
I am trying to test my site on a stage site before making it live. Obviously it doesn't have the same certificate. When I try going in with the testing.domain.com subdomain, I get this error in Firefox:

SSL_ERROR_BAD_CERT_DOMAIN

testing.website.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

upstream website {
    server 127.0.0.1:3000;
}

#prevent www
server {
  server_name www.website.com;
  return 301 $scheme://website.com$request_uri; 
}

#redirect http to https
server {
    listen 80;
    listen [::]:80;
    server_name website.com;

    return 301 https://$host$request_uri;
}

#https
server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name website.com;

    include /etc/nginx/config/sites/headers.conf;

    include /etc/nginx/config/ssl/resolver.conf;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;

    include /etc/nginx/config/ssl/ssl.conf;

    location /
    {
        proxy_pass http://website;

        include /etc/nginx/config/proxy/proxy.conf;
    }

    #include /etc/nginx/config/cache/static.conf;
}

I added in this server block in the hopes that it would handle the HTTP requests coming from the testing subdomain:

#allow http through testing subdomain
server {
    listen 80;
    listen [::]:80;
    server_name testing.website.com;

    location /
    {
        proxy_pass http://website;
        include /etc/nginx/config/proxy/proxy.conf; 
    }
}

And I found that under headers.conf there is a line that says

   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

so I removed the includeSubDomains part in hopes that it would disable HSTS.

Even after these changes, it's still immediately redirecting from http://testing.website.com to https://testing.website.com and then giving me the HSTS error.

Every time I make changes, I do either nginx -s reload or reboot the whole server, but neither makes a difference.

stackers
  • Do not add the sub-domain to the same config file. Create a separate configuration file under sites-enabled for the sub-domain with only HTTP server block. – esoroka Oct 15 '19 at 04:45
  • You need to reset the browser as it will remember the `includeSubDomains` setting for 63072000 seconds. Clearing the browser's cache is not sufficient. – Richard Smith Oct 15 '19 at 06:22

1 Answer


You have 2 issues here with HSTS, potentially 3.

First, you've selected includeSubDomains, which means that your NGINX has been telling browsers that every single subdomain of example.com, including the root, only uses HTTPS. Moreover, it has told browsers to cache this value for 63072000 seconds, that is, 730 days, or 2 years to be exact. This means that any browser that has visited any page of example.com will forcefully redirect to HTTPS if it sees example.com in the address.

The only way to get around this is to remove the includeSubDomains, and use a browser that's freshly installed, or to deploy a certificate to testing.example.com. It might work even with a self-signed cert; I've never tried it personally.

There might be an even bigger problem here though. Your config also states the preload option, which indicates that the page is ready to be added to the HSTS preload list. The HSTS preload list is a list of sites that use HSTS, hardcoded into browsers. This means that there's no way to get around HSTS, even with a freshly installed browser, since the browser knows beforehand which sites use HSTS. You need to manually submit your site to this list, so it's unlikely that your domain is on that list, but if you didn't set up this particular site, you never know what someone has done before you. In this case, the only way to get around this is to just enable HSTS on every subdomain of example.com.

Stuggi