Hiawatha Firefox HTTPS suppression vs NGINX

marco
4 June 2014, 02:13
Hiawatha version: 9.4,9.6
Operating System: Fedora Linux

Also using PHP-FPM 5.5.8.

Has anybody solved the problem where recent Firefox web browsers automatically put an HTTPS in the URL before
sending the request if you have any history of getting HTTPS from any page at the site previously?

Even if you specifically type http:// in the URL entry, it gets switched to https://

Obviously, I would like to be able to control whether a page is served over HTTP or HTTPS.

I do not like Firefox making that decision for me.

I have only one example where a web site is able to overcome this auto-HTTPS Firefox "feature".

Here is that test:

Enter> https://www.meetup.com (SSL)
But with some magic, they turn into:

>http://www.meetup.com (NOT-SSL)

Looking at the Firebug net traffic, some interesting things pop up.

Their response does not have an HSTS header.

And they are using NGINX with Cloudflare and X-Firefox-Spdy headers.

Anybody got some tips on getting Hiawatha to overcome the Firefox auto-HTTPS feature?

many thanks,

marco
Hugo Leisink
4 June 2014, 20:53
The switch is not done by Firefox. It's the meetup.com webserver which tells the browser to switch to HTTP via a 302 response code. It uses a Location HTTP header to tell to which new URL the browser must switch. In this case, the new URL is http://www.meet.com/
# openssl s_client -crlf -connect www.meetup.com:443
<SSL handshake info>
GET / HTTP/1.0
Host: www.meetup.com

HTTP/1.1 302 Found
Server: cloudflare-nginx
Date: Wed, 04 Jun 2014 18:51:01 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Set-Cookie: __cfduid=d4e814117ce03d18d3f97f2035abce8e51401907861493; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.meetup.com; HttpOnly
Location: http://www.meetup.com/
CF-RAY: 135651ad4fd60c83-AMS

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.meetup.com/">here</a>.</p>
<hr>
<address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0c Server at www.meetup.com Port 443</address>
</body></html>
Marco
6 June 2014, 20:11
Hugo,

Actually, Firefox is making the switch, INTO HTTPS before the 302 trick is forcing it back to HTTP.

And "http://www.meet.com" is a totally different web site, so I have no idea where that came from.

What I was trying to point out is that meetup.com has figured out a way to get around FIREFOX adding HTTPS using their 302 tricks.

The complete steps are as follows:

1) A user of a recent version of Firefox browses to http://www.myhiawathasite.com
2) During that visit, the Firefox user encounters https://www.myhiawathasite.com
3) Firefox remembers FOREVER that this site had an HTTPS page and will force it in the future.
4) The Firefox user goes back to the site a day later and types: http://www.myhiawathasite.com
5) Firefox AUTO adds HTTPS to the URL, giving https://www.myhiawathasite.com
6) Now the Hiawatha-based site needs to figure out how to use the 302 trick to get Firefox to allow http://www.myhiawathasite.com instead of forcing https

This is the dilemma.

Thanks HUGO


Marco
6 June 2014, 20:36
Each time I have tried to redirect, Firefox goes into an endless loop of http -> https -> http -> https until Firefox stops the endless cycle.

Thanks HUGO
Marco
6 June 2014, 20:57
I am going to try to duplicate their headers exactly, wish me luck.
Hugo Leisink
6 June 2014, 20:58
Where I said meet.com, I meant meetup.com. Typo. And of course, good luck.
This topic has been closed.
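
Added example, not part of any post in this thread: a small Python check that reads a raw response such as the 302 quoted in Hugo's reply, reports whether it carries an HSTS header and whether its Location moves the client from https to http, and then follows a chain of redirects to show the http -> https -> http cycle Marco describes. The sample response is constructed from the headers quoted above, and `flip_scheme` is a hypothetical stand-in for whatever sends each scheme to the other.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the status line and Location header quoted in the thread.
SAMPLE = ("HTTP/1.1 302 Found\r\n"
          "Server: cloudflare-nginx\r\n"
          "Location: http://www.meetup.com/\r\n"
          "\r\n")

def parse_head(raw):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    status_line, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def classify(request_url, raw):
    """Describe what this response tells a client that asked for request_url."""
    status, headers = parse_head(raw)
    info = {"hsts": "strict-transport-security" in headers,
            "target": None, "kind": "no-redirect"}
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        info["target"] = urljoin(request_url, headers["location"])
        pair = (urlsplit(request_url).scheme, urlsplit(info["target"]).scheme)
        info["kind"] = {("https", "http"): "downgrade",
                        ("http", "https"): "upgrade"}.get(pair, "same-scheme")
    return info

def follow(start_url, respond, limit=10):
    """Follow redirects via respond(url) -> raw response; flag a repeated URL."""
    seen, url = [], start_url
    while url not in seen and len(seen) < limit:
        seen.append(url)
        target = classify(url, respond(url))["target"]
        if target is None:
            return seen, False
        url = target
    return seen + [url], url in seen

def flip_scheme(url):
    """Hypothetical site: http is sent to https, and https is sent back to http."""
    parts = urlsplit(url)
    other = "https" if parts.scheme == "http" else "http"
    return f"HTTP/1.1 302 Found\r\nLocation: {other}://{parts.netloc}{parts.path}\r\n\r\n"

if __name__ == "__main__":
    print(classify("https://www.meetup.com/", SAMPLE))
    print(follow("http://www.myhiawathasite.com/", flip_scheme))
```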