> You'll _never_ reach an http request since you set the HSTS configuration :)
>> If you still want some http requests on your web server, disable your
>> HSTS directive. (see Daniel's statement in the previous email).
>
> 1. HSTS enabled only on domain name www.example.com
>    on domain name example.com - no HSTS, no https and no redirects.
>
> 2. disabling HSTS is a bad idea.
>    HSTS should be enabled on https servers.
>
> 3. please do not top post.
>    thank you.


1. Any website will want www. and non-www to show the same website. This cannot be done in your configuration.

2. If any user goes to https://example.com/ instead of https://www.example.com/, it goes to the default website on 443, being www.example.com in this case. If that certificate is valid for example.com, the connection is built, HSTS is re-set in the browser for example.com, and you will end up on SSL time and time again.

3. I never said I thought it _should_ be disabled. In fact, I think https:// should always be used if possible, and http:// should be avoided at pretty much all times.

4. HSTS does not _need_ to be enabled for secure connections to work; it's a "very nice to have", but not mandatory. In his case, it probably gives more trouble than it's worth. However, I do agree that it _should_ be, like you said. But again, in his configuration it might not be possible to have the best possible solution for what's being wished for.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
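The setup the thread keeps circling, as an added example (my own nginx config, not anything posted in the thread): www and non-www serve the same site, every plain-http or non-www request is redirected to the one canonical https host, and the HSTS header is sent only from server blocks where TLS actually terminates. It also closes the gap from point 2 above by giving port 443 an explicit default_server, so a stray hostname no longer silently lands on the www.example.com block. Host names, certificate paths and the web root are placeholders; the certificate is assumed to cover both example.com and www.example.com.

```nginx
# Added example, not from the thread. Assumes one certificate (SAN or wildcard)
# valid for both example.com and www.example.com at the paths below.

# Explicit catch-all for port 443. Without this, nginx uses the first server{}
# listening on 443 as the default, which is exactly how https://example.com/
# ends up on the www.example.com vhost by accident. 444 closes the connection.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    return 444;
}

# Plain HTTP on either name: a bare redirect, and no HSTS header here, since
# browsers ignore Strict-Transport-Security received over http anyway.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# https://example.com: a valid TLS handshake with the shared certificate, then
# a redirect to the www host. Sending HSTS from this block is safe because the
# redirect target is itself HTTPS; a browser that remembers the policy for
# example.com simply comes straight back to this redirect next time.
# includeSubDomains is deliberately left out: on the apex it would force HTTPS
# on every subdomain, including any that are not served over TLS.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    add_header Strict-Transport-Security "max-age=31536000" always;
    return 301 https://www.example.com$request_uri;
}

# The canonical site. "always" (nginx 1.7.5+) makes add_header apply to every
# response code, so the HSTS policy is also refreshed on 404s and 5xx pages.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    add_header Strict-Transport-Security "max-age=31536000" always;
    root  /var/www/example.com;
    index index.html;
}
```

After `nginx -t` and a reload, check the four paths with `curl -sI http://example.com/`, `curl -sI http://www.example.com/`, `curl -sI https://example.com/` and `curl -sI https://www.example.com/`: the first three should answer 301 with `Location: https://www.example.com/`, only the last two should carry `Strict-Transport-Security`, and `curl -sI --resolve other.example.com:443:<ip> https://other.example.com/` should get the connection dropped rather than the www site. If the apex should genuinely stay plain http, as the original poster seems to want, drop the `server_name example.com` block on 443 and accept that the apex then has no HTTPS at all; keeping HSTS off is not a substitute for that decision.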