Strange redirection to https:// from http:// URL

Hello, honestly I’m not sure whether my issue here is related to my Caddy configuration,
but I’m a little stuck, because I don’t have much experience with web servers.

I’m running a Django web application behind “gunicorn” and a Caddy web server.
The URL is

https://contact.engineering/

On top of the landing page in the yellow box, there is a simple static link to a URL starting with “http”:

http://legacy.contact.engineering/

It has the same domain name as the first link, but points to another physical server.

If I click that second link on the page, I’m always redirected to “https://legacy.contact.engineering/”,
with “https” (SSL!). That target does not exist.
This does not happen on my development machine, where I don’t use Caddy, just Django’s runserver.
So I think it’s related to Caddy (correct me if I’m wrong).

My Caddyfile looks like this:

{$DOMAIN_NAME} {
    proxy / django:5000 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
        except /media
        timeout 300s
    }
    log stdout
    errors stdout
    gzip
}

where DOMAIN_NAME=contact.engineering.

It’s strange, because I thought that my browser (Firefox 68.0.1) just asks DNS for the IP of the host “legacy” and points me to that URL, using the “http” protocol, because that’s the link it sees.

Do I need to explicitly mention the host “legacy.contact.engineering” in my Caddyfile so that “http://” persists? Or is this more related to the DNS configuration?

Thank you for any hint. Michael

Howdy @mcrot!

Your ‘bare’ domain, contact.engineering, serves an HSTS header - if it’s not coming from Caddy, it’s probably coming from gunicorn:

~/Projects/test
➜ curl -IL contact.engineering
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html; charset=utf-8
Location: https://contact.engineering/
Server: Caddy
Date: Thu, 08 Aug 2019 23:42:14 GMT

HTTP/2 200
content-type: text/html; charset=utf-8
date: Thu, 08 Aug 2019 23:42:16 GMT
server: Caddy
server: gunicorn/19.9.0
strict-transport-security: max-age=60; includeSubDomains; preload
vary: Cookie
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
content-length: 14486

Note that you have specified includeSubDomains. That means that any browser that visits your main site (which they will have if they browsed to your legacy site through the hyperlink on the main site) will apply the HSTS policy to the subdomain. The browser will not even attempt a regular HTTP connection, because you’ve told them not to.

You’ve also included preload, which signifies that if you were to submit your domain for the HSTS preload list, no modern browser would ever connect to it over HTTP, not even the first time.

Thanks @Whitestrake for your explanations, I didn’t know before about the HSTS mechanism.

After reading all this, for me it turned out that the best way is to move the legacy site to SSL. First I had no
login credentials, but after getting access, it was easy by using “certbot”.

I followed these instructions (https://certbot.eff.org/lets-encrypt/ubuntubionic-apache) - except that I had to write the virtualhost config myself, because of an issue with certbot. Now it works and the legacy site is reachable by https and http. I’ve also created a redirection (see https://cwiki.apache.org/confluence/display/HTTPD/RewriteHTTPToHTTPS).

So for me this is solved :slight_smile:
