chromium/hstspreload.org

Error: HTTP does not redirect to HTTPS

hdatma opened this issue · 6 comments

I see the above error on sites that DO redirect from HTTP to HTTPS.

This is how it redirects on nginx:

server {
    listen 80;
    server_name www.example.com example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;
    ...
}

I have seen the same error on ssllabs years ago. The problem was the test: it demanded the "www." prefix from sites that redirected from www to non-www server names.

The oddball is that "hstspreload preloadabledomain" returns "Satisfies requirements". The above error is only returned by the website https://hstspreload.org/?domain=...

The error message you received on hstspreload.org should have said what the expected redirect was and what was observed.

Can you use the contact us information on hstspreload.org and let us know the specific domain that you're having trouble with (and if you have it, the full text of the error that said "HTTP does not redirect to HTTPS")? There's not enough information in this bug report to figure out what's going on.

Error: HTTP does not redirect to HTTPS
http://example.com (HTTP) redirects to https://example.com/. The first redirect from http://example.com should be to a secure page on the same host (https://example.com).

where "https://example.com/" is the result of "return 301 https://example.com$request_uri;".

Works with Apache 2.4

# Port 80
# Redirect HTTP non-www to HTTPS
<VirtualHost *:80>
    ...
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteCond %{SERVER_NAME} =domain.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </IfModule>
    ...
</VirtualHost>

# Port 443
# Redirect HTTPS non-www to HTTPS www
<VirtualHost *:443>
    ...
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{SERVER_NAME} !^www\.(.*)$ [NC]
        RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </IfModule>
    ...
</VirtualHost>

There doesn't appear to be anything actionable here for the hstspreload.org project.

Not so quick, cowboy! You were asleep for 9 months, so give me the time to read your reply of less than 20 hours ago.

Your website is now responding with a more informative error message, from which it is now clear that you have a parsing problem. When http://example.com redirects to https://Example.com, your parser considers them as different domains. Just make the parsing case insensitive, and you solved the problem. Then you can close this ticket and go back to sleep.

> Just make the parsing case insensitive,

Ah, that would be #90. Sorry for the trouble.
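
The check discussed in this thread (the first redirect from HTTP must land on HTTPS on the same host) can be written with a case-insensitive hostname comparison as below. This is an added example, not code from the hstspreload.org project or from any commenter; the function name `checkFirstRedirect` and the sample Location values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// checkFirstRedirect (hypothetical helper) reports whether the Location
// header returned for an http:// origin points at HTTPS on the same host.
// Hostnames are compared case-insensitively because DNS names are not
// case-sensitive; ports are not compared.
func checkFirstRedirect(origin, location string) error {
	from, err := url.Parse(origin)
	if err != nil {
		return fmt.Errorf("bad origin: %w", err)
	}
	ref, err := url.Parse(location)
	if err != nil {
		return fmt.Errorf("bad Location: %w", err)
	}
	to := from.ResolveReference(ref) // a Location value may be relative
	if to.Scheme != "https" {
		return fmt.Errorf("redirect to %s is not HTTPS", to)
	}
	if !strings.EqualFold(from.Hostname(), to.Hostname()) {
		return fmt.Errorf("redirect to %s leaves host %s", to, from.Hostname())
	}
	return nil
}

func main() {
	// Constructed Location values for http://example.com, not captured traffic.
	for _, loc := range []string{
		"https://example.com/",     // same host: accepted
		"https://Example.com/",     // differs only in case: accepted
		"https://www.example.com/", // different host: rejected
		"/login",                   // relative, stays on HTTP: rejected
	} {
		fmt.Printf("%-26s %v\n", loc, checkFirstRedirect("http://example.com", loc))
	}
}
```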