
I'm on Kestrel/nginx with ASP.NET Core. I have some URLs which don't need an HTTPS redirect; that's why I have the following nginx conf:

server {
    listen *:80;
    server_name     example.com *.example.com;

    location / {
        # Sent over plain HTTP, so browsers ignore this header (RFC 6797 s8.1);
        # the HSTS policy is only picked up from the HTTPS responses.
        add_header Strict-Transport-Security max-age=15768000;
        return 301 https://example.com$request_uri;
    }

    # Intended HTTP-only exception: proxied straight to Kestrel, no redirect.
    location /DirectDownload/ {
        proxy_pass  http://example;
        limit_req   zone=one burst=10 nodelay;
    }
}

In the Startup.cs I have

  • UseHsts()
  • NO UseHttpsRedirection()

Strangely enough, this has worked in the past. Unfortunately, the response headers don't tell me which part of my application triggers the 307 HSTS redirect... Is there something obvious I'm missing?

This is the only :80 nginx conf.

Here's an example of the headers: [screenshot of the response headers, not reproduced]

Thanks for your help!

Doidel
    Check accepted answer here: https://stackoverflow.com/questions/34108241/non-authoritative-reason-header-field-http/34213531 – Dmitry Sep 22 '19 at 21:00
  • Do you really still want to use HTTP in the year 2019, where most browsers will mark HTTP pages as insecure (which on the other side will scare off your users)? HTTP is problematic even when not required (i.e. when you have mixed HTTP and HTTPS in your HTML code). The point of HSTS is to prevent the browser from even calling the HTTP URL (before usually getting redirected by the server). Do you really have that much traffic that it's causing you serious issues? If so, CDNs may be your better option – Tseng Sep 23 '19 at 02:34
  • Also, HSTS has very aggressive caching; if you applied it once, it will stick around until it expires (usually 1 year by default) – Tseng Sep 23 '19 at 02:38
  • @Tseng no it's not about performance. Some downloads are provided for Tolino E-readers (with Chrome v30). All files that come over https are corrupted - it's a bug. And if I want to support the Tolino e-reader I have to circumvent the https of the rest of the site. – Doidel Sep 23 '19 at 04:50

1 Answer


HSTS applies to the entire server

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

The HSTS Policy is communicated by the server to the user agent via an HTTPS response header field named "Strict-Transport-Security".[1] HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.[2] A website using HSTS must never accept clear text HTTP and either not connect over HTTP or systematically redirect users to HTTPS. The consequence of this is a user-agent not capable of doing TLS will not be able to connect to the site anymore.

The 307 response comes from Chrome directly: https://www.troyhunt.com/understanding-http-strict-transport/

This is Chrome saying “I’m not even going to issue that request, instead I’m going to change it to HTTPS then try again” which is what gives us the second request. This is key: Chrome has refused to issue the first request over the insecure HTTP protocol.

Drew Delano
    Oh hmm that sucks. So in order to provide regular https downloads in some specific instances, I guess I could work with subdomains and exclude the subdomain. Thanks! – Doidel Sep 23 '19 at 04:53
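To make the answer concrete, here is an added example (not code from the question, the answer, Chrome or any browser) that simulates the per-host HSTS cache a user agent keeps under RFC 6797 and replays the situation from the question: the Strict-Transport-Security header on the plain-HTTP 301 is ignored, the header on the first HTTPS page pins the whole host, the later http://example.com/DirectDownload/ request is rewritten to HTTPS before nginx ever sees it (what Chrome shows as a 307), and a separate subdomain stays untouched as long as includeSubDomains is absent. The host names, paths and the 30-day max-age attributed to UseHsts() are assumptions for illustration.

```python
"""Simulation of a browser's HSTS cache (RFC 6797). Added example, not part of
the original question or answer; host names and paths are constructed."""
import re
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds since epoch)
    include_subdomains: bool


def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for an invalid header (missing or duplicated max-age), in which
    case a UA ignores it. Directive names are case-insensitive.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """HSTS store keyed on the host name only; paths never enter into it."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts: Dict[str, HstsEntry] = {}

    def observe_response(self, url: str, headers: Dict[str, str]) -> bool:
        """Process a response; return True if a policy was stored or deleted."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        # RFC 6797 s8.1: STS received over insecure transport MUST be ignored,
        # so add_header on the nginx :80 server cannot set or clear anything.
        if parts.scheme != "https":
            return False
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts(sts) if sts is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                      # max-age=0 removes the policy
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host: str) -> bool:
        """RFC 6797 s8.2/8.3: exact match, or superdomain with includeSubDomains."""
        now = self.now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> Tuple[str, bool]:
        """Return (url_to_fetch, rewritten); a rewrite is the UA's internal 307."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), True
        return url, False


def demo() -> Dict[str, object]:
    """Replay the question with constructed requests and return what happened."""
    cache = HstsCache()
    # 1. The nginx :80 block answers with a 301 that carries STS: ignored.
    over_http = cache.observe_response(
        "http://example.com/", {"Strict-Transport-Security": "max-age=15768000"})
    # 2. The HTTPS page behind the redirect; UseHsts() adds the header
    #    (30-day value assumed here).
    over_https = cache.observe_response(
        "https://example.com/", {"Strict-Transport-Security": "max-age=2592000"})
    # 3. Any later http:// URL on that host is rewritten before a request is sent,
    #    regardless of path, so the /DirectDownload/ location is never reached.
    dl_url, dl_rewritten = cache.rewrite("http://example.com/DirectDownload/book.epub")
    # 4. A subdomain is not covered unless includeSubDomains was sent.
    _, sub_rewritten = cache.rewrite("http://dl.example.com/book.epub")
    return {"sts_over_http_stored": over_http, "sts_over_https_stored": over_https,
            "download_url": dl_url, "download_rewritten": dl_rewritten,
            "subdomain_rewritten": sub_rewritten}
```

Running demo() shows the two facts the answer relies on: the policy is scoped to the host name, not to a path, and only HTTPS responses can set it. The subdomain workaround from the comments only holds while the HTTPS responses on example.com omit includeSubDomains; the ASP.NET Core HstsOptions.IncludeSubDomains flag and the nginx header on the :443 server both need checking for that.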