27

A few days ago, Chrome started redirecting all of my vHosts in Wampserver to https. Everything was working fine until a couple days ago, then one day I logged on to work on my site and Chrome said that the site couldn't be reached, even though I used the same URL i always did in the past. Wamp is running as well as Apache and MySQL and none of those services have any errors in the error log.

I have already tried removing the domain(I use a fake .dev extension for my local sites) with chrome://net-internals/#hsts but that didn't do anything. I also tried installing SSL to see if Chrome would detect it as a secure connection... nothing. I even tried reinstalling Wamp completely(even though the vHosts work fine in other browsers) and nothing changed.

The only thing that works in Chrome is accessing the sites via http://localhost/site. The redirect to HTTPS happens for all of my Apache vHosts. I've googled and googled and can't find anything that actually fixes the problem.

CodeCaster
  • 147,647
  • 23
  • 218
  • 272
ShoeLace1291
  • 4,551
  • 12
  • 45
  • 81

5 Answers5

33

Chrome v63 forces .dev domains to HTTPS. The Internet Engineering Task Force RFC2606 specified what top level domains should be used for local development, and .dev isn't on that list.

Google owns the .dev top level domain and automatically redirects all .dev domain names to an HTTPs version of the site via preloaded HSTS.

With .dev being an official generic top-level domain (gTLD), we're better changing our local development suffix from .dev to something else, even if there are other solutions (e.g. https with self-signed certificates). So you should use .test, .example, .invalid or .localhost as your local development TLDs instead.

Community
  • 1
  • 1
benedikt
  • 1,899
  • 2
  • 25
  • 30
  • 25
    I thought the question was "How to stop Chrome from redirecting to HTTPS?" and not "which TLDs to use instead?"... – Stretsh Dec 11 '17 at 16:53
  • 5
    I agree with Stretsh.The answer does fix my problem with my local sites, but doesn't answer my question about redirecting to https. What if I launch a website that doesn't have SSL? I wouldn't be able to access it. I will change my local sites to .test but until you provide a solution to my question, I will not accept this answer. – ShoeLace1291 Dec 12 '17 at 04:17
  • 4
    All of your vhosts end in .dev, and there is no way to make them work on you machine anymore. The only solution is to change the tld. – darylknight Dec 12 '17 at 08:10
  • 4
    Just to add, the .app domain (which I used for local development) is also owned by Google and does the same. – Martin van Driel Dec 12 '17 at 20:15
  • 1
    I believe most professional developers use on their local environments the .dev TLD (my case and many thousands of other developers—I believe—use it). The .dev TLD has been among us for years used and now it's causing people to loose time until they find that .dev isn'y on the Reserved Example Second Level Domain Names of the RFC2606. I had to move to .devel hopping that Google won't buy it... Thanks @benedikt for taking the RFC2606 link to the discussion. By the way, a good article to read about this issue: https://www.theregister.co.uk/2015/03/13/google_developer_gtld_domain_icann/ – McRui Dec 14 '17 at 22:16
4

I can't improve the answer of @benedikt, as it is correct. There are good temporary fixes:

  • typing "badidea" on the warning page, this might not work if you have SSL set up (hacked together) locally. It bypasses the warning, but my local SSL isn't setup correctly and shows another local site.
  • narayon also suggests a link to a chrome forum, which I haven't tried.

My workaround was to update all my ".dev" development TLDs to ".d3v" Still short enough to type quickly, descriptive, and probably future-proof.

DanielV
  • 86
  • 4
  • 1
    Thank you for the reference. Note that there are no future-proof TLDs, beside the ones in the RFC2606 memorandum, mentioned on @benedikt answer. – Narayon Dec 13 '17 at 11:38
1

I have found a quick work-around that worked for my needs and may help someone else.

I use Browser Sync when developing and I just set the proxy argument to "testsite.dev" and it will serve up correctly in Chrome.

Here is the command I am using:

browser-sync start --proxy "testsite.dev" --port "3000" --files "./**/*.*"
Matthew Woodard
  • 754
  • 2
  • 10
  • 26
0

I too use the .dev extension and will change to some other domain in the future but for my existing .dev sites, when the privacy error shows up, click anywhere on the screen and type 'badidea' and chrome will redirect you to the site. It works!

gododgers
  • 31
  • 5
0

Solution 1 - choose a reserved and future-proof gLTD like .localhost or .test

Edit your hosts file (for Windows it is C:\Windows\System32\Drivers\etc\hosts)

127.0.0.1       testsite.localhost

Solution 2 - install a self-signed certificate for .dev

  1. Create the certificate. Open Powershell as Admnistrator and run:

P.S. Make sure to install mkcert first

C:\Users\John> mkcert *.testsite.dev

This will create a wildcard certificate that will work for all .testsite.dev sites

  1. Copy these keys from C:\Users\John to C:\xampp\apache\crt\testsite_dev (create the crt folder if it doesn't exist)

  2. Add entries in your C:\Windows\System32\Drivers\etc\hosts file

    127.0.0.1       testsite.dev
    127.0.0.1       www.testsite.dev
  1. Open your C:\xampp\apache\conf\extra\httpd-vhosts.conf and add an entry
    <VirtualHost *:443>
       DocumentRoot "C:/xampp/htdocs"
       ServerName testsite.dev
       ServerAlias www.testsite.dev

       Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

       SSLEngine on
       SSLCertificateFile "crt/testsite_dev/_wildcard.testsite.dev.pem"
       SSLCertificateKeyFile "crt/testsite_dev/_wildcard.testsite.dev-key.pem"
    </VirtualHost>

  1. Restart Apache

  2. (Extra) step - make your OS & browser trust self-signed certificates, otherwise it won't work

Liga
  • 3,291
  • 5
  • 34
  • 59