Answer the question
In order to leave comments, you need to log in
S
S
Scuba2019-11-05 23:20:27
Scuba, 2019-11-05 23:20:27
Why do browsers still try to open https after switching to http?
Domain delegated to Yandex. A-records were registered for "Hosting1". This hosting gave free SSL, and in principle there were norms. Yesterday I decided to move to another hosting, and changed A-records to "Hosting2". There is no longer an SSL certificate, I set up a redirect via htaccess to http.
But the site opens only in incognito mode FF. In opera, regular FF, in chrome, from the phone - everywhere it tries to open on https and gives an error. Cleared cache, didn't help.
Or is it a joke that the site itself was delegated to Hosting2, but the fact that SSL has disappeared there is somehow delegated longer, or how does it all work and why is that?
I thought the problem is in htaccess, but even this construction does not work:
RewriteCond %{HTTPS} On
RewriteRule ^.*$ http://%{SERVER_NAME}%{REQUEST_URI}
RewriteCond %{HTTP:X-Forwarded-Protocol} =https
RewriteRule .* http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteCond %{ENV:HTTPS} on
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 1 answer(s)
@targetologru
Check the redirects and server response using any third party service, for example:
https://httpstatus.io/
Most likely, HSTS was used on the first server?
How the Browser Behaves
When the expiration time specified by the Strict-Transport-Security header expires, the next attempt to load the site using HTTP will be treated as normal without automatically using HTTPS.
Each time the browser receives the Strict-Transport-Security header, it updates the site's expiration time so that the site can update this information and prevent it from terminating. If you need to disable Strict-Transport-Security, set max-age to 0 (over an https connection) and it will instantly terminate the Strict-Transport-Security header, allowing access via http.
https://developer.mozilla.org/ru/docs/Web/HTTP/%D0...
You can disable HSTS on the server like this:
Nginx:
Apache (.htaccess):
Status check:
https://hstspreload.org/
Browser settings:
https://www.google.com/?q=How%20to%20clear%20hsts%...
Free SSL certificate:
https://letsencrypt.org/ en/
B
bkosun, 2019-11-05 @targetologru
But the site opens only in incognito mode FF. In opera, regular FF, in chrome, from the phone - everywhere it tries to open on https and gives an error. Cleared cache, didn't help.
Check the redirects and server response using any third party service, for example:
https://httpstatus.io/
Most likely, HSTS was used on the first server?
How the Browser Behaves
When the expiration time specified by the Strict-Transport-Security header expires, the next attempt to load the site using HTTP will be treated as normal without automatically using HTTPS.
Each time the browser receives the Strict-Transport-Security header, it updates the site's expiration time so that the site can update this information and prevent it from terminating. If you need to disable Strict-Transport-Security, set max-age to 0 (over an https connection) and it will instantly terminate the Strict-Transport-Security header, allowing access via http.
https://developer.mozilla.org/ru/docs/Web/HTTP/%D0...
You can disable HSTS on the server like this:
Nginx:
server {
...
add_header Strict-Transport-Security "max-age=0; includeSubDomains; preload";
}Apache (.htaccess):
<IfModule mod_headers.c>
...
Header set Strict-Transport-Security "max-age=0; includeSubDomains; preload" env=HTTPS
</IfModule>Status check:
https://hstspreload.org/
Browser settings:
https://www.google.com/?q=How%20to%20clear%20hsts%...
Free SSL certificate:
https://letsencrypt.org/ en/
Similar questions
G
R
A
K
Y
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question