Submitted by -eclipse- on Fri, 02/17/2017 - 13:26 Pro Licensee
To Virtualmin
Websites with enabled SSL feature is automatically redirecting to HTTPS? This started within last couple of days and gives a lot of headache.
How do we disable that?
I found this thread "Redirect HTTP to HTTPS by default?" https://www.virtualmin.com/node/45858
But our system is already set to NO in 'System Settings' --> 'Virtualmin Configuration' --> 'SSL Settings' ---> Redirect HTTP to HTTPS by default? So what's going on here!?
- Tim
Status:
Closed (fixed)
Comments
Submitted by -eclipse- on Fri, 02/17/2017 - 13:29 Pro Licensee Comment #1
Running Virtualmin version 2:5.06-1 on CentOS 7. All 4 instances we have react the same, HTTP sites are redirected to HTTPS of the SSL feature has been enabled on the site, even though the "redirect HTTP to HTTPS by default" is set to NO.
Submitted by -eclipse- on Fri, 02/17/2017 - 13:38 Pro Licensee Comment #2
There is no .htaccess files in the directories redirecting to HTTPS.. so where is that bugger doing the redirect.
Submitted by -eclipse- on Fri, 02/17/2017 - 13:51 Pro Licensee Comment #3
TXT file added showing the defaultwebsite from the apache.conf file on one of the Virtualmin instances that redirects HTTP to HTTPS.
Submitted by andreychek on Fri, 02/17/2017 - 14:45 Comment #4
Howdy -- yeah domains shouldn't be redirecting anywhere by default.
Would it be possible to see an example of a site where this is happening?
Could you perhaps create a new script named "test.php" in a domain where this is occurring, and in that script, place the following content:
<?php phpinfo(); ?>Then, could you share the resulting URL with us?
Submitted by -eclipse- on Fri, 02/17/2017 - 15:33 Pro Licensee Comment #5
Hi Eric
Here is the URL : http://glolinweb011.ito-hosting.com/test.php
Submitted by andreychek on Sat, 02/18/2017 - 00:46 Comment #6
Hmm, is that URL redirecting to HTTPS for you?
I'm able to view that as HTTP.
If so, does the same thing happen when using a different browser?
Submitted by -eclipse- on Sat, 02/18/2017 - 13:12 Pro Licensee Comment #7
Hi Eric
I am getting redirected, tried FireFox, Chrome and Chrome Incognito. Works with MS Edge though... But this has never been an issue.
Saw it first time when a customer called me telling me that his customers site was looking strange. It was running WordPress and suddenly it didn't show images, style sheets and so on. I noticed the site was called http://wordpresssite1.tld but the WordPress site and URL was using the temporary site given at the time it was setup, which was http://wordpressite1.tld.servera.tld and that redirected to HTTPS, so they where getting an SSL warning. When I visited the http://wordpressite1.tld.servera.tld it also redirected me to the https://wordpressite1.tld.servera.tld and also for our customers visiting the site, not only me. To solve it I disabled the SSL feature on the site and changed the WordPress URL to http://wordpressite1.tld to get it solved here and now. The site has been running for 2 months using the setup described above without issues. It started earlier this week with the redirect stuff to https.
Submitted by andreychek on Sat, 02/18/2017 - 16:14 Comment #8
Just to clarify, are you being redirected when browsing to this URL here:
http://glolinweb011.ito-hosting.com/test.php
So when you go to that above URL, it's trying to take you to an HTTPS URL?
Submitted by -eclipse- on Mon, 02/20/2017 - 03:02 Pro Licensee Comment #9
Hi Eric
Yes, it redirect me to the HTTPS site. My message before was just to inform you how I was getting notified of the issue from a customer.
Submitted by -eclipse- on Mon, 02/20/2017 - 07:29 Pro Licensee Comment #10
Hi Eric
Just setup a new virtual server to a customer. It also redirect the temporary URL to HTTPS!? Please see the URL below. http://gdac.dk.w010.ito-hosting.com
And another one here
http://rescueit.dk.w011.ito-hosting.com
There is something forcing redirects of HTTP to HTTPS :( And the feature "SSL website enabled?" is not even enabled on the website?
Submitted by andreychek on Mon, 02/20/2017 - 08:50 Comment #11
Hmm, I'm not getting redirected to HTTPS on any of those URL's.
I've tried a couple of different browsers across a couple of different computers, but I don't seem to be able to reproduce what you're experiencing there.
I don't imagine you're using a browser plugin that might be doing that?
Or perhaps there's a proxy, firewall, or VPN on your network that might be redirecting?
Submitted by -eclipse- on Mon, 02/20/2017 - 08:55 Pro Licensee Comment #12
Hi Eric
I have solved the issue :) It was an issue with my SSL hardening. https://anhsblog.com/blog/make-chrome-stop-redirect-from-http-to-https/
I had added the following in my SSL settings. Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
If you had visited my main page https://www.ito-hosting.com it would require that all visits to that domain and subdomains had to use HTTPS. So if you then tried to visit the webpage http://testsite.w011.ito-hosting.com it would redirect to HTTPS because the Strict-Transport-Security forced it!
The browser saves the information in the HSTS settings. chrome://net-internals/#hsts
After I changed the configuration and visited the primary page first, all subdomains started working with normal HTTP again. I could also delete the registered sites in the Chrome settings as mentioned above. This issue / bug has been solved, it was my own fault that it happened but it was hard finding it :/
Submitted by -eclipse- on Mon, 02/20/2017 - 08:55 Pro Licensee Comment #13
Submitted by andreychek on Mon, 02/20/2017 - 09:16 Comment #14
That's great, I'm glad you got it working... thanks for letting us know how you fixed it!