I am trying to test my site on a stage site before making it live. Obviously it doesn't have the same certificate. When I try to go in with the testing.domain.com subdomain, I get this error in Firefox:
SSL_ERROR_BAD_CERT_DOMAIN testing.website.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
    upstream website {
        server 127.0.0.1:3000;
    }

    #prevent www
    server {
        server_name www.website.com;
        return 301 $scheme://website.com$request_uri;
    }

    #redirect http to https
    server {
        listen 80;
        listen [::]:80;
        server_name website.com;
        return 301 https://$host$request_uri;
    }

    #https
    server
    {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name website.com;
        include /etc/nginx/config/sites/headers.conf;
        include /etc/nginx/config/ssl/resolver.conf;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
        include /etc/nginx/config/ssl/ssl.conf;
        location /
        {
            proxy_pass http://website;
            include /etc/nginx/config/proxy/proxy.conf;
        }
        #include /etc/nginx/config/cache/static.conf;
    }
I added in this server block in the hopes that it would handle the HTTP requests coming from the testing subdomain:
    #allow http through testing subdomain
    server {
        listen 80;
        listen [::]:80;
        server_name testing.website.com;
        location /
        {
            proxy_pass http://website;
            include /etc/nginx/config/proxy/proxy.conf;
        }
    }
And I found that under headers.conf there is a line that says

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

so I removed the includeSubDomains part in hopes that it would disable HSTS.
Even after these changes, it's still immediately redirecting from http://testing.website.com to https://testing.website.com and then giving me the HSTS error.
Every time I make changes, I do either nginx -s reload or reboot the whole server, but neither makes a difference.
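
Added example, not part of the original post: a minimal Python model of how a browser stores and applies HSTS policy under RFC 6797, replaying the sequence described in the question. The class and method names are hypothetical, the timestamps are constructed, and the browser's built-in preload list is not modeled.

```python
# Added example: hypothetical model of a browser's HSTS store (RFC 6797).
import re

class HSTSStore:
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, includeSubDomains flag)

    def note_header(self, host, header, tls_ok, now):
        """Record a Strict-Transport-Security header received from host."""
        if not tls_ok:
            return  # RFC 6797 8.1: ignored over HTTP or on a TLS error
        directives = [d.strip().lower() for d in header.split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            return  # max-age is mandatory; header is invalid without it
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 deletes the cached policy
        else:
            self.hosts[host] = (now + max_age, "includesubdomains" in directives)

    def must_upgrade(self, host, now):
        """True if a request to host is rewritten to HTTPS before it is sent."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # Exact match always applies; a parent applies only with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def replay():
    """Replay the question's sequence with constructed timestamps (seconds)."""
    store, seen = HSTSStore(), []
    # 1. An earlier visit to the live site cached the original header.
    store.note_header("website.com", "max-age=63072000; includeSubDomains; preload", True, 0)
    seen.append(store.must_upgrade("testing.website.com", 10))
    # 2. Server edited; the staging host fails certificate validation, so
    #    nothing it sends over that connection can change the cached policy.
    store.note_header("testing.website.com", "max-age=0", False, 20)
    seen.append(store.must_upgrade("testing.website.com", 30))
    # 3. A valid HTTPS response from website.com carrying the edited header
    #    replaces the entry, and subdomains are no longer covered.
    store.note_header("website.com", "max-age=63072000; preload", True, 40)
    seen.append(store.must_upgrade("testing.website.com", 50))
    return seen

if __name__ == "__main__":
    print(replay())
```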