I cannot get https redirects to stop. I'm installing a service on an internal device with no public DNS, so auto_https is going to fail. It is not needed for this tool, so I want to disable it entirely. I've tried explicitly setting HTTP:// in the site name, I've tried 'tls off' in the config, and I've tried using a global block in the Caddyfile with 'auto_https off' set. Nothing seems to be working. I immediately get redirected to an https site that then fails to load.
4. Error messages and/or full log output:
No error messages other than the browser error message due to failing TLS
5. What I already tried:
I've tried explicitly setting http:// in the site name. I've tried 'tls off'. I've tried setting 'auto_https off' in a global block in the Caddyfile.
Did you ever add a line to serve the header Strict-Transport-Security? If so, your browser will remember that (for a very very long time depending on what duration was on the header) and continue to redirect you anyways.
Check your Caddy logs with journalctl -u caddy --no-pager | less.
Also try making a request with curl -vL to see if Caddy is actually serving a redirect or if it's just your browser doing it.
Great catch! I had never added the strict TLS line, but the end result appears to be the same. It is my browser (Edge Chromium) remembering the setting. I tried it in other browsers and got the correct, expected http page. It never occurred to me that the browser would hang on to that like it is doing.
Yeah, that's actually the point of that setting. It's meant to be a protection against downgrade attacks if someone manages to force your site to serve http. But browsers remember it for a very long time, so it's a foot-gun, i.e. you can shoot yourself in the foot if you wield that tool incorrectly. You should only ever set that header if you're certain you'll never need to serve content over http in the future.
Caddy does not touch that on its own; you would've had to have added a line like header Strict-Transport-Security max-age=31536000; to your site at some point.
Ah, okay, that's what I wanted to verify. The site is built in the tool I'm installing. It's a BGP looking glass called Hyperglass. I'll ask the dev about that.
Thanks! It's definitely my browser doing the redirect, but I'm not sure why it is remembering a setting that I never set. It's odd. But that sure seems to be what's happening. When I try it in Firefox instead, it works as expected, and curl -vL localhost proves it's the browser doing it, not the site itself.
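To make the curl check from this thread repeatable, here is an added helper (not from the thread or from Caddy) that classifies a header dump from `curl -sI http://host/`: a real 3xx with an https Location means the server redirects, a 200 carrying Strict-Transport-Security means the browser will pin the site, and neither means a redirect seen only in the browser comes from its own HSTS cache. The hostname and the sample responses are constructed.

```shell
#!/bin/sh
# Classify raw response headers read from stdin. Prints one of:
#   server-redirect  -> 3xx with Location: https://... (the server really redirects)
#   hsts-set         -> no redirect, but Strict-Transport-Security is present
#   plain-http       -> neither; a browser-side redirect is the browser's HSTS cache
classify_response() {
    status=""; location=""; hsts=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')     # strip CRLF endings
        case "$line" in
            HTTP/*) status=$(printf '%s' "$line" | awk '{print $2}') ;;
            [Ll]ocation:*) location=${line#*: } ;;
            [Ss]trict-[Tt]ransport-[Ss]ecurity:*) hsts=${line#*: } ;;
        esac
    done
    case "$status" in
        30[1278])
            case "$location" in
                https://*) echo "server-redirect"; return 0 ;;
            esac ;;
    esac
    if [ -n "$hsts" ]; then echo "hsts-set"; else echo "plain-http"; fi
}

# Extract the max-age seconds from an HSTS header value, i.e. how long a browser
# that has seen it will keep forcing https for the host.
hsts_max_age() {
    printf '%s' "$1" | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*max-age=\([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample responses (not captured from a real host).
REDIRECT_RESPONSE='HTTP/1.1 308 Permanent Redirect
Location: https://glass.example.internal/
Content-Length: 0
'
HSTS_RESPONSE='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
'
PLAIN_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
'

# Usage against a live host (placeholder name): curl -sI http://glass.example.internal/ | classify_response
printf '%s\n' "$REDIRECT_RESPONSE" | classify_response   # server-redirect
printf '%s\n' "$HSTS_RESPONSE" | classify_response       # hsts-set
printf '%s\n' "$PLAIN_RESPONSE" | classify_response      # plain-http
```

If the result is plain-http while the browser still jumps to https, the server is not at fault; the browser's stored HSTS entry for that host is.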