I have a domain running on example.com and https://example.com on Heroku. I have a URL redirect on my name server from www to https://example.com. I have config.force_ssl = true set in config/environment/production.rb. The domain URL redirect works only on http, not https. It works in Chrome the first time I type www.example.com. However it fails the 2nd time I use www.example.com. It gives a 'ERR_CONNECTION_REFUSED' with a 307 Internal Redirect.
Status Code: 307 Internal Redirect
Location: https://www.example.com/
Non-Authoritative-Reason: HSTS
This is despite the domain service always giving Location: https://example.com via curl. Where is Chrome getting https://www* from? I saw https://superuser.com/a/881431/130929 about deleting the HSTS entries from Chrome at chrome://net-internals/#hsts. If I do that for both example.com and www.example.com, then it works only the first time for www.example.com again. example.com and https://example.com always works. What's worse is that in Firefox, after loading the page, simply using example.com fails because Firefox automatically adds a https://www. How can I use HTTPS on the root domain and redirect www to the root domain? I don't care about handling https://www.example.com as no one would type that. They would only mistakenly type www.example.com.
OK I fixed it with this answer http://stackoverflow.com/questions/10629397/ddg#10632901
I saw in curl -i https://example.com that it was returning
Strict-Transport-Security: max-age=15552000; includeSubDomains
The max age is 6 months. includeSubDomains probably means to include www. So I added
class ApplicationController < ActionController::Base
before_action :disable_hsts_subdomains
def disable_hsts_subdomains
response.headers["Strict-Transport-Security"] = 'max-age=15552000;'
end
Which just removed includeSubDomains so it wouldn't try to redirect www without reaching out to the host first (DNS server), which would send the redirect to the proper root domain.
Related
I've had an issue with Google Adsense not being able to access their config file (ads.txt) on my Rails site. I have put it in what I think is the correct folder (App -> Public).
In summary, this is the situation for which URLs work vs not:
[webURL].co.uk/ads.txt (works)
https://www.[webURL].co.uk/ads.txt (works)
http://www.[webURL].co.uk/ads.txt (works)
https://[webURL].co.uk/ads.txt (doesn't work - hangs)
http://[webURL].co.uk/ads.txt (doesn't work - error - HTTP Status: 404 (not found)
So my guess is that Google is trying to reach ads.txt via a URL without a www (the two bottom of the list above).
A couple of other points:
My Rails app is hosted on Heroku and I have a GoDaddy domain
On Godaddy, I have domain forwarding already setup, and so [mysite].com gets forwarded to www.[mysite].com.
So my question - how do I get URLs which don't have 'www' in them, to redirect to the equivalent URL with 'www'?
Any ideas?
Thanks in advance!
I resolved this by setting up Cloudflare and configuring some forwarding rules.
So I have a domain example.com and a subdomain sub.example.com.
I would like to configure my Nginx virtual host to open the root site when a user uses the domain example.com but when a user uses sub.example.com the server should serve example.com/sub. The main problem I'm having is the URL changing. I do not want to simply redirect, instead, the URL should stay the same.
So basically you can open the same page by visiting example.com/sub or sub.example.com but the URL should always be sub.example.com.
In your nginx configuration file for sub.example.com, under location /,
You can proxy-pass to the page you want to show. In this case example.com/sub.
But if you have more links on example.com/sub page, your routing would need some tweaks. Else, it should work fine.
I am open my website in firefox, but because of something wrong with my website, url is force redirected to https(I think this is because I write config.force_ssl = true in ruby on rails application).
But after I redeploy another ruby on rails application, firefox still force redirect to https, how can I make firefox do not redirect to https?
This is a browser caching issue.
Rails redirects to the HTTPS site using HTTP Status 301 (moved permanentely), the redirect is cached by Firefox.
Because the Host is always localhost, Firefox cannot differentiate between the individual Rails applications.
To resolve this problem try emptying the cache and/or use private browsing mode for testing.
I don't know about Firefox but in Chrome there's the option to completely deactivate caching for as long the dev tools are open.
Try to clear the cache. Firefox may remember http 302 - redirect permanently, and it does not know when you are using different rails application (as you probably run both on localhost:3000).
UPDATE Could it be this: strict-transport-security: max-age=8640000; includeSubDomains? from curl below:
curl -I http://innovationbound.com **(notice that's my bare domain I'm curling)**
HTTP/1.1 301 Moved Permanently
x-powered-by: Express
strict-transport-security: max-age=8640000; includeSubDomains
location: https://innovationbound.com/
vary: Accept
content-type: text/plain; charset=UTF-8
content-length: 62
date: Sun, 04 May 2014 15:21:06 GMT
connection: keep-alive
So, I've got the weirdest bug. If I clear my cache (firefox and chrome) and then load my blog: blog.innovationbound.com, it loads fine. But, after that, if I type in the url, or click on a link to the blog, or any path within the blog, I get a connection timed out.
My blog is hosted at Tumblr, innovationbound.tumblr.com, I have a CNAME record that points blog.innovationbound.com and www.blog.innovationbound.com to tumblr's domains.tumblr.com site. That's how tumblr works that out apparently.
Aside from that, I have a node.js website up and running at innovationbound.com. I have some middleware that ensures everything goes through ssl, so anything that hits that server gets redirected to https://...
Now nothing should hit that server if the CNAME records are working alright.
One other note: there used to be a redirect (301) from the bare domain to the www subdomain (because ssl only applied to www). That has since changed cause ssl applies to both (woohoo!).
Now when blog.innovationbound.com doesn't load, the problem loading page error shows up with https://blog.innovationbound.com, which is not what I typed in the first place, or what any links to our blog say either.
Any help would rock!
The problem seems to be that your middleware is also redirecting blog.innovationbound.com to use SSL, but only in some browsers.
Browsing to innovationbound.tumblr.com, the response is:
HTTP/1.0 301 Moved Permanently
Location: http://blog.innovationbound.com/
Browsing to http://blog.innovationbound.com/ in Chrome and Firefox results in being redirected to https://blog.innovationbound.com/
Browsing to http://blog.innovationbound.com/ in Safari presents the page without using SSL.
There are 4 IPs returned for blog.innovationbound.com, none of which accept https connections:
blog.innovationbound.com is an alias for domains.tumblr.com.
domains.tumblr.com. 30 IN A 66.6.40.74
domains.tumblr.com. 30 IN A 66.6.40.75
domains.tumblr.com. 30 IN A 66.6.40.76
domains.tumblr.com. 30 IN A 66.6.40.81
I've got a non wildcard SSL certificate for my root domain (example.com), and I'm using the heroku ssl endpoint add on. I'm using routing constraints so subdomain.example.com matches various controller actions, and I reroute the subdomain with CNAME records to the root domain. This all works fine in development, and it works fine in Tor browser if I disable https, but I can't get it to work in any ordinary browser.
I've tried using gem SSL-enforcer to enforce SSL except on host with subdomain as such:
config.middleware.use Rack::SslEnforcer, :except_hosts => 'subdomain.mydomain.com', :strict => true
Can I disable the https protocol for subdomain of my rails app? I feel like this might be impossible as I've read that SSL negotiations are made before the server knows the URL.
I would have recommended SSL-enforcer.....
Are you using config.force_ssl and generating a strict transport security header? I would suspect that might be the issue if it works with Tor but not a normal browser. Check the headers; if the HSTS exists, then that's probably the reason. Should be straight forward to change that (changing the max-age attribute to 0)
If not, check the Heroku docs again and make sure your settings and DNS/CNAME are correct....
https://devcenter.heroku.com/articles/ssl-endpoint#subdomain
Hope this helps.