0

I have a domain running on example.com and https://example.com on Heroku. I have a URL redirect on my name server from www to https://example.com. I have config.force_ssl = true set in config/environment/production.rb. The domain URL redirect works only on http, not https. It works in Chrome the first time I type www.example.com. However, it fails the 2nd time I use www.example.com. It gives an 'ERR_CONNECTION_REFUSED' with a 307 Internal Redirect.

Status Code: 307 Internal Redirect
Location: https://www.example.com/
Non-Authoritative-Reason: HSTS

This is despite the domain service always giving Location: https://example.com via curl. Where is Chrome getting https://www* from? I saw https://superuser.com/a/881431/130929 about deleting the HSTS entries from Chrome at chrome://net-internals/#hsts. If I do that for both example.com and www.example.com, then it works only the first time for www.example.com again. example.com and https://example.com always works. What's worse is that in Firefox, after loading the page, simply using example.com fails because Firefox automatically adds a https://www. How can I use HTTPS on the root domain and redirect www to the root domain? I don't care about handling https://www.example.com as no one would type that. They would only mistakenly type www.example.com.

Chloe
  • Do you have SSL cert? – Akash Pinnaka Jun 12 '18 at 06:17
  • Yes, see the part where I say `I have a domain running on ... https://example.com`. It is in the first sentence. Also see the part where I say `https://example.com always works` near the bottom. – Chloe Jun 12 '18 at 06:19

1 Answer

0

OK, I fixed it with this answer http://stackoverflow.com/questions/10629397/ddg#10632901

I saw in curl -i https://example.com that it was returning

Strict-Transport-Security: max-age=15552000; includeSubDomains

The max age is 6 months. includeSubDomains probably means to include www. So I added

class ApplicationController < ActionController::Base
  # Runs before every action so the overridden header is set on every response.
  before_action :disable_hsts_subdomains

  # Replace the Strict-Transport-Security header that force_ssl would otherwise
  # emit, keeping the 6-month max-age but dropping includeSubDomains.
  def disable_hsts_subdomains
    response.headers["Strict-Transport-Security"] = 'max-age=15552000;'
  end
end

This just removed includeSubDomains so the browser wouldn't try to redirect www without reaching out to the host first (DNS server), which would send the redirect to the proper root domain.

Chloe
  • It still doesn't work in Firefox 60.0.2. I have filed a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1468353. Firefox will _still_ add `https://` to a domain `www.example.com` even though it no longer has `includeSubdomains` and even though I removed the domain from `SiteSecurityServiceState.txt` (Firefox's version of `chrome://net-internals/#hsts`). – Chloe Jun 12 '18 at 16:35
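The following is an added example and not code from the original question or answer: a small Ruby model of the browser-side HSTS cache, written to show why a `Strict-Transport-Security` header with `includeSubDomains` on `example.com` makes the browser rewrite a typed `http://www.example.com` to HTTPS internally (the 307 Internal Redirect with `Non-Authoritative-Reason: HSTS`) before any DNS lookup or HTTP redirect from the host is consulted, and why the same header without `includeSubDomains` does not. The host names, header values and clock are constructed sample values; the `HstsCache` class and its methods are this example's own, not a browser or Rails API.

```ruby
require 'uri'

# Added example: a minimal model of a browser's HSTS policy cache (RFC 6797),
# not code from the original post. Hosts, headers and timestamps are constructed.

HstsEntry = Struct.new(:host, :max_age, :include_subdomains, :stored_at)

# Parse a Strict-Transport-Security header value into an entry.
# Returns nil when there is no usable max-age directive.
def parse_hsts(value, now = Time.now)
  max_age = nil
  subdomains = false
  value.split(';').each do |directive|
    name, _, arg = directive.strip.partition('=')
    case name.downcase
    when 'max-age'
      max_age = arg.to_s.delete('"')[/\A\d+\z/]&.to_i
    when 'includesubdomains'
      subdomains = true
    end
  end
  return nil if max_age.nil?
  HstsEntry.new(nil, max_age, subdomains, now)
end

class HstsCache
  def initialize
    @entries = {} # host => HstsEntry
  end

  # Record the policy a host sent. Browsers only honour HSTS received over HTTPS,
  # and max-age=0 (or an unparsable header) removes a stored policy.
  def learn(host, header_value, over_https: true, now: Time.now)
    return unless over_https
    entry = parse_hsts(header_value, now)
    if entry.nil? || entry.max_age.zero?
      @entries.delete(host)
    else
      entry.host = host
      @entries[host] = entry
    end
  end

  # Is this host forced to HTTPS right now? Checks the host itself and each
  # parent domain; a parent only applies when it set includeSubDomains.
  def upgrade?(host, now: Time.now)
    labels = host.split('.')
    (0...labels.length).any? do |i|
      entry = @entries[labels[i..-1].join('.')]
      next false unless entry
      next false if now - entry.stored_at > entry.max_age # expired policy
      i.zero? || entry.include_subdomains
    end
  end

  # What the browser does with a typed URL before touching the network.
  def navigate(url, now: Time.now)
    uri = URI.parse(url)
    return { status: nil, location: url } unless uri.scheme == 'http' && upgrade?(uri.host, now: now)
    path = uri.path.empty? ? '/' : uri.path
    query = uri.query ? "?#{uri.query}" : ''
    { status: 307, reason: 'HSTS', location: "https://#{uri.host}#{path}#{query}" }
  end
end

# The scenario from the question: the root domain's HTTPS response carries the
# given header, and the user types the bare www host before and after that.
def walkthrough(header_value)
  cache = HstsCache.new
  t0 = Time.at(1_528_800_000) # constructed fixed clock
  first = cache.navigate('http://www.example.com', now: t0)       # nothing cached yet
  cache.learn('example.com', header_value, now: t0)                # https://example.com loaded
  second = cache.navigate('http://www.example.com', now: t0 + 60)  # typed again
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  p walkthrough('max-age=15552000; includeSubDomains') # second visit: 307 to https://www.example.com/
  p walkthrough('max-age=15552000;')                   # second visit: no upgrade, request reaches DNS/host
end
```

The first visit reaches the name server's redirect in both cases; only after `example.com` has answered over HTTPS with `includeSubDomains` does the cache upgrade `www.example.com` locally, which is why clearing `chrome://net-internals/#hsts` helps exactly once. Real browsers also consult a built-in preload list and persist the cache to disk, which this model omits. On the Rails side, the same outcome as the answer's header override can be reached with `config.ssl_options = { hsts: { subdomains: false } }` in Rails 5, which is the option `ActionDispatch::SSL` reads when `force_ssl` is on.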