Sites with enabled SSL feature redirect to HTTPS as default - happened within the last couple of days?

To Virtualmin

Websites with enabled SSL feature are automatically redirecting to HTTPS? This started within the last couple of days and gives a lot of headache.

How do we disable that?

I found this thread "Redirect HTTP to HTTPS by default?" https://www.virtualmin.com/node/45858

But our system is already set to NO in 'System Settings' --> 'Virtualmin Configuration' --> 'SSL Settings' ---> Redirect HTTP to HTTPS by default? So what's going on here!?

  • Tim
Status: 
Closed (fixed)

Comments

Running Virtualmin version 2:5.06-1 on CentOS 7. All 4 instances we have react the same, HTTP sites are redirected to HTTPS if the SSL feature has been enabled on the site, even though the "redirect HTTP to HTTPS by default" is set to NO.

  • Tim

There are no .htaccess files in the directories redirecting to HTTPS, so where is that bugger doing the redirect.

Howdy -- yeah domains shouldn't be redirecting anywhere by default.

Would it be possible to see an example of a site where this is happening?

Could you perhaps create a new script named "test.php" in a domain where this is occurring, and in that script, place the following content:

<?php phpinfo(); ?>

Then, could you share the resulting URL with us?

Hmm, is that URL redirecting to HTTPS for you?

I'm able to view that as HTTP.

If so, does the same thing happen when using a different browser?

Hi Eric

I am getting redirected, tried Firefox, Chrome and Chrome Incognito. Works with MS Edge though... But this has never been an issue.

Saw it first time when a customer called me telling me that his customer's site was looking strange. It was running WordPress and suddenly it didn't show images, style sheets and so on. I noticed the site was called http://wordpresssite1.tld but the WordPress site and URL was using the temporary site given at the time it was set up, which was http://wordpressite1.tld.servera.tld and that redirected to HTTPS, so they were getting an SSL warning. When I visited the http://wordpressite1.tld.servera.tld it also redirected me to the https://wordpressite1.tld.servera.tld and also for our customers visiting the site, not only me. To solve it I disabled the SSL feature on the site and changed the WordPress URL to http://wordpressite1.tld to get it solved here and now. The site has been running for 2 months using the setup described above without issues. It started earlier this week with the redirect stuff to https.

  • Tim

Hi Eric

Yes, it redirects me to the HTTPS site. My message before was just to inform you how I was getting notified of the issue from a customer.

  • Tim

Hmm, I'm not getting redirected to HTTPS on any of those URLs.

I've tried a couple of different browsers across a couple of different computers, but I don't seem to be able to reproduce what you're experiencing there.

I don't imagine you're using a browser plugin that might be doing that?

Or perhaps there's a proxy, firewall, or VPN on your network that might be redirecting?

Hi Eric

I have solved the issue :) It was an issue with my SSL hardening. https://anhsblog.com/blog/make-chrome-stop-redirect-from-http-to-https/

I had added the following in my SSL settings:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

If you had visited my main page https://www.ito-hosting.com it would require that all visits to that domain and subdomains had to use HTTPS. So if you then tried to visit the webpage http://testsite.w011.ito-hosting.com it would redirect to HTTPS because the Strict-Transport-Security forced it!

The browser saves the information in the HSTS settings. chrome://net-internals/#hsts

After I changed the configuration and visited the primary page first, all subdomains started working with normal HTTP again. I could also delete the registered sites in the Chrome settings as mentioned above. This issue / bug has been solved, it was my own fault that it happened but it was hard finding it :/

  • Tim
Status: Active » Closed (fixed)
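
Added example, not part of the original thread: a simplified Python model of the browser-side HSTS host list described in RFC 6797, showing how one header with includeSubDomains, once noted over HTTPS on a parent domain, causes later http:// requests to its subdomains to be upgraded. The header value is the one quoted above; the hostnames (hosting.example and its subdomains) and the names parse_hsts and HstsStore are constructed for illustration.

```python
import time
from urllib.parse import urlsplit

# Header value quoted in the thread; hostnames used with it are constructed.
HEADER = "max-age=63072000; includeSubDomains; preload"

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if invalid (RFC 6797 6.1)."""
    max_age, include_sub, seen = None, False, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            return None  # a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True  # unknown directives such as preload are ignored
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Simplified model of a browser's known-HSTS-host list."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def note(self, url, header, now=None):
        """Record a policy; headers seen over plain HTTP are ignored."""
        now = time.time() if now is None else now
        u, policy = urlsplit(url), parse_hsts(header)
        if u.scheme != "https" or policy is None:
            return False
        if policy[0] == 0:
            self.hosts.pop(u.hostname, None)  # max-age=0 removes the entry
        else:
            self.hosts[u.hostname] = (now + policy[0], policy[1])
        return True

    def upgrades(self, url, now=None):
        """True if an http:// URL would be rewritten to https:// before sending."""
        now = time.time() if now is None else now
        u = urlsplit(url)
        labels = (u.hostname or "").split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return u.scheme == "http"
        return False
```

After `note("https://hosting.example/", HEADER)`, `upgrades("http://testsite.w011.hosting.example/")` returns True until the entry expires or a `max-age=0` response from the same host removes it; the same header noted only on `https://www.hosting.example/` covers that host and names beneath it, not its siblings.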

That's great, I'm glad you got it working... thanks for letting us know how you fixed it!