How can I force https to http

sharingsunshine
I have an nginx development site that I can't get into because it keeps auto-populating to https. This is because I copied the files and database from an existing https enabled site.  Is there a way to force a browser to only use http for this site?

This site hasn't been propagated so there is no dns.  Thus, no way to have an ssl cert.

Because it keeps filling in the https I get a message the site can't be reached.  I have tried filling it in manually and deleting the history but it still keeps accessing https.

Thanks
See if this will help:

https://www.siteground.com/kb/redirect-from-https-to-http/

Add the following directives in your website's .htaccess file:

# Redirect HTTPS to HTTP

RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Author

Commented:
I found that already and it didn't help.

Here is my .htaccess

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect HTTPS to HTTP
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress


Place the above statement before the

<IfModule mod_rewrite.c>

Please look at the following site:

Example:
https://help.bigscoots.com/en/articles/723505-redirecting-your-domain-from-https-to-http-using-htaccess-in-cpanel

Author

Commented:
It doesn't work.

RewriteEngine On
RewriteCondition %{HTTPS} On
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress


noci
Software Engineer
Distinguished Expert 2018

Commented:
nginx works differently: no .htaccess files.
All is in the config ....

First the sane options:
a) if on a .local domain (or home net)... use a private certificate. several ways to create (using f.e. xca or tinyCA). You can add the CA certificate to your browser store as trusted and use the site certificate for use).    This can also work on the internet btw....
b) if on an internet connected site use a LetsEncrypt certificate

c) When still insisting on HTTP only access (which would be very unwise on an internet accessible server)...
  You need to do a few things:
  1) have your frontend (nginx) redirect to http.... (if it is wise...)
  2) still add a header in the proxy request to the fpm backend to indicate the original access WAS https... (so the WP code doesn't generate a redirect loop).

Please indicate your choice.
Add this to a request:
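    # nginx "if" cannot combine conditions with ||, so each case is tested separately
    if ( $http_x_forwarded_proto = 'https' ) { return 301 http://$host$request_uri; }
    if ( $ssl_protocol != "" ) { return 301 http://$host$request_uri; }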


The problem with the above code might be with https being enforced through some headers on the WP part.
Check for the HSTS header: Strict-Transport-Security

2)
The proxypass sections should also have to make the backend think of it being behind https...
  proxy_set_header X-Forwarded-Proto https;

Author

Commented:
my choice is #1 but I tried Let's Encrypt and it indicated since no dns was set it failed.

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.theherbsplace.com
Waiting for verification...
Challenge failed for domain www.theherbsplace.com
http-01 challenge for www.theherbsplace.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.theherbsplace.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.theherbsplace.com/.well-known/acme-challenge/tt22clvwshqzuhg1krrvysfxepzv94khlpcsiitmpzk
   [ipv6 ip]: "<!DOCTYPE
   html>\n<!--[if IE 9 ]> <html lang=\"en-US\" class=\"ie9
   loading-site no-js\"> <![endif]-->\n<!--[if IE 8 ]> <html
   lang=\"en-U"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.


noci
Software Engineer
Distinguished Expert 2018

Commented:
So the DNS does exist (ip = www.theherbsplace.com.  5       IN      CNAME   theherbsplace.com.
theherbsplace.com.      300     IN      A       54.86.81.94)

Maybe you should not forward port 80 to WP and only allow https to go there.
For port 80:
 In the case of a URI that contains /.well-known/challenge/... then just forward to some location where certbot leaves the challenge.
 and redirect to https otherwise.

Probably using the nginx plugin is the easiest way to establish this.
If push comes to shove you can also completely ignore port 80 and use the mini servers within certbot to get the letsencrypt certificate.


This is shown:
$ curl -v http://www.theherbsplace.com
*   Trying 54.86.81.94:80...
* TCP_NODELAY set
* Connected to www.theherbsplace.com (54.86.81.94) port 80 (#0)
> GET / HTTP/1.1
> Host: www.theherbsplace.com
> User-Agent: curl/7.65.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 05 Aug 2019 20:38:25 GMT
< Server: Apache/2.4.39 () OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.2.19
< Expires: Mon, 05 Aug 2019 21:38:26 GMT
< Cache-Control: max-age=3600
< X-Redirect-By: WordPress
< Content-Security-Policy: upgrade-insecure-requests;
< Upgrade: h2,h2c
< Connection: Upgrade
< Location: https://www.theherbsplace.com/
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host www.theherbsplace.com left intact
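
Added example, not part of any post in this thread: a Python check that reads a `curl -v` trace like the one above and lists each mechanism in the response that pushes a client to https (redirect status and origin, CSP `upgrade-insecure-requests`, HSTS). The sample trace and the host `www.example.test` are constructed.

```python
import re

# Constructed sample: response headers in the shape of the `curl -v` trace above.
SAMPLE_TRACE = """\
< HTTP/1.1 301 Moved Permanently
< Cache-Control: max-age=3600
< X-Redirect-By: WordPress
< Content-Security-Policy: upgrade-insecure-requests;
< Location: https://www.example.test/
"""

def parse_response(trace):
    """Return (status_code, {lower-cased header: value}) from curl -v '<' lines."""
    status, headers = None, {}
    for line in trace.splitlines():
        if not line.startswith("< "):
            continue  # skip request lines ('>') and curl's own notes ('*')
        line = line[2:].strip()
        m = re.match(r"HTTP/\S+\s+(\d{3})", line)
        if m:
            status = int(m.group(1))
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def https_forcing_mechanisms(trace):
    """List what in this response pushes a client from http to https."""
    status, h = parse_response(trace)
    found = []
    location = h.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        kind = "permanent (cacheable by the browser)" if status in (301, 308) else "temporary"
        found.append(f"redirect {status} to https, {kind}")
        if "x-redirect-by" in h:
            found.append(f"redirect issued by {h['x-redirect-by']}, not the web server")
    if "upgrade-insecure-requests" in h.get("content-security-policy", "").lower():
        found.append("CSP upgrade-insecure-requests: browser upgrades the page's http URLs")
    if "strict-transport-security" in h:
        found.append("HSTS header present (browsers honour it only over https)")
    return found

if __name__ == "__main__":
    for finding in https_forcing_mechanisms(SAMPLE_TRACE):
        print("-", finding)
```

Save the `curl -v` output to a file and pass its contents to `https_forcing_mechanisms` to see which layer (web server, WordPress, or a response header) needs changing.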


Author

Commented:
this is a development site that shares the same name as an actual working site https://www.theherbsplace.com

to set up nginx I was told by AWS that I couldn't access it by the ip number but it had to be a domain name.  So, when I want to access the development site I have to enable the ip number in the windows hosts file.

So, I am not clear how to implement your solution above given that scenario.
Software Engineer
Distinguished Expert 2018
Commented:
Why not rename the dev site to dev.theherbsplace.com? then they can both be accessible..

For a web client you can add an entry to a hosts file or private local DNS (connecting to the dev site instead of the prod). With the same name, that won't work for letsencrypt though.

otoh if you use the certificate on the production site, you should be able to use the certificate also on the dev site. (as a certificate is normally only name bound).

The way it works is:
The browser wants to access sitex.example.com, so it does a DNS lookup for the IP address and then connects to the system indicated by the IP address.
Then it gets the SSL certificate which indicates the server as sitex.example.com ... and if the CA is trusted the browser will continue the connection and send the request having a header: "Host: sitex.example.com". This is the header the webserver uses to select the right backend part.

With SSL(TLS 1+)  there is a method called SNI where the client also sends the hostname in cleartext so the right certificate can be selected. It does leak the hostname though.
David Favor
Linux/LXD/WordPress/Hosting Savant
Distinguished Expert 2018

Commented:
Before you can even start best do this.

1) Change all 301s to 302s.

2) Forcibly remove all cached images + files.

Since you're using a 301 in your .htaccess file (a horrible choice in almost every case), it's highly likely you've ended up with a cached HTTP -> HTTPS upgrade in your browser cache.

By definition (in all major browsers) 301 redirects have infinite expiry time, so they never expire.

Clear your cache first. Then restart your debugging process.
David Favor
Linux/LXD/WordPress/Hosting Savant
Distinguished Expert 2018

Commented:
Aside: Very shortly all major browsers will begin reporting HTTP sites with the same message which indicates the site is hosting Malware.

This is because every HTTP site is 100% suspicious because the HTTP protocol is trivial to hack + inject whatever the hacker likes.

If your site is a real site, meaning you'd like visitors to see content rather than the dreaded "Abandon hope, all ye who enter here." type messages... then you'll force upgrade HTTP -> HTTPS.

Author

Commented:
I like your idea of changing the name.  However, I went into the hosts file and changed it to dev.theherbsplace.com and changed the conf file server name to dev.theherbsplace.com but now it immediately opens up the production site.  I also changed the 2 DB entries but it still won't open up the development dashboard.

Any thoughts?

Author

Commented:
I went ahead and changed the name to www.devsite.com.  I can get the login screen but it never moves from the screen where I input the username and password.  It accepts my entry and never says anything is wrong.

I have looked in the logs and nothing changes when I use tail -f

Author

Commented:
Thanks for the help.  I purchased a domain name and used let's encrypt.
David Favor
Linux/LXD/WordPress/Hosting Savant
Distinguished Expert 2018

Commented:
I like your idea of changing the name.  However, I went into the hosts file and changed it to dev.theherbsplace.com and changed the conf file server name to dev.theherbsplace.com but now it immediately opens up the production site.  I also changed the 2 DB entries but it still won't open up the development dashboard.

Any thoughts?

This is because, you simply can't do this.

WordPress sites (looks like you're running WordPress) require using a tool like wp-cli to walk every row of every table, changing all occurrences of a site name stored as a simple string + also stored as a serialized string.

To recover your site at this point will be easiest if you run wp-cli.

The other option is to change the siteurl + home options back to the old value, then make a backup with a plugin like Duplicator, then restore the backup, allow the backup restoration process to rewrite all simple + serialized data (which it does by design).

If you get stumped, open another question about this problem.
