hsts

Firefox caches HSTS so configure domain properly

Okaaay, I am sure many of us have configured by now (or not) the webserver to serve content over HTTP/2. SPDY times are now gone and we need to get up to the standards. Today I had a weird issue with one of my domain's subdomains.
Specifically, Firefox was trying to open the subdomain on https, even though the subdomain itself was configured on nginx to work only on plain standard http. At first I didn’t know what was happening, and I thought I did something wrong, maybe configured the subdomain as ssl enabled (drunk people are doing stuff like this).
But no, I checked and double checked and my subdomain was properly configured ONLY for http. I cleared Firefox’s cache, I deleted everything, I reinstalled Windows, I drank a coffee then a beer then a whiskey. Unfortunately my Firefox was still trying to open the plain http over https. What the heck is going on eh?!
Then, after a few dozen prayers to the God of all Linux servers, some curses to the same almighty being, I got struck with his almighty wisdom. In fact I was struck by my almighty stupidity.
I had configured the main domain to specify I’m using HSTS and also asked specifically to include subdomains. So my config line in nginx looked like this:

and I needed to make it like this:

Please note that the ‘always’ parameter (which ensures that the header is set for all responses) does not work in nginx versions prior to 1.7.5 or NGINX Plus R5.
So that’s it, now subdomains are working on http as they were meant to work and the main domain makes use of https and HTTP/2 as it should. And all these issues because of a wrongly configured HSTS header.
