Http should redirect to https

The insecure site http://safenetforum.org does not automatically redirect to https://safenetforum.org when it used to.

Please ensure this redirect happens for the security and privacy of all users.

3 Likes

I just tried it and it does redirect for me.

also safenetforum.org redirects too. (without http://)

using firefox without the addon to force https

2 Likes

I reproduced this on two browsers in several different ‘modes’. Not sure why it’s redirecting for you, maybe a long-lived HSTS header which I don’t have?

chrome
chrome incognito
chrome guest
firefox
firefox private mode

2 Likes

Not sure what is happening. Are you using a business/uni network? Can you redirect other non-https urls to the https version?

I just tried chrome (all of this on 2 machines) and it works.

When done on firefox I actually see the http version accessed then it moves to https version after 1/4 second or so like other redirects do.

So what the issue is beyond me at the moment.

EDIT: Just tried a virtual machine (windows) that I’ve never accessed the forum from (with noscript installed) and saw the redirect occur and gave me the message I need to enable javascript (app could not load)

2 Likes

Both responses are status 200 when I’d expect a 301 from http to https

Also check the Server header below (why is it different?!)

Any difference with the response headers you’re seeing?

http headers

ian@ian-desktop:~ $ curl -I http://safenetforum.org
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 Apr 2018 02:54:02 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Discourse-Route: list/latest
Cache-Control: no-store, must-revalidate, no-cache, private
X-Request-Id: 71cd1be7-30c4-47bf-be75-0bce048163f4
X-Runtime: 0.156217
Referrer-Policy: no-referrer-when-downgrade
Discourse-Proxy-ID: app-router-tiehunter07

https headers

ian@ian-desktop:~ $ curl -I https://safenetforum.org
HTTP/1.1 200 OK
Server: nginx/1.13.11
Date: Thu, 12 Apr 2018 02:54:07 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Discourse-Route: list/latest
Cache-Control: no-store, must-revalidate, no-cache, private
X-Request-Id: 15f0d1c7-9ee3-4418-bd88-a6b3a22cf7e6
X-Runtime: 0.137216
Referrer-Policy: no-referrer-when-downgrade
Discourse-Proxy-ID: app-router-tiehunter07

1 Like
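
The check done by eye in the post above can be scripted; this is an added example, not code from any poster or from Discourse. It classifies a `curl -sI` header dump as redirecting to HTTPS or not, and reports any HSTS `max-age`, since a browser with a cached HSTS policy upgrades the request itself and hides a missing server redirect. The function names, the `SAMPLE_*` variables and the two non-thread samples are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Both functions read `curl -sI` output on stdin.

# Classify a plain-HTTP response: redirect-https, redirect-other or no-redirect.
classify_http_response() {
    tr -d '\r' | awk '
        NR == 1 { status = $2; next }
        /^$/ { exit }                      # end of the first header block
        tolower($1) == "location:" { loc = $2 }
        END {
            if (status !~ /^30[12378]$/) print "no-redirect"
            else if (tolower(loc) ~ /^https:\/\//) print "redirect-https"
            else print "redirect-other"
        }'
}

# Print the Strict-Transport-Security max-age of a response, or "none".
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) {
                print substr(line, RSTART + 8, RLENGTH - 8); found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# Constructed samples. SAMPLE_BROKEN is abridged from the http:// dump in the thread;
# the other two are hypothetical responses written for this example.
SAMPLE_BROKEN='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8'
SAMPLE_FIXED='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://safenetforum.org/'
SAMPLE_HSTS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains'

printf '%s\n' "$SAMPLE_BROKEN" | classify_http_response
printf '%s\n' "$SAMPLE_FIXED"  | classify_http_response
printf '%s\n' "$SAMPLE_BROKEN" | hsts_max_age
printf '%s\n' "$SAMPLE_HSTS"   | hsts_max_age
```

Against a live host, pipe `curl -sI http://host` into `classify_http_response` and `curl -sI https://host` into `hsts_max_age`.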

Standard residential ADSL network.

Yes. eg http://iancoleman.io redirects for me to https

1 Like

I have tested this on 2 windows systems with Vivaldi and Firefox with https everywhere disabled.
They all redirect just fine.

1 Like

I’m able to reproduce this issue in Chrome and Firefox when opening http://safenetforum.org in a new incognito/private window.

I just contacted the Discourse team, I’ll let you know when they fix this issue (I’m pretty sure the redirect from HTTP to HTTPS was working fine before). Thank you @mav for letting us know about this :slightly_smiling_face:

2 Likes

I get the same.

I am going to try adding the firefox ID in the curl to see if nginx reacts differently. (after lunch that is)

1 Like

Adding “user-agent” and/or referrer makes no difference.

So firefox and chrome must have been testing for https without being asked to.

The Discourse team just re-enabled the redirect from HTTP to HTTPS. They said this was caused by our DNS looking wrong to them since it’s at the root domain. It should be fixed now.

3 Likes

Yes it looks fixed from here, thanks for arranging it.

3 Likes