Randy

Reputation: 311

Need immediate help for http site loading as https:

Recently my website, which so far is not secure "just http:" fails with multiple problems when it is wrongly linked as https:, which it is not. Unfortunately that will happen regardless of what I want, whenever sites are linked in Google, Facebook, or just about anywhere now. In the past I successfully solved this problem by adding this JavaScript near the top of my pages...

<script>
// redirect if wrongly linked via https.
// Check the scheme itself rather than searching the whole URL for "https",
// which would also fire on a query string or fragment containing that text.
if (window.location.protocol === "https:") {
  var loc = window.location.href;
  var newloc = loc.replace(/^https:/, "http:");
  window.location = newloc;
}
</script>

Well that no longer works. It seems that all browsers now have the following behavior: If you link a site via https://, any attempts to load it via http://, even explicitly typing that on the browser URL line, will fail. The browser will continually change it to https:. So what does this do to my page? It causes it to endlessly reload. Obviously I can remove the script above, but then I may as well shut down the site, because almost nothing will work correctly. No cookies, no graphics, nothing works right. Not even the page icons.

So I also tried the reverse of a .htaccess file solution, usually used to force https. My version looks like this...

RewriteEngine on
# Match requests that arrived over HTTPS (port 443) and send them back to HTTP.
# Matching port 80 here would redirect plain-HTTP requests to HTTP again, in a loop.
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://exampledomain/$1 [R=301,L]

Obviously 'exampledomain' is my domain. I don't know if it's doing anything unexpected, but it certainly is not helping.

So what can I do? I realize the long term solution is to become https. That suggestion doesn't help right now. It is a legacy website with over 100 pages. And the way things stand right now, once anyone goes there from an incorrect https: link, they will never get to see any of it. Is there anything I can do for now?

EDIT...

Is it possible the server is forcing this on me? I found this article, and have asked my hosting support if anything can be done. If not, it would seem that the hosting company sold me web space, and then made it impossible for people to visit, if I don't upgrade. Is there any test I can do to see if this policy is being enforced by my hosting company?

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

EDIT: I finally got my site back online. I'm not "answering" my own question, because I strongly suspect even now my answer is incomplete. But two things were done:

  1. In my main (document root level), the tech support added these lines. While the lower 3 are similar to something I'd tried (and one of you suggested), without that top line (apparently blocking HSTS), an infinite loop was being generated, when a browser was insisting on https.

    Header always unset Strict-Transport-Security
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
  2. But why were MY browsers "insisting" on HTTPS? Tech support had already verified for themselves that a loop condition of infinite redirects was no longer happening, but I still could not reach my pages from home, in either my Firefox or Chrome browsers, on either my older or newer machine. But oddly, IE and Edge did work, which led me to realize the difference... I don't use those browsers often (except to check compatibility), so the difference was this: Despite suggestions of clearing cache and cookies, apparently none of those options really flush the history. And if an HTTPS was in recent history, the browsers seem to automatically revert to that one. For that I found the answers (at least for those browsers) in the article below. Once history was truly cleared, there was no longer a problem.

https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/

I suspect I haven't seen the last of this problem, and yes... eventually I WILL make the jump to HTTPS. I just don't like needing to do so under forced pressure, because of an internal server policy that changed.

Upvotes: 0

Views: 1644

Answers (2)

MrWhite

Reputation: 45958

No... I don't have an SSL certificate.

You need an SSL cert. If you don't have an SSL cert installed that covers the requested hostname then either:

  • The server simply fails to connect as it's not listening on port 443. (Although this doesn't seem to be the case.)

OR,

  • There is an SSL cert installed on the server and the server is responding on port 443, but the cert is for a different domain/hostname so the browser issues warnings when attempting to connect. The user "should" not accept this cert, in which case they never reach your site.

It seems that all browsers now have the following behavior: If you link a site via https://, any attempts to load it via http://, even explicitly typing that on the browser URL line, will fail. The browser will continually change it to https:

That's not true, unless...

  • You have previously implemented an HTTP to HTTPS 301 redirect and you are seeing a cached response/redirect.

OR,

  • You have previously implemented HSTS. In which case the browser (after initially visiting HTTPS) will always request HTTPS. This is not reversible, until the max-age time expires after the user has visited your "HTTPS" site. But HSTS is quite a deliberate action - this really shouldn't be something that can be implemented "accidentally". (I would also be surprised that the browser would honour the HSTS header if the SSL cert wasn't entirely valid?!)

    Look for a Strict-Transport-Security HTTP response header when accessing your site over HTTPS. This indicates that HSTS has been "implemented" on your site.


UPDATE:

  1. In my main (document root level), the tech support added these lines....

    Header always unset Strict-Transport-Security
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    

If you are having to explicitly unset the STS header then it suggests "something else" is already setting it!? This header is not set by default, so it would be a good idea to find out where/what is setting it in the first place. (The web host themselves should never set a header like this.)

Aside: Minor optimisation by replacing (.*) (the RewriteRule pattern) with just ^. Since you don't need to match or capture the URL-path, it just needs to be successful (since you are using REQUEST_URI in the substitution string).

  1. But why were MY browsers "insisting" on HTTPS? ... But oddly, IE and Edge did work, which led me to realize the difference... I don't use those browsers often (except to check compatibility), so the difference was this: Despite suggestions of clearing cache and cookies, apparently none of those options really flush the history. And if an HTTPS was in recent history, the browsers seem to automatically revert to that one. .... Once history was truly cleared, there was no longer a problem.

Browser "history" itself would not cause this problem, except that the browser address bar will tend to (sometimes annoyingly) auto-complete to URLs recently visited. But this wouldn't cause a redirect-loop.

So, from this, is the conclusion that it was an HSTS issue? Did your domain appear in the chrome://net-internals/#hsts list for HSTS-enabled domains? However, this won't solve the problem for any other users who have recently visited your site over HTTPS. They will still be forced to HTTPS until the period determined by the max-age argument from when they last visited passes.

To clarify:

  • Your site works perfectly OK for me... redirects back to HTTP.
  • You do already have valid SSL certs installed for both your main domain and subdomain! If you didn't then you would see a browser warning before reaching your site over HTTPS and the browser would fail to connect (no redirect would occur) - as mentioned above.
  • You have quite a few HTTPS URLs indexed in Google. Google will tend to favour HTTPS over HTTP if it is available. A JavaScript "redirect" as you were doing initially wouldn't necessarily dissuade Google. Incidentally, the JS redirect only redirects the main page on which the script runs. Any static resources (images, JS, CSS, etc) that are requested over HTTPS would not be redirected. A JS-redirect is not strictly a redirect - to the user-agent/search engine it's just another 200 OK response, not a 3xx response.

Upvotes: 1
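The answer above suggests looking for a Strict-Transport-Security header on the HTTPS response, and the question describes the loop that results when that header is present while the server answers with a 301 to http://. The following is an added example, not code from the asker or the answerer: it parses the header's directives and classifies a captured HTTPS response (status plus headers) for that loop. The sample responses are constructed, not taken from the asker's site.

```python
import re
from typing import Dict, Optional

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its RFC 6797 directives."""
    info: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in (d.strip() for d in value.split(";")):
        m = _MAX_AGE.fullmatch(directive)
        if m:
            info["max_age"] = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            info["include_subdomains"] = True
        elif directive.lower() == "preload":
            info["preload"] = True
    return info


def audit_https_response(status: int, headers: Dict[str, str]) -> Dict[str, object]:
    """Classify one HTTPS response (status + headers) for the HSTS/redirect-loop problem."""
    lower = {k.lower(): v for k, v in headers.items()}
    sts: Optional[str] = lower.get("strict-transport-security")
    location = lower.get("location", "")
    downgrade = 300 <= status < 400 and location.lower().startswith("http://")
    hsts = parse_hsts(sts) if sts is not None else None
    pinned = hsts is not None and (hsts["max_age"] or 0) > 0
    return {
        "hsts": hsts,
        "downgrade_redirect": downgrade,
        # HSTS tells the browser to keep requesting HTTPS while the server keeps
        # answering 301 -> http://: the endless reload described in the question.
        "loop_risk": pinned and downgrade,
        # max-age=0 is the RFC 6797 way to tell browsers to forget the HSTS entry;
        # merely unsetting the header leaves already-pinned browsers pinned.
        "hsts_cleared": hsts is not None and hsts["max_age"] == 0,
    }


# Constructed sample responses (not captured from the asker's site).
SAMPLES = {
    "before_fix": (301, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                         "Location": "http://www.example.com/page.html"}),
    "after_unset": (301, {"Location": "http://www.example.com/page.html"}),
    "clearing": (301, {"Strict-Transport-Security": "max-age=0",
                       "Location": "http://www.example.com/page.html"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, audit_https_response(status, headers))
```

A browser only processes the header when it arrives over HTTPS with a valid certificate, so the "clearing" response has to be served over HTTPS to have any effect on already-pinned visitors.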

Jake Sampson

Reputation: 33

To redirect your website from HTTPS to HTTP, add the following rule in your website’s .htaccess file:

# Redirect HTTPS to HTTP
# X-Forwarded-Proto is set by a proxy or load balancer that terminates TLS in front
# of the web server; when Apache terminates TLS itself, test %{HTTPS} on instead.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Upvotes: 1
