Gena Makhomed wrote on 20-3-2015 at 12:05:
> On 20.03.2015 12:36, Dewangga Bachrul Alam wrote:
>
>> You'll _never_ reach an http request since you set the HSTS configuration :)
>> If you still want some http requests on your web server, disable your
>> HSTS directive. (See Daniel's statement in the previous email.)
>
> 1. HSTS is enabled only on the domain name www.example.com;
> on the domain name example.com there is no HSTS, no https and no redirects.
>
> 2. Disabling HSTS is a bad idea.
> HSTS should be enabled on https servers.
>
> 3. please do not top post.
> thank you.
>
1. Any website will want www and non-www to show the same website. This
cannot be done in your configuration.
2. If any user goes to https://example.com/ instead of
https://www.example.com/, the request goes to the default website on 443,
which is www.example.com in this case. If that certificate is valid for
example.com, the connection is established, HSTS is set again in the
browser for example.com, and you will end up on SSL time and time again.
3. I never said I thought it _should_ be disabled. In fact, I think
https:// should always be used if possible, and http:// should be
avoided at pretty much all times.
4. HSTS does not _need_ to be enabled for secure connections to work;
it's a "very nice to have", but not mandatory. In his case, it probably
gives more trouble than it's worth. However, I do agree that it
_should_ be enabled, like you said. But again, in his configuration it might
not be possible to have the best solution for what is being asked for.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
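The fall-through described in point 2 above happens because nginx answers any name that matches no server_name on a given IP:port with that port's default server; if the only server block on 443 is the www.example.com vhost, https://example.com lands there and receives its Strict-Transport-Security header. The configuration below is an added example written for this thread, not the original poster's configuration or anything from the nginx project. The hostnames are the thread's example.com / www.example.com; the certificate paths and the one-year max-age are assumptions.

```nginx
# Added example (not from the thread). Assumed certificate paths;
# the certificate for the redirect block must cover example.com.

# Plain http for both names: redirect straight to the canonical https host.
# No HSTS header is sent here (HSTS over http is ignored by browsers anyway).
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# https://example.com gets its own server block, so it no longer falls
# through to the www vhost and never sees the www vhost's HSTS header.
# Because the redirect is served over TLS, the certificate used here must
# be valid for example.com (e.g. a SAN certificate for both names).
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;            # assumed path
    return 301 https://www.example.com$request_uri;
}

# Catch-all for any other name presented on 443 (unknown SNI, bare IP).
# Marking this block default_server is what stops the www vhost from being
# the implicit default; 444 closes the connection without a response.
# A self-signed certificate is enough, since nothing legitimate lands here.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/catchall-selfsigned.pem;    # assumed path
    ssl_certificate_key /etc/nginx/ssl/catchall-selfsigned.key;    # assumed path
    return 444;
}

# The canonical site: HSTS is set only here. includeSubDomains is left out
# on purpose, because example.com itself still answers on plain http and a
# policy covering it would pin every browser that ever saw this header.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/www.example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/ssl/www.example.com.key;            # assumed path

    # "always" (nginx >= 1.7.5) keeps the header on error responses too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/www.example.com;   # assumed document root
    index index.html;
}
```

Two checks worth running after a change like this: `nginx -t`, and then `openssl s_client -connect <ip>:443 -servername example.com` followed by a `GET / HTTP/1.1` with `Host: example.com`, to confirm that the response is the 301 and carries no Strict-Transport-Security header. Note also that any `add_header` inside a `location` block replaces all `add_header` directives inherited from the `server` block, so the HSTS header has to be repeated in every location that adds its own headers.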