 

Amazon AWS 307 response and permanent redirect to HTTPS

I have a domain from GoDaddy, with AWS Route53 for managing DNS records. Route53 sends requests to a load-balancer.

For the webserver I have a load-balancer that routes requests to a single (for now) EC2 instance, and nginx on the EC2 instance gets the request and sends a response to the client.

The problem is that when I use http:// to perform a request, AWS redirects requests to the https:// version of the domain with a 307 Internal Redirect response. The response object has a Non-Authoritative-Reason: HSTS header as well.

What's the problem, and which component is redirecting requests?

Asked by Afshin Mehrabani, Feb 18 '15 14:02


2 Answers

It's neither component.

This isn't anything from AWS... it's the browser. It's an internal redirect the browser is generating, related to HSTS... HTTP Strict Transport Security.

If you aren't doing it now, then presumably, in the past, you've generated a Strict-Transport-Security: header in responses from this domain, and the browser has remembered this fact, preventing you from accessing the site insecurely, as it is intended to do.

Answered by Michael - sqlbot, Oct 28 '22 21:10


I know I'm late to the party, but I wanted to post the actual full solution to this, inspired by this post on the WordPress forums.

Just removing the HSTS header from the server will not solve it, because the browser has cached the HSTS response and will continue forcing https:// for that website regardless. In Chrome/Chromium you can delete the website from about://net-internals/#hsts, but that's hardly a solution for your visitors, as you have no idea how many have already cached it as HSTS.

On the server side, you need to set max-age=0, which (as per the RFC) asks the browser to stop treating that host as an HSTS host.

In Apache, do the following:

<IfModule mod_headers.c>
    # max-age=0 tells browsers that cached this host as HSTS to forget it
    Header always set Strict-Transport-Security "max-age=0"
</IfModule>

and make sure you have enabled the headers module (you can use a2enmod headers on Ubuntu/Debian/Mint).

Answered by Normadize, Oct 28 '22 21:10
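The two answers above describe browser behaviour that is easy to reason about but hard to observe, so here is an added example (not code from either answer, and not from any browser's source) that models the relevant parts of RFC 6797: a parser for the Strict-Transport-Security header and a small "known HSTS host" store that upgrades http:// URLs the way the browser's 307 Internal Redirect does. It then walks through the scenario from the question and both answers. The host example.com, the clock values and the header strings are constructed placeholders, not the asker's real domain or captured traffic.

```python
"""Model of browser handling of Strict-Transport-Security (RFC 6797).

Added example, not code from the original answers. The host, timestamps and
header values below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed header values (not captured from the asker's site).
SAMPLE_HEADERS = {
    "original": "max-age=31536000; includeSubDomains",  # what was once served
    "cleared": "max-age=0",                              # the fix from the answer
    "malformed": "max-age=abc",                          # ignored by browsers
}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None when the browser must ignore it
    (no max-age, a non-numeric max-age, or a duplicated directive)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # Unknown directives (e.g. preload) are ignored, as the RFC requires.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


class HstsCache:
    """Minimal model of a browser's 'Known HSTS Host' store."""

    def __init__(self) -> None:
        # host -> (expiry as epoch seconds, includeSubDomains flag)
        self._hosts: Dict[str, Tuple[int, bool]] = {}

    def observe(self, host: str, header: str, over_https: bool, now: int) -> None:
        """Process an STS header seen in a response from `host`."""
        if not over_https:
            return  # RFC 6797 section 8.1: headers on plain HTTP are ignored
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self._hosts.pop(host, None)  # section 6.1.1: max-age=0 forgets the host
        else:
            self._hosts[host] = (now + policy.max_age, policy.include_subdomains)

    def rewrite(self, url: str, now: int) -> str:
        """Return the URL the browser will actually request. An http:// URL for a
        known host is upgraded before any network I/O; Chrome displays this as
        '307 Internal Redirect' with 'Non-Authoritative-Reason: HSTS'."""
        scheme, sep, rest = url.partition("://")
        if not sep or scheme.lower() != "http":
            return url
        host = rest.split("/", 1)[0].split(":")[0].lower()
        for known, (expiry, include_subdomains) in self._hosts.items():
            if now >= expiry:
                continue  # entry has aged out
            if host == known or (include_subdomains and host.endswith("." + known)):
                return "https://" + rest
        return url


def simulate() -> List[str]:
    """Walk through the scenario from the question and both answers."""
    cache = HstsCache()
    t0 = 1_000_000         # arbitrary clock value
    host = "example.com"   # placeholder, not the asker's real domain
    seen = []
    # 1. The site once sent HSTS over HTTPS; the browser remembers it.
    cache.observe(host, SAMPLE_HEADERS["original"], over_https=True, now=t0)
    seen.append(cache.rewrite("http://example.com/", t0 + 1))
    seen.append(cache.rewrite("http://www.example.com/", t0 + 1))  # includeSubDomains
    # 2. Merely removing the header changes nothing: the entry is still cached.
    seen.append(cache.rewrite("http://example.com/", t0 + 86400))
    # 3. max-age=0 delivered over plain HTTP is ignored and does not clear it.
    cache.observe(host, SAMPLE_HEADERS["cleared"], over_https=False, now=t0 + 86400)
    seen.append(cache.rewrite("http://example.com/", t0 + 86401))
    # 4. max-age=0 over HTTPS deletes the entry; http:// is honoured again.
    cache.observe(host, SAMPLE_HEADERS["cleared"], over_https=True, now=t0 + 86400)
    seen.append(cache.rewrite("http://example.com/", t0 + 86401))
    # 5. A malformed header is ignored, so the host stays un-pinned.
    cache.observe(host, SAMPLE_HEADERS["malformed"], over_https=True, now=t0 + 86402)
    seen.append(cache.rewrite("http://example.com/", t0 + 86403))
    return seen


if __name__ == "__main__":
    for url in simulate():
        print(url)
```

Two practical points fall out of step 3 and the parser: the clearing header only counts when it arrives on an HTTPS response, so the HTTPS listener (not only the HTTP one) must serve `max-age=0`, and a mistyped value such as `max-age=abc` is silently ignored rather than clearing anything. After deploying the Apache change above you can confirm what the HTTPS side actually sends with `curl -sI https://your-domain/ | grep -i strict-transport-security`. Note that hosts on the browser's built-in HSTS preload list cannot be cleared this way at all, since those entries are shipped with the browser rather than learned from a header.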