Gena Makhomed
March 20, 2015 07:42AM
On 20.03.2015 13:13, Daniël Mostertman wrote:

>>> You'll _never_ reach http request since you set HSTS configuration :)
>>> If you still want some http request on your web server, disable your
>>> HSTS directive. (see Daniel statement on previous email).
>>
>> 1. HSTS enabled only on domain name www.example.com
>> on domain name example.com - no HSTS, no https and no redirects.
>>
>> 2. disabling HSTS is bad idea.
>> HSTS should be enabled on https servers.
>>
>> 3. please do not top post.
>> thank you.
>>
>
> 1. Any website will want www. and non-www to show the same website. This
> can not be done in your configuration.

http://example.com and http://www.example.com show the same site:

server {
    listen 80;
    server_name example.com;
    location / { return 301 https://www.example.com$request_uri; }

    location = /mobile/PayOnlyResult.do {
        ... # HTTP-only
    }
    location = /kor/tel.do {
        ... # HTTP-only
    }
}

Exceptions are made only for two URIs, which are HTTP-only.

> 2. If any user goes to https://example.com/ instead of
> https://www.example.com/ it goes to the default website on 443, being
> www.example.com in this case. If that certificate is valid for
> example.com, the connection is built, and the HSTS is re-set in any
> browser for example.com and you will end up on SSL time and time again.

No problem,

server {
    listen 443 default_server;
    server_name example.com;

    location / { return 301 https://www.example.com$request_uri; }

    location = /mobile/PayOnlyResult.do {
        return 301 http://example.com$request_uri;
    }
    location = /kor/tel.do {
        return 301 http://example.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # HSTS (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    ... # HTTPS-only
}

The HTTPS site example.com is the default site and does not have HSTS.

> 3. I never said I thought it _should_ be disabled. In fact, I think
> https:// should always be used if possible, and http:// should be
> avoided at pretty much all times.

Agreed, I don't know why the topic starter needs such a strange configuration.

> 4. HSTS does not _need_ to be enabled for secure connections to work,
> it's a "very nice to have". But not mandatory. In his case, it probably
> gives more trouble than it's worth. However, I do agree that it
> _should_, like you said. But again, in his configuration that might not
> be possible to have the best possible solution for what's being wished for.

I can't agree with you that disabling HSTS
on HTTPS sites is the best possible way.

My solution may be simpler if the HTTP-only server
uses another name, for example, public.example.com
or legacy.example.com or static.example.com
or something like this.

In this case, www.example.com and example.com
can both be HTTPS sites, without exceptions.

--
Best regards,
Gena

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
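
Added example, not part of the original message or of nginx itself: a small Python model of the redirect rules posted above together with a browser's HSTS cache. It traces why the two HTTP-only URIs resolve when only www.example.com sends the header and loop when example.com sends it too. The function names, the `hsts_senders` parameter and the 10-hop limit are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The two HTTP-only URIs named in the post.
HTTP_ONLY = {"/mobile/PayOnlyResult.do", "/kor/tel.do"}

def server_response(url):
    """Redirect target the posted server blocks would return, or None if content is served."""
    u = urlsplit(url)
    uri = (u.path or "/") + ("?" + u.query if u.query else "")   # like $request_uri
    if u.hostname == "example.com":
        if (u.path or "/") in HTTP_ONLY:
            # Port 80 serves these two; port 443 sends them back to plain HTTP.
            return None if u.scheme == "http" else "http://example.com" + uri
        return "https://www.example.com" + uri
    if u.hostname == "www.example.com" and u.scheme == "https":
        return None                      # the HTTPS-only site
    raise ValueError("not covered by the posted configuration: " + url)

def follow(url, hsts_senders, max_hops=10):
    """Trace one navigation as a browser would; returns (chain, looped).

    hsts_senders: hosts whose HTTPS responses carry Strict-Transport-Security.
    """
    known_hsts, chain = set(), []
    for _ in range(max_hops):
        u = urlsplit(url)
        if u.scheme == "http" and u.hostname in known_hsts:
            url = "https" + url[len("http"):]    # upgraded before any request is sent
            u = urlsplit(url)
        chain.append(url)
        if u.scheme == "https" and u.hostname in hsts_senders:
            known_hsts.add(u.hostname)           # header is honoured on redirects too
        target = server_response(url)
        if target is None:
            return chain, False
        url = target
    return chain, True                           # the browser's "too many redirects"

if __name__ == "__main__":
    start = "https://example.com/kor/tel.do"
    print(follow(start, {"www.example.com"}))                 # as posted
    print(follow(start, {"www.example.com", "example.com"}))  # HSTS also on example.com
```
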