Every subdomain is redirecting to HTTPS


#1

Hello,

So I enabled Cloudflare SSL for my website; everything was working perfectly, but today I wanted to try something and I noticed HTTPS was down: the main and sub domains force HTTP. And I turned off “Apply HSTS policy to subdomains (includeSubDomains)”. So what do I do?

Basically I only want HTTPS forced on specific subdomains, not on every one. I use Nginx. How do I do that?

Thanks in advance.


#2

Just to clarify, you turned off includeSubDomains now, but it was on previously?

Browsers that have previously visited your site while includeSubDomains was enabled will remember this setting and force HTTPS for subdomains (at least until the HSTS record expires, typically a few months). The only way to get around this is for clients to visit your main domain while includeSubDomains is disabled; this will stop your subdomains from being forced to use HTTPS (unless they also have an HSTS header that’s previously been cached).

You might also want to verify that your domain wasn’t added to the HSTS preload list, something that CloudFlare can do for you (though they show a number of warnings). That’s a list of domains baked into various browser binaries which should never be accessible via anything other than HTTPS. If your domain is on that list, you won’t be able to get around HSTS at all. There’s a removal process (see link above), but it might take a couple of months to push that as an update to all browsers.


#3

@pfg thank you so much for replying to me. I can’t wait until that day! But I will 🙂


#4

First remove CloudFlare from the equation + verify certs are working.

CloudFlare usage tends to break SSL many times.

When I take on a new hosting client, first tech I strip out is CloudFlare (or any other CDNs) which resolves many difficult to diagnose problems.

As for performance, native Apache + libapache2-mod-php (Debian/Ubuntu) easily tunes to 5000+ reqs/second throughput for WordPress sites. For static media (if you have many large videos/audio files/images), set up your own cookie-less CDN on some other host record like http://media.example.com + all will be well.


#5

Thank you for your help.

I’ve removed Cloudflare + SSL. And my site has so many NET::ERR_CERT_AUTHORITY_INVALID errors. Maybe I didn’t understand nginx + WordPress, because I installed vpssim for my site.


#6

When you’re connected to CloudFlare, they use their own wildcard SSL certs for all domains.

Once you’re rid of CloudFlare, add in a Let’s Encrypt cert to your virtual host definition.

Keep in mind NGINX produces another layer of problems. Strip that out too.

Be sure you change your Apache port from 8080 (usual port number when NGINX runs) to port 80 + deinstall all NGINX packages.

Rule of thumb for debugging, strip out all cruft so Apache connects with users…

Cruft meaning…

Hardware - CDNs + Load Balancers + DDoS mitigators.

Software - NGINX, Varnish, Squid, HAProxy.

Once you have a working Apache, better to tune LAMP, than add cruft.


#7

@omgomo, did you get a certificate from Let’s Encrypt and install it on your site? If so, how did you do that?

Could you tell us what your domain is?


#8

@schoen Oh, I’m using SSL from free Cloudflare.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.