On 20.03.2015 12:36, Dewangga Bachrul Alam wrote:
> You'll _never_ reach an http request since you set the HSTS configuration :)
> If you still want some http requests on your web server, disable your
> HSTS directive. (see Daniel's statement in the previous email).
1. HSTS is enabled only on the domain name www.example.com;
on the domain name example.com there is no HSTS, no https and no redirects.
2. Disabling HSTS is a bad idea.
HSTS should be enabled on https servers.
3. Please do not top-post.
Thank you.
>> HSTS is a good thing and should not be disabled.
>>
>> If you need http only for some URIs, it is better to create a separate
>> server, on a different server_name, which works only on http, and leave
>> the https server for all the remaining https URIs. For example:
>>
>> server {
>>     listen 443 ssl;
>>     server_name www.example.com;
>>
>>     # HSTS (15768000 seconds = 6 months)
>>     add_header Strict-Transport-Security max-age=15768000;
>>
>>     ... # HTTPS-only
>> }
>>
>> server {
>>     listen 80;
>>     server_name www.example.com;
>>     location / { return 301 https://www.example.com$request_uri; }
>> }
>>
>> server {
>>     listen 80;
>>     server_name example.com;
>>     location / { return 301 https://www.example.com$request_uri; }
>>
>>     location = /mobile/PayOnlyResult.do {
>>         ... # HTTP-only
>>     }
>>     location = /kor/tel.do {
>>         ... # HTTP-only
>>     }
>> }
>>
>> www.example.com - HTTPS-only, example.com - HTTP-only.
>>
--
Best regards,
Gena
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
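
The host scoping discussed in this thread (HSTS sent by www.example.com without includeSubDomains, so example.com stays reachable over plain HTTP) can be checked against a small model of a browser's HSTS host list as specified in RFC 6797. This is an added example, not part of the original thread; the class and method names are hypothetical and the header values fed to it are constructed.

```python
import time


class HSTSStore:
    """Minimal model of a browser's Known HSTS Host list (RFC 6797)."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def note_header(self, host, header_value, via_https, now=None):
        """Record a Strict-Transport-Security header received from host."""
        if not via_https:
            return  # the header is ignored on insecure transport
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is a required directive
        if max_age == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 removes the entry
        else:
            self._hosts[host.lower()] = (now + max_age, include_sub)

    def must_upgrade(self, host, now=None):
        """True if an http:// request to host is rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # i == 0 is an exact match; a parent domain only counts
            # when its entry carries includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


if __name__ == "__main__":
    store = HSTSStore()
    # Header from the quoted config, seen on the HTTPS server only.
    store.note_header("www.example.com", "max-age=15768000", via_https=True)
    for h in ("www.example.com", "example.com"):
        print(h, "-> https forced" if store.must_upgrade(h) else "-> http allowed")
```

If example.com itself ever answers over HTTPS with an includeSubDomains policy, the model shows every host under it being upgraded, which would take the HTTP-only locations out of reach for browsers that cached it.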