Always redirect to HTTPS


#1

Hello all,

First of all, I have an Ubuntu Server 14.04 with LetsEncrypt running. The first time I installed the certificates I chose the option Secure to put all the traffic into https://.

But now for some reason we have to test something without https, so the first thing I did was remove the HTTPS lines in the .conf file from Apache2. But this didn't work.

After that I tried to reconfigure in Easy mode for HTTP and HTTPS. But that doesn't seem to be the answer either. I also tried to delete all the config files and even delete the Letsencrypt folder. I created new .conf files but it still keeps the problem there.

Also it's a Drupal website. Is there maybe something in Drupal that forces the 443 port?


#2

Hello @Kobject,

Seems like you added the HSTS header to your apache conf. This directive tells the browser visiting your site that for the max age configured in the directive, the browser should access your site always using https. So the “problem” is in your browser right now.

In your apache conf you should have/had something like this:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

Well, you have removed all your conf, even letsencrypt certs (I hope you have backups), so at this point you have three options:

1.- Remove your browser’s cache and try again to access your http site.

2.- Use a new and fresh browser so this browser doesn’t know yet about your hsts header and you could visit your site using http.

3.- Recover all the apache and letsencrypt files that you removed, edit apache conf and change the header directive using max-age=0, something like this:
Header always set Strict-Transport-Security "max-age=0; includeSubdomains; preload"

Reload or restart apache and visit your site again; once visited, the browser will ignore the hsts header and you could access your site using only http.

Note: I don’t use Drupal so this issue could also be related to some redirect/rewrite performed in your drupal conf… that’s something that you should know.

Good luck.
sahsanu


#3

First thanks for your fast reply,

I couldn't find the line in my /etc/apache2/apache.conf file. Can this line be in one of my mods installed for Apache in the mods-enabled folder?

I know there is a kind of ssl.conf file that is created by Letsencrypt.


#4

That line should be in your virtualhost conf, usually inside sites-enabled dir, anyway, you could try to find it:

grep -ri 'Strict-Transport-Security' /etc/apache2/

But if you removed the conf files created by letsencrypt it could not be there…


#5

I already reinstalled and configured LetsEncrypt again, because I can't access the website otherwise. But the command you gave me doesn't give me any reply.


#6

If you get no response then you have no files in your conf using the Strict-Transport-Security header and you should recreate them to change the max-age (that's the reason you should backup before removing any file :wink: ).

Anyway, did you try to clean your browser's cache and/or a new and fresh browser just to be sure that the problem is actually the HSTS header?


#7

Can you tell me in which file I have to create them, in the vhost?


#8

Well, I don't know what your conf is, but you should have a file similar to yourdomain.tld.conf in the /etc/apache2/sites-enabled/ dir and you should add the part for https, something like this:

<VirtualHost *:443>
    DocumentRoot /path/to/your/site/documentroot
    ServerName yourdomain.tld
    ServerAlias www.yourdomain.tld
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/yourdomain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.tld/privkey.pem
    Header always set Strict-Transport-Security "max-age=0"
</VirtualHost>

Keep in mind that you should have the certs available in /etc/letsencrypt/live/yourdomain.tld/ or apache will refuse to start.


#9

Invalid command ‘Header’, perhaps misspelled or defined by a module not included in the server configuration

I got this back…


#10

That's because you have not enabled the headers module:

a2enmod headers

After that you should restart apache.

But if you are receiving this error and you didn't touch your apache conf (apart from removing your virtualhost config file) then it is not possible that your problem could be the hsts header, or it would have failed before…

Please, try to access your site with a fresh browser or tell me what is your domain so I can check whether it is being redirected to https site.


#11

I got the following error now:

Bad Request
Your browser sent a request that this server could not understand.

Reason: You’re speaking plain HTTP to an SSL-enabled server port.

Instead use the HTTPS scheme to access this URL, please.


#12

Ok, I checked your site and it is working fine in https mode (but I can’t see the header with max-age=0). You have a misconfiguration regarding your virtualhost listening in port 80. You are activating ssl in port 80 and you shouldn’t.

Post your virtualhost conf file and I’ll check it.

Edit: I mean that I can’t see the header with max-age=0


#13

See your private msg


#14

I think the redirection to HTTPS always could be resolved by:

  1. Open the folder /etc/apache2/sites-available
  2. There would be one additional file named le-redirect-domainname.conf
  3. Open the file and change the line RewriteEngine On to RewriteEngine Off
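The thread touches three separate causes for a site that "always redirects" to HTTPS: a cached Strict-Transport-Security policy (posts #2, #6 and #8), `SSLEngine on` inside the port-80 virtual host (the "speaking plain HTTP to an SSL-enabled server port" error in posts #11 and #12), and the `le-redirect-*.conf` rewrite file (post #14). The script below is an added example, not code from the forum posts or from the Let's Encrypt client: it audits an Apache config tree for all three in one pass. The directory layout and vhost contents it builds under `mktemp -d` are constructed for the demonstration; run `audit /etc/apache2` against a real server instead.

```shell
#!/bin/sh
# Audit an Apache config tree for the three redirect causes discussed in the thread.
# Demo tree below is constructed; in practice call: audit /etc/apache2
set -u

# Print the max-age of the first non-commented Strict-Transport-Security header
# under $1. Prints nothing and returns 1 when no such header exists (the same
# outcome as the thread's "grep -ri ... gives no reply").
hsts_max_age() {
    grep -rhi 'Strict-Transport-Security' "$1" 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1 \
        | grep .
}

# Return 0 if any <VirtualHost *:80> block in the given file(s) turns SSLEngine on.
# That is the misconfiguration behind Apache's "Bad Request ... plain HTTP to an
# SSL-enabled server port" page.
ssl_on_port_80() {
    awk '
        /<VirtualHost[^>]*:80>/ { inside = 1 }
        /<\/VirtualHost>/       { inside = 0 }
        inside && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$@"
}

# Print "on" or "off" for the first RewriteEngine directive in $1.
rewrite_engine_state() {
    sed -n 's/^[[:space:]]*RewriteEngine[[:space:]]\{1,\}\([OoNnFf]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

audit() {
    dir=$1
    if age=$(hsts_max_age "$dir"); then
        if [ "$age" -eq 0 ]; then
            echo "HSTS header present with max-age=0: returning browsers will drop the cached policy"
        else
            echo "HSTS header present, max-age=$age s: browsers that saw it keep forcing https that long"
        fi
    else
        echo "No Strict-Transport-Security header under $dir (a cached policy can still live in browsers)"
    fi
    if ssl_on_port_80 "$dir"/sites-enabled/*.conf; then
        echo "WARNING: SSLEngine on inside a *:80 vhost; move SSL* directives to the *:443 vhost"
    fi
    for f in "$dir"/sites-enabled/le-redirect-*.conf; do
        [ -f "$f" ] && echo "$f: RewriteEngine $(rewrite_engine_state "$f")"
    done
}

# Constructed sample tree reproducing the thread's situation: HSTS with a long
# max-age, SSLEngine wrongly enabled on port 80, and the certbot redirect file.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled"
    cat > "$d/sites-enabled/yourdomain.tld.conf" <<'EOF'
<VirtualHost *:80>
    ServerName yourdomain.tld
    DocumentRoot /var/www/html
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName yourdomain.tld
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/yourdomain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.tld/privkey.pem
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
EOF
    cat > "$d/sites-enabled/le-redirect-yourdomain.tld.conf" <<'EOF'
<VirtualHost *:80>
    ServerName yourdomain.tld
    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>
EOF
    echo "$d"
}

DEMO_DIR=$(demo_tree)
audit "$DEMO_DIR"
```

The `max-age=0` branch matters for the fix sahsanu describes: a browser only replaces its stored HSTS policy when it next fetches the site over HTTPS and sees the new header, so the 443 vhost must stay up long enough for the client to visit it once, and a fresh browser profile is the quickest way to confirm the server side is already fixed.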