Firefox and Chrome keeps forcing HTTPS on Rails app using nginx/Passenger
Solution 1
If you used config.force_ssl = true
in your environment configuration, and then later turn it off, your browser may still only make connections over ssl.
Rails sends an HSTS header when force_ssl
is true, which will cause some browsers to only allow connections over HTTPS to the domain in question, regardless of what's entered in the address bar. This setting will be cached by the browser for 1 year by default.
See some tips for how to avoid this in this blog post ocmment: http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/#comment-40447
Solution 2
I found a way to turn off HSTS from an answer on a Wordpress support forum of all of places: https://wordpress.org/support/topic/want-to-turn-off-http-strict-transport-security-hsts-header#post-6068192
You can send back a header that will turn off HSTS caching. Tested in Chrome with this example before_filter in a Rails 4 app:
response.headers['Strict-Transport-Security'] = 'max-age=0; includeSubDomains'
Related videos on Youtube
Steve
Updated on September 18, 2022Comments
-
Steve over 1 year
I've got a really weird problem here where every time I try to browse my Rails app in non-SSL mode Chrome (v16) and Firefox (v7) keeps forcing my website to be served in HTTPS.
My Rails application is deployed on a Ubuntu VPS using Capistrano, nginx, Passenger and a wildcard SSL certificate.
I have set these parameters for port 80 in the nginx.conf:
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO http; passenger_set_cgi_param HTTPS off;
The long version of my nginx.conf can be found here: https://gist.github.com/2eab42666c609b015bff
The ssl-redirect.include file contains:
rewrite ^/sign_up https://$host$request_uri? permanent ; rewrite ^/login https://$host$request_uri? permanent ; rewrite ^/settings/password https://$host$request_uri? permanent ;
It is to make sure those three pages use HTTPS when coming from non-SSL request.
My production.rb file contains this line:
# Enable HTTP and HTTPS in parallel config.middleware.insert_before Rack::Lock, Rack::SSL, :exclude => proc { |env| env['HTTPS'] != 'on' }
I have tried redirecting to HTTP via nginx rewrites, Ruby on Rails redirects and also used Rails view url using HTTP protocol.
My application.rb file contains this methods used in a before_filter hook:
def force_http if Rails.env.production? if request.ssl? redirect_to :protocol => 'http', :status => :moved_permanently end end end
Every time I try to redirect to HTTP non-SSL the browser attempts to redirect it back to HTTPS causing an infinite redirect loop. Safari, however, works just fine. Even when I've disabled serving SSL in nginx the browsers still try to connect to the site using HTTPS. I should also mention that when I pushed my app on to Heroku, the Rails redirect work just fine for all browsers.
The reason why I want to use non-SSL is that my homepage contains non-secure dynamic embedded objects and a non-secure CDN and I want to prevent security warnings.
I don't know what is causing the browser to keep forcing HTTPS requests.
-
Marcelo Bittencourt over 12 yearsCan you give the contents of
/opt/nginx/conf/ssl-redirect.include
-
Steve over 12 yearsHi, I just updated with the content of the file. Cheers
-
Marcelo Bittencourt over 12 yearsI can´t see any direct problem, but try remove the permanent flag from the redirect directives, and I´m not sure that the 'redirect root' directive is correct. is a problem to disclose the domain?
-
Steve over 12 yearsDon't worry Marcelo found out it was HSTS causing the problem.
-
-
Ryan Angilly over 9 yearsHoly crap. This is a huge problem. I know it's two years old, but any chance you've keep up to date on this issue. Any workarounds? I need to turn off forcing SSL for certain pages on an app so that it can load non-SSL pages in iframes.
-
Ben over 8 yearsDamn it… I was deeply stocked on this specific one. You saved a lot more than just my day; big thx
-
Ryan Angilly over 8 yearsReally glad it helped. I was so frustrated when I ran into this last year!
-
Ben over 8 yearsI have some user complaining about having a forever-page-load-wait, while using firefox (or I guess, some criptyc antivirus installed). anything of this type on your side ?
-
Ryan Angilly over 8 yearsNo, I don't think so, but getting this HSTS wrong is super sticky/annoying. Can you tell if the initial request is hanging for the user or if the page render is waiting on loading an asset? If you load assets from another domain, perhaps you still have HSTS issues on other subdomains?
-
Ben over 8 yearssadly, it happens without no real reasons, under osx capitan, specifically