Bug #67185

closed

HSTS vs. preferred protocol

Added by Christoph Schwarzenberg almost 9 years ago. Updated over 5 years ago.

Status: Closed
Priority: Could have
Assignee: -
Category: Frontend
Target version: -
Start date: 2015-05-28
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version: 5.6
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Hi,

If one enables HSTS (HTTP Strict Transport Security) on the server and sets the "Use Protocol"* setting to HTTP, the visitor gets stuck in an infinite 301 redirect loop when calling this page.

My TYPO3 installation is deployed via nginx 1.6.2 using php-fpm 5.6.7.
Firefox (v 38.0) sometimes shows an error "The page isn't redirecting properly"; sometimes it just keeps following the redirects forever.

The server sends:
301 Moved Permanently
Location: http://<URL>

Firefox tries (because of HSTS) to call https://<URL>

I am not sure if there is a fix for this. Maybe analysing get_headers() is an option.

*Edit Page > Behaviour > Use Protocol: Set to http://

Christoph
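
The loop described in this report can be reproduced offline by modelling how an HSTS-aware browser rewrites the redirect target before following it. This is an added example, not part of the original report and not TYPO3 code; the host name, the max-age value and the helpers `follow` and `constructed_site` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def hsts_max_age(headers):
    """Return max-age from a Strict-Transport-Security header, or None if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', headers.get("Strict-Transport-Security", ""), re.I)
    return int(m.group(1)) if m else None

def follow(url, fetch, max_hops=10):
    """Follow redirects the way an HSTS-aware browser does.
    fetch(url) returns (status, headers). Returns (verdict, URLs requested).
    Simplified: exact host match only, default ports, no includeSubDomains.
    """
    hsts_hosts, trail = set(), []
    for _ in range(max_hops):
        parts = urlsplit(url)
        # A host with a stored HSTS policy is never contacted over plain HTTP.
        if parts.scheme == "http" and parts.hostname in hsts_hosts:
            parts = parts._replace(scheme="https")
            url = urlunsplit(parts)
        if url in trail:
            return "loop", trail + [url]
        trail.append(url)
        status, headers = fetch(url)
        # The policy header only counts when it arrives over HTTPS.
        if parts.scheme == "https":
            age = hsts_max_age(headers)
            if age:
                hsts_hosts.add(parts.hostname)
            elif age == 0:
                hsts_hosts.discard(parts.hostname)
        if status not in (301, 302, 303, 307, 308):
            return "ok", trail
        url = headers["Location"]
    return "too many redirects", trail

def constructed_site(force_http):
    """Constructed stand-in for the reported setup: HSTS header on every HTTPS
    response, plus (optionally) a page whose "Use Protocol" forces http://."""
    def fetch(url):
        p = urlsplit(url)
        if p.scheme != "https":
            return 200, {}
        headers = {"Strict-Transport-Security": "max-age=31536000"}  # constructed value
        if force_http:
            return 301, dict(headers, Location="http://" + p.netloc + p.path)
        return 200, headers
    return fetch
```

A `loop` verdict means the page's forced protocol contradicts the HSTS policy served for the same host; the same page requested by a client with no stored policy returns `ok`, which is why the problem only shows up for visitors who have already received the header.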

Actions #1

Updated by Sybille Peters over 5 years ago

I would think this is not a bug but a configuration error. You can't force HTTPS if you also force HTTP. If you use HSTS or redirect to HTTP you would also need to make sure no pages are still redirecting to HTTP, e.g. check and change your web server redirect rules and check and change in TYPO3:

for "Link to External URL" with HTTP:

  • SELECT * FROM pages WHERE urltype=1 AND doktype=3;

for "Behaviour:Use Protocol" with HTTP:

  • SELECT * FROM pages WHERE url_scheme=1 AND doktype=1;
  • ...

Also, since TYPO3 8 I believe the "Use protocol" is not used anymore.

I propose to close this.

Actions #2

Updated by Benni Mack over 5 years ago

  • Status changed from New to Closed

Thanks Sybille for picking this up.

I agree. If you configure your server to do X but force TYPO3 to do Y, it's a configuration error. Nothing TYPO3 can do for you as nginx sends this anyway.

This option got removed in TYPO3 v9, mainly due to the high probability (of editors) to misconfigure a page.

Actions #3

Updated by Christoph Schwarzenberg over 5 years ago

Hi,

thanks for your opinions. Closing this is no problem.
