Disabling forced SSL

[mojodna]

When creating new sites with netlify sites:create, automatic SSL redirects are enabled. For cross-origin reasons, I need to deploy a site using HTTP (not HTTPS) but can't figure out how to do this / change the setting in either the web UI or the CLI. How do I do this?

Thanks!

[fool]

We do not intend to support this use case anymore, @mojodna . We will be forcing ALL traffic to HTTPS in the near term future and we no longer allow disabling it on sites that have been created lately.

[mojodna]

Ah, ok. Thanks.

[rsp]

@fool It seems that it is not possible to disable HTTPS and/or disable forcing the redirect to HTTPS even for sites that were created long time ago, is that currently disabled for all sites or only in the UI?

Will there be any plans in the future to be able to serve both HTTP and HTTPS with no redirects? I am concerned that some use cases like very simple IoT devices that cannot support SSL and some cases where I implement simple HTTP protocol for educational reasons will not be able to use Netlify at all.

[fool]

We have no plans to support non-SSL traffic in the future. If your devices don't support SSL, they are leaving you open to attack, and while I am sure there are devices like that - you won't be able to use them directly with our service.

…

On Mon, Nov 26, 2018 at 3:19 AM Rafał Pocztarski ***@***.***> wrote: @fool <https://github.com/fool> It seems that it is not possible to disable HTTPS and/or disable forcing the redirect to HTTPS even for sites that were created long time ago, is that currently disabled for all sites or only in the UI? Will there be any plans in the future to be able to serve both HTTP and HTTPS with no redirects? I am concerned that some use cases like very simple IoT devices that cannot support SSL and some cases where I implement simple HTTP protocol for educational reasons will not be able to use Netlify at all. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#158 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN-oGWBXK4qpwf6FI9La47RTx3nElicks5uy85XgaJpZM4XvLXM> .

[douglasjunior]

Sometimes, when we are in DEV the backend is not yet in HTTPS, sometimes the backend does not even have a domain.

This prevents us from using Netlify due to issue with CORS.

[elie222]

I agree in production this is important. Forcing HTTPS is annoying for development though.

[elie222]

For others running into this issue, consider moving to Surge:
https://surge.sh/help/using-https-by-default

[ChristopherDosin]

I aggree - For the dev mode SSL can be really annoying. +1 to disable SSL in dev mode.

[itsmelion]

Not just annoying, but some OG services are known to not handle well SSL.
like: https://stackoverflow.com/questions/8855361/fb-opengraph-ogimage-not-pulling-images-possibly-https
Im hacking workarounds to ensure my OG:IMAGE to fetched properly.
(not force https on that route, or host somewherelse without SSL)

[elie222]

This is from 2011-12. Still an issue?

…

On Tue, 9 Jul 2019 at 21:16, Christhopher Lion ***@***.***> wrote: Not just annoying, but some OG services are known to not handle well SSL. like: https://stackoverflow.com/questions/8855361/fb-opengraph-ogimage-not-pulling-images-possibly-https Im hacking workarounds to prevent my OG:IMAGE to fetched properly. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#158?email_source=notifications&email_token=AAXSQXYKJ4ESSMOTZ2HKIRTP6TIX3A5CNFSM4F54WXGKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZRCXTY#issuecomment-509750223>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAXSQXY7YTWISTFX2RG2J2DP6TIX3ANCNFSM4F54WXGA> .

[rdewolff]

Are you handling properly the case when the deployed site has already HTTPS?

[gcubeda]

I think you should let people do what they want to do with their sites created on the platform. It's their responsibility to use the service in a proper manner. In my case I need to disable it because I am hosting the backend in another service and I don't want to pay to get their SSL addon for my development project. I love the offer of free HTTPS but if it's forced then it's not "free" anymore

[fool]

Thanks for the feedback, @cub33 ! Seems like another service might work better for you. Netlify is pretty firm in our commitment to move all traffic to SSL.

You can of course always link to insecure resources on another service from your netlify site (though the browser experience for this is pretty poor, because the browser vendors agree with our push). Further, our proxying feature allows you to connect to HTTP-only resources (and sends the response to the visitor as HTTPS from our CDN edge) in case your backend doesn't support that option for whatever reason.

[Ericnr]

@fool Could you give an example of how to achieve that via the proxying feature? My backend is still in development and doesn't have SSL certificate yet and this would be very much useful!

[fool]

sure thing @Ericnr .

Suppose your API is at http://endpoint.com/api/* and you want to serve it from https://yournetlifysite.com/api/*. Then, in _redirects as deployed on your netlify site, you could use this pattern:

/api/* http://endpoint.com/api/:splat 200!

A visitor using Chrome connects to netlify for https://yournetlifysite.com/api/yourcall, which forces SSL. Netlify's CDN node says "oh I don't have that content, better (reverse) proxy the call to http://endpoint.com/api/yourcall" and literally forwards the browser request there (it does modify a couple of HTTP request headers while it does so, such as Host and potentially X-Forwarded-For, but otherwise, your endpoint gets the visitor's Chrome User-agent and Accept-Language and uses the same HTTP method (e.g. POST) and payload (if any). Your endpoint says "oh cool, Chrome, here's your response" and sends it back to our CDN node via HTTP. We then forward the response (again with all headers intact, HTTP response code, etc) via https to the browser.

The browser/visitor thinks the whole transaction was secure, and you don't have to "worry about" CORS on your endpoint. This of course is hiding the total insecurity with which you've forwarded their request so allow me to restate the obvious: DON'T send any actually sensitive data this way!

[avinashgardas]

Sometimes, when we are in DEV the backend is not yet in HTTPS, sometimes the backend does not even have a domain.

This prevents us from using Netlify due to issue with CORS.

Hmm..

[mossen]

I tried following but didn't work for me:
/prediction http://18....205.5/prediction:splat 200!

I had to have all these to get some result:

/prediction http://18....205.5/prediction
/prediction http://18....205.5/prediction:splat 200!
/prediction/* http://18....205.5/prediction:splat 200!
/prediction/* http://18....205.5/prediction/:splat 200!

Result:
Mixed Content: The page at 'https://.....-page.netlify.app/' was loaded over HTTPS, but requested an insecure resource 'http://18.....205.5/prediction'. This request has been blocked; the content must be served over HTTPS.

[UddhavSJadhav]

For me API URL was http://api.com/api/:whatever-my-routes

frontend

const baseUrl = "/apiredirect/api"
await fetch(baseUrl +"/:whatever-my-routes" )

_redirects file changes.

/apiredirect/* http://api.com/:splat 200
/* /index.html 200

solved the issue👍

below code didn't work

/* /index.html 200
/apiredirect/* http://api.com/:splat 200