[Tfug] chrome's fixation with ssl

Ammon Lauritzen allaryin at gmail.com
Fri Dec 4 14:49:57 MST 2015

So… I played with LetsEncrypt on one of my servers yesterday since they finally opened the floodgates. I’m happy with the end result, even if the tool needs a whole lot of work.

However, I encountered something really annoying. The only real service running on the domain I started encrypting is a standalone daemon on a non-standard port that displays some diagnostic data for me via http. Now, Chrome forces https on this site as well.

I’ve gotten used to it turning port 80 into 443 once it knows that a domain can ssl… but I’ve never seen it commandeer a non-standard port before.

For reasons that don’t matter, I don’t want to stick the daemon behind nginx. I would prefer to leave it as plain old http on port not-80.

I AM specifying the full standard HTST header in nginx… but does anyone know if the spec actually defines this behavior, or if Chrome is just going overboard? IIRC, it will remember and do 80->443 even if the server doesn’t specify Strict-Transport-Security.

Is anyone aware of a way to tell it to chill out on this service, or am I going to have to fight with it?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://tfug.org/pipermail/tfug_tfug.org/attachments/20151204/b1d9c72c/attachment.asc>

More information about the tfug mailing list