
How to disable HTTP Strict Transport Security?

I had a Rails application with config.force_ssl = true, but now I don't want SSL encryption, but my app is still redirecting to https. I read this is an HTTP Strict Transport Security problem on Apache. How can I disable it?

It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

response.headers["Strict-Transport-Security"] = 'max-age=0'

Just wanted to point out @Bruno's answer and @JoeVanDyk's suggestions are true and can be applied beyond the context of Rails/Apache. I'm using PHP and Nginx. PHP has nothing to do with it in my case, but here are the steps with Nginx:

# sorry, here's the nginx.conf part first, can't figure out how to mix
# multi-line code with an ordered list

server {
   #...
   # change:
   # add_header  Strict-Transport-Security "max-age=315360000; includeSubdomains";
   # to:
   add_header  Strict-Transport-Security "max-age=0";
   #...
}
  1. Clear your "browser history". To clarify on @JoeVanDyk's suggestion, I think you need to clear "browsing history" because clearing the cache didn't work for me (tested on Chrome/Firefox, please add comments if you know more).

  2. Edit the nginx.conf file (see code above).

  3. Restart the server:

    root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart

After this, you can revert the nginx add_header Strict.. command to what you previously had. Just make sure you repeat steps 1-3 again.
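Both the Rails answer (max-age=0 from the controller) and the nginx answer (max-age=0 via add_header) rely on how the browser's HSTS store processes that header. As an added example, not code from any of the answers above, the following Ruby is a simplified model of that store following RFC 6797. It is not browser code; the host names, header values and the fixed clock in the demo are constructed. The point it shows that the answers only hint at: a browser ignores Strict-Transport-Security on a plain-http response (RFC 6797 section 8.1), so the max-age=0 header only takes effect when it is served over https, and the old 301 redirect is a separate cache that max-age=0 does not touch.

```ruby
# Added example: a simplified model of a browser's HSTS store (RFC 6797),
# not browser code and not from the original answers. It shows why a site
# keeps being rewritten to https after force_ssl is turned off, and what the
# "max-age=0" header from the Rails and nginx answers actually does.

# Parse a Strict-Transport-Security value such as
# "max-age=315360000; includeSubDomains". Returns nil for a value a browser
# would ignore: no max-age, a non-numeric max-age, or a duplicated directive.
def parse_sts(value)
  max_age = nil
  include_sub = false
  value.split(';').map(&:strip).reject(&:empty?).each do |directive|
    name, raw = directive.split('=', 2).map(&:strip)
    case name.downcase
    when 'max-age'
      return nil if max_age                 # duplicate directive => invalid header
      return nil unless raw && raw.delete('"') =~ /\A\d+\z/
      max_age = raw.delete('"').to_i
    when 'includesubdomains'
      include_sub = true
    end                                     # unknown directives (e.g. preload) are ignored
  end
  return nil if max_age.nil?
  { max_age: max_age, include_subdomains: include_sub }
end

# Apply one response to the store (host => { expires:, include_subdomains: }).
# RFC 6797 8.1: the header is ignored unless the response came over TLS. That
# is the usual reason a max-age=0 "fix" seems not to work: the browser never
# loads the http:// URL, so the only place it can see the header is https://.
def apply_response(store, host, header_value, over_tls:, now: Time.now)
  return store unless over_tls && header_value
  policy = parse_sts(header_value)
  return store unless policy
  if policy[:max_age].zero?
    store.delete(host)                      # max-age=0 forgets the known HSTS host
  else
    store[host] = { expires: now + policy[:max_age],
                    include_subdomains: policy[:include_subdomains] }
  end
  store
end

# Would the browser rewrite http://<host>/ to https://? Checks the host itself
# and every parent domain that set includeSubDomains, dropping expired entries.
def must_use_https?(store, host, now: Time.now)
  labels = host.split('.')
  labels.each_index do |i|
    candidate = labels[i..-1].join('.')
    entry = store[candidate]
    next unless entry
    if entry[:expires] <= now
      store.delete(candidate)               # expired: behave as if never set
      next
    end
    return true if i.zero? || entry[:include_subdomains]
  end
  false
end

if $PROGRAM_NAME == __FILE__
  t0 = Time.at(1_700_000_000)               # constructed fixed clock
  store = {}
  apply_response(store, 'example.com', 'max-age=315360000; includeSubdomains', over_tls: true, now: t0)
  puts "after force_ssl:      #{must_use_https?(store, 'api.example.com', now: t0)}"  # true
  apply_response(store, 'example.com', 'max-age=0', over_tls: false, now: t0)
  puts "max-age=0 over http:  #{must_use_https?(store, 'example.com', now: t0)}"      # true
  apply_response(store, 'example.com', 'max-age=0', over_tls: true, now: t0)
  puts "max-age=0 over https: #{must_use_https?(store, 'example.com', now: t0)}"      # false
end
```

Two practical consequences follow from the model: keep https serving (with max-age=0) for as long as the old max-age could still be cached by clients, because a client that cannot connect over https never receives the clearing header; and clear or expire the 301 separately, since that is the browser's redirect cache, not HSTS.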

I found I couldn't delete an HSTS entry in Chrome as I was using an IP address for development. I couldn't seem to get chrome://net-internals/#hsts to delete the entry. I found that Chrome stores the entries in ../AppData/local/Google/Chrome/User Data/Default/TransportSecurity so I just deleted the file. It of course removes all HSTS requests, but I suspect they will be rebuilt over time.

Figured I'd offer a bit of thought on this. Setting cache time to 0 is the best bet, and if you turn it off you need to leave it at 0 for weeks to clear out clients' browsers. If you just need to clear HSTS in Chrome (for your own browser) you can use chrome://net-internals/#hsts in the address bar to clear the cache for your site in your specific browser. Combined with the "doorway" below, it becomes useful.

You can set temporary HSTS modes by setting/spoofing a custom header => key. Basically, if a special request header exists and it matches a key, set HSTS with a cache time of whatever you need. This would allow you to turn HSTS on or off for all traffic but you. Useful for trying HSTS out before you globally enable it (to make sure all assets are loading). Also useful if you want to temporarily clear out client cache while something is repaired (leaving you room for testing).
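One way to implement the "doorway" described above in a Rails (or any Rack) application, as an added example and not code from the original answer: a middleware that sends the normal policy to everyone, but a different policy to requests that carry the right secret in a request header. The header name X-HSTS-Key, the secret and the max-age values are assumptions for the example; the comparison is constant-time so the key cannot be probed through response timing.

```ruby
# Added example: a Rack middleware implementing the "doorway" idea from the
# answer above. It is not code from the original post. HSTS is emitted for
# everyone according to default_value (nil = send no header), but requests
# carrying the right secret in X-HSTS-Key get keyed_value instead, so you can
# trial HSTS, or push max-age=0 to only your own browser. The header name and
# the values used here are assumptions for the example.
class HstsDoorway
  HEADER = 'strict-transport-security'.freeze   # lowercase works in Rack 2 and Rack 3
  ENV_KEY = 'HTTP_X_HSTS_KEY'.freeze            # Rack's env name for the X-HSTS-Key request header

  def initialize(app, secret:, keyed_value:, default_value: nil)
    @app = app
    @secret = secret
    @keyed_value = keyed_value
    @default_value = default_value
  end

  def call(env)
    status, headers, body = @app.call(env)
    value = keyed?(env) ? @keyed_value : @default_value
    # This middleware owns the header: drop whatever the app set (Rails'
    # force_ssl sets its own), in any letter case, then add ours.
    headers.delete_if { |name, _| name.casecmp?(HEADER) }
    # Browsers ignore STS received over plain http (RFC 6797 8.1), so only
    # emit it on https responses.
    headers[HEADER] = value if value && env['rack.url_scheme'] == 'https'
    [status, headers, body]
  end

  # Constant-time comparison so the doorway key cannot be guessed byte by byte
  # from response timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  private

  def keyed?(env)
    presented = env[ENV_KEY]
    !presented.nil? && HstsDoorway.secure_equal?(presented, @secret)
  end
end
```

In Rails it has to sit outside the SSL middleware so it sees the response after force_ssl has added its header, for example `config.middleware.insert_before ActionDispatch::SSL, HstsDoorway, secret: ENV.fetch('HSTS_DOORWAY_KEY'), keyed_value: 'max-age=31536000; includeSubDomains', default_value: 'max-age=0'` (the environment variable name is an assumption). You then send the key from your own browser with a header-modifying extension, or from the command line with `curl -H 'X-HSTS-Key: ...'`. The same idea maps onto the nginx answer with a `map $http_x_hsts_key` block feeding the add_header value.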

If you are developing an application/site and for any reason you choose to use the domain .dev or .app for it, and if you are using Chrome or Edge (Chromium based) as your browser, you won't be able to get rid of this error, because Google bought the TLDs .dev and .app and forces the use of HTTPS for those domains.

The "so called" workaround here is that you should change .dev or .app to something else, let's say .local.

Hope this helps, somehow.

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you reproduce them, please cite this site or the original URL. For any questions contact yoyou2525@163.com.

Guangdong ICP Registration No. 18138465  © 2020-2024 STACKOOM.COM