I recently changed the domain for a Rails app I have running on Heroku. I redirected the original to the new one, and for the last couple of months have been running SSL on both. I tried to remove SSL from the original domain since all it does is redirect.
I did everything I thought I should:
- Turned off SSL in the app with `config.force_ssl = false` in production.rb
- Changed DNS ALIAS and CNAME to point to "myapp.herokuapp.com"
- Removed the SSL endpoint and certs
If I go to myapp.herokuapp.com, everything is fine, but if I go to myapp.com or www.myapp.com, it automatically tries to take me to the secure version of the site, https://myapp.com, and I get the standard security error warning from my browser.
Am I missing something? Is it a caching issue? Does it just take time for the DNS change to kick in? I've tried on a few machines/browsers, and the issue is consistent across all of them.
Worst case, I can definitely add the SSL Endpoint back on, but it seems like overkill.
In addition to what Jan said, here is what I did to do the trick.
In application_controller.rb:
In production.rb:
Clear the cache of your web browser and that's it!
`config.force_ssl = true` enables the Strict Transport Security header (HSTS) with a `max-age` of one year. See this issue. Such a header forces browsers that support it to contact the server over HTTPS for one year. This is to prevent attacks in which a man in the middle downgrades an HTTPS connection to HTTP.

Moving out of HTTPS for production sites that were served with HSTS is not very easy. You should keep your site served over HTTPS and return the HSTS header with `max-age=0` to reset the one-year setting. The problem is to decide for how long you need to keep HTTPS. To be absolutely sure that all clients are switched, you should do it for one year. You may decide to do it for a shorter period, but at the risk of breaking the site for clients that visit infrequently.
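To make the HSTS behaviour described in that answer concrete, here is an added example in Ruby. It is not code from the question or from either answer and does not use Rails itself: it builds the header value `force_ssl` emits and feeds it to a hand-written model of a browser's HSTS cache, replaying the situation in the question (policy stored while SSL was on, SSL removed, reset attempted over HTTP, reset done over HTTPS, and an absent client whose policy only lapses after the year). The host name myapp.com, the dates, and the names `hsts_header`, `HstsCache` and `simulate_migration` are constructed for the demonstration.

```ruby
# Added example (not code from the question or the answers): a small model of
# how a browser's HSTS cache reacts to the Strict-Transport-Security header,
# so the "keep HTTPS up and return max-age=0" advice can be seen working.
# Host names, dates and the browser model are constructed for the demonstration.

ONE_YEAR = 365 * 24 * 60 * 60

# Header value for a given max-age in seconds, with the optional RFC 6797 flags
# (the same shape Rails' SSL middleware produces for force_ssl).
def hsts_header(expires_seconds, subdomains: false, preload: false)
  parts = ["max-age=#{expires_seconds.to_i}"]
  parts << "includeSubDomains" if subdomains
  parts << "preload" if preload
  parts.join("; ")
end

# Minimal browser-side HSTS store (RFC 6797 semantics):
# - the header is honoured only when received over HTTPS (section 8.1)
# - max-age > 0 stores or refreshes the host, max-age=0 evicts it
# - while a host is stored and unexpired, http:// URLs for it become https://
class HstsCache
  def initialize(clock:)
    @clock = clock          # callable returning the current Time (injectable)
    @expiry_by_host = {}    # host => Time after which the policy lapses
  end

  def observe_response(host, scheme:, headers:)
    value = headers["Strict-Transport-Security"]
    return if value.nil? || scheme != "https"
    max_age = value[/max-age=(\d+)/i, 1]
    return if max_age.nil?
    if max_age.to_i.zero?
      @expiry_by_host.delete(host)
    else
      @expiry_by_host[host] = @clock.call + max_age.to_i
    end
  end

  # Rewrite a plain-HTTP URL to HTTPS if a live policy exists for its host.
  def upgrade(url)
    host = url[%r{\Ahttp://([^/:]+)}, 1]
    return url if host.nil?
    expiry = @expiry_by_host[host]
    return url if expiry.nil?
    if @clock.call >= expiry
      @expiry_by_host.delete(host)   # policy lapsed: forget it
      return url
    end
    url.sub(/\Ahttp:/, "https:")
  end
end

# Replays the situation in the question: force_ssl was on for months, then SSL
# was removed. Returns the URL the browser would actually request at each step.
def simulate_migration
  now = Time.utc(2013, 1, 1)
  clock = -> { now }                 # shares the local, so "now +=" moves the clock
  cache = HstsCache.new(clock: clock)
  results = {}
  one_year_header = { "Strict-Transport-Security" => hsts_header(ONE_YEAR) }
  reset_header    = { "Strict-Transport-Security" => hsts_header(0) }

  # 1. While SSL was on, a visit to https://myapp.com stored a one-year policy.
  cache.observe_response("myapp.com", scheme: "https", headers: one_year_header)

  # 2. Two months later SSL is gone, but the browser still upgrades on its own.
  now += 60 * 24 * 60 * 60
  results[:after_ssl_removed] = cache.upgrade("http://myapp.com/")

  # 3. Sending max-age=0 over plain HTTP changes nothing: the header is ignored.
  cache.observe_response("myapp.com", scheme: "http", headers: reset_header)
  results[:after_reset_over_http] = cache.upgrade("http://myapp.com/")

  # 4. Keep HTTPS up and send max-age=0 over it: the policy is evicted.
  cache.observe_response("myapp.com", scheme: "https", headers: reset_header)
  results[:after_reset_over_https] = cache.upgrade("http://myapp.com/")

  # 5. A client that never returns keeps upgrading until its original year lapses.
  absent = HstsCache.new(clock: clock)
  absent.observe_response("myapp.com", scheme: "https", headers: one_year_header)
  now += ONE_YEAR - 1
  results[:absent_client_day_364] = absent.upgrade("http://myapp.com/")
  now += 2
  results[:absent_client_after_year] = absent.upgrade("http://myapp.com/")
  results
end

if __FILE__ == $PROGRAM_NAME
  simulate_migration.each { |step, url| puts "#{step}: #{url}" }
end
```

Steps 3 and 4 are the point of the answer: a `max-age=0` header can only reach a browser that already applies the policy if it is served over HTTPS, which is why the certificate has to stay in place while you wind the policy down, and step 5 is why a short wind-down period risks breaking infrequent visitors. In Rails 4 and later the expiry is set through `config.ssl_options` (for example `config.ssl_options = { hsts: { expires: 0 } }`) while `config.force_ssl` stays on.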