On 20.03.2015 13:13, Daniël Mostertman wrote:

You'll _never_ reach an http request since you set the HSTS configuration :)
If you still want some http requests on your web server, disable your
HSTS directive. (see Daniel's statement in the previous email).

1. HSTS is enabled only on the domain name www.example.com;
   on the domain name example.com there is no HSTS, no https and no redirects.

2. Disabling HSTS is a bad idea.
   HSTS should be enabled on https servers.

3. Please do not top post.
   Thank you.


1. Any website will want www. and non-www to show the same website. This
cannot be done in your configuration.

http://example.com and http://www.example.com show the same site:

server {
  listen 80;
  server_name example.com;

  # everything else on plain HTTP is sent to the HTTPS www. site
  location / { return 301 https://www.example.com$request_uri; }

  # the two HTTP-only URIs are served here, on example.com, which never sends HSTS
  location = /mobile/PayOnlyResult.do {
    ... # HTTP-only
  }
  location = /kor/tel.do {
    ... # HTTP-only
  }
}

Exceptions are made only for the two URIs, which are HTTP-only.

2. If any user goes to https://example.com/ instead of
https://www.example.com/, it goes to the default website on 443, being
www.example.com in this case. If that certificate is valid for
example.com, the connection is built, and the HSTS is re-set in any
browser for example.com and you will end up on SSL time and time again.

No problem,

server {
  listen 443 ssl default_server;
  server_name example.com;
  # ssl_certificate / ssl_certificate_key for this server must cover example.com
  # (omitted here); otherwise browsers see a certificate error before any redirect

  # no add_header Strict-Transport-Security here: example.com must stay HSTS-free
  location / { return 301 https://www.example.com$request_uri; }

  # the HTTP-only URIs are bounced back to plain HTTP on the same name
  location = /mobile/PayOnlyResult.do {
    return 301 http://example.com$request_uri;
  }
  location = /kor/tel.do {
    return 301 http://example.com$request_uri;
  }
}

server {
  listen 443 ssl;
  server_name www.example.com;

  # HSTS (15768000 seconds = 6 months)
  # note: add_header is not inherited into a location that has its own
  # add_header; repeat it there, and add the "always" parameter (nginx >= 1.7.5)
  # if the header should also go out on error responses
  add_header Strict-Transport-Security max-age=15768000;

  ... # HTTPS-only
}

The HTTPS site example.com is the default site and does not have HSTS.

3. I never said I thought it _should_ be disabled. In fact, I think
https:// should always be used if possible, and http:// should be
avoided at pretty much all times.

Agreed, I don't know why the topic starter needs such a strange configuration.

4. HSTS does not _need_ to be enabled for secure connections to work;
it's a "very nice to have", but not mandatory. In his case, it probably
gives more trouble than it's worth. However, I do agree that it
_should_, like you said. But again, in his configuration it might not
be possible to have the best possible solution for what's being wished for.

I can't agree with you that disabling HSTS
on HTTPS sites is the best possible way.

My solution may be simpler if the HTTP-only server
uses another name, for example public.example.com,
legacy.example.com, static.example.com
or something like this.

In this case, www.example.com and example.com
can both be HTTPS sites, without exceptions.

--
Best regards,
 Gena

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
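The thread's argument rests on how a browser scopes an HSTS policy: it is cached per host, only honoured over TLS, and includeSubDomains reaches down into subdomains but never up to the parent name. The script below is an added example (not code from the thread or from nginx) that models those RFC 6797 client rules and replays two constructed sets of responses: Gena's split configuration, where only www.example.com sends the header, and Daniël's point 2, where example.com:443 itself sends it. The hostnames, URIs and a third name public.example.com (Gena's HTTP-only alternative) are taken from the thread; the responses are constructed for the example, and the `/legacy.css` path is invented.

```python
"""RFC 6797 client-side HSTS model: which http:// URLs a browser upgrades,
given the responses it has seen. Added example, not code from the nginx
thread; all responses below are constructed to mirror the configs above."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains),
    or None when the header is malformed and must be ignored (RFC 6797 6.1)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Per-host HSTS store as a browser keeps it."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, secure, headers):
        """Feed one response (headers as (name, value) pairs) into the cache."""
        if not secure:
            return  # 8.1: an STS header received over plain HTTP is ignored
        values = [v for k, v in headers if k.lower() == "strict-transport-security"]
        if not values:
            return
        parsed = parse_sts(values[0])  # 8.1: only the first STS header counts
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 revokes the policy
        else:
            self._entries[host.lower()] = (self._now() + max_age, include_sub)

    def is_known(self, host):
        """8.2: exact match, or a superdomain match that set includeSubDomains.
        includeSubDomains on www.example.com never covers example.com itself."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """8.3: upgrade http:// to https:// for known HSTS hosts; an explicit
        :80 becomes :443, any other explicit port is kept."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname):
            return url
        host = p.hostname
        if p.port == 80:
            host += ":443"
        elif p.port is not None:
            host += f":{p.port}"
        return urlunsplit(("https", host, p.path, p.query, p.fragment))


def run_scenario(responses, probe_urls, now=lambda: 1_000_000.0):
    """Replay (host, secure, headers) responses, then map each probe URL to
    what the browser would actually request afterwards. Fixed clock so the
    result is deterministic."""
    cache = HstsCache(now)
    for host, secure, headers in responses:
        cache.observe(host, secure, headers)
    return {u: cache.rewrite(u) for u in probe_urls}


STS = "max-age=15768000"
PROBES = ["http://example.com/kor/tel.do", "http://www.example.com/",
          "http://public.example.com/legacy.css"]

# Gena's config: HSTS comes only from www.example.com; example.com:443 only
# redirects; an STS header seen over plain HTTP (constructed) is ignored.
SPLIT_HSTS = [("www.example.com", True, [("Strict-Transport-Security", STS)]),
              ("example.com", True, [("Location", "https://www.example.com/")]),
              ("example.com", False, [("Strict-Transport-Security", STS)])]

# Daniël's point 2: example.com:443 itself sends HSTS (here also with
# includeSubDomains), so the parent and every subdomain get pinned to TLS.
PARENT_HSTS = [("example.com", True,
                [("Strict-Transport-Security", STS + "; includeSubDomains")])]

if __name__ == "__main__":
    for name, responses in (("split", SPLIT_HSTS), ("parent", PARENT_HSTS)):
        for url, effective in run_scenario(responses, PROBES).items():
            print(f"{name:6} {url} -> {effective}")
```

In the split scenario only http://www.example.com/ is upgraded, so the two HTTP-only URIs on example.com stay reachable. In the parent scenario every probe is upgraded, including public.example.com: if example.com ever sends HSTS with includeSubDomains, Gena's alternative of an HTTP-only name under example.com stops working too, so that server must send no Strict-Transport-Security at all, exactly as the default_server block above does.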
