1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

From HTTPS to HTTP - Disabling SSL

Discussion in 'Server Configuration and Hosting' started by Joe Link, Jul 15, 2015.

  1. Joe Link

    Joe Link Well-Known Member

    Anyone else here go to SSL then switch back?
    Marcus likes this.
  2. WSWD

    WSWD Well-Known Member

    Why would you?
    Sim likes this.
  3. Puntocom

    Puntocom Well-Known Member

    I changed the listen parameter to 80 and I added this extra block for the nginx configuration:
    # HTTPS server
    server {
      listen  443 ssl;
      server_name  example.com;
      return 301 http://example.com$request_uri;
      ssl  on;
      ssl_certificate  /etc/ssl/example.crt;
      ssl_certificate_key  /etc/ssl/private/example.key;
      ssl_session_timeout  5m;
      ssl_session_cache  shared:SSL:1m;
      ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
      ssl_prefer_server_ciphers  on;
    Then restart the nginx server.
    Marcus likes this.
  4. RoldanLT

    RoldanLT Well-Known Member

    Me why?
    I did that thing many times :).
    With proper redirects.
  5. Moshe1010

    Moshe1010 Well-Known Member

    Unless there is a very good reason for that, this is pure Google abuse.
  6. Mouth

    Mouth Well-Known Member

    If you had STS active, make sure you deal with that before removing SSL
    MattW likes this.
  7. MattW

    MattW Well-Known Member

    Yes, and as @Mouth has indicated, if you are using STS, make sure you set that to 0 a few days prior to the switch back. I had issues with Cloudflare caching that value, and not being able to get around it.

    I personally removed SSL due to the hit in my adsense revenue.
  8. Tracy Perry

    Tracy Perry Well-Known Member

    I guess that would be important if one actually had revenue coming in on it. :D

    That's the biggest issue I have heard with it, but last I read, I thought they were pushing more ad content via SSL now?
  9. Mouth

    Mouth Well-Known Member

    I would suggest more, at least as long as the STS timeout is for.
  10. RoldanLT

    RoldanLT Well-Known Member

    No Need.
    For Nginx:
  11. Mouth

    Mouth Well-Known Member

    But if a user/visitor hasn't come to your site since the previous max-age and you drop https, then their browser will fail to connect to http and that user will either have to research how to remove the site STS restriction from their browser or wait until the timeout before they can connect to your site again.
  12. RoldanLT

    RoldanLT Well-Known Member

    Already deactivate HSTS value = disabled.
    RFC 6797 - HTTP Strict Transport Security (HSTS)
  13. Mouth

    Mouth Well-Known Member

  14. lit

    lit Member


    Google LOVES SSL
  15. MattW

    MattW Well-Known Member

    A lot of people set this to 365 days :-s

    I only really had an issue with Cloudflare and this value. They kept forcing people to https, and as soon as I moved DNS away from them, everything worked as expected on http
  16. Mouth

    Mouth Well-Known Member

    Yes, so if you have HTTPS active with STS of 365 days and then decided to remove HTTPS and just have HTTP, then you should ensure that you keep HTTPS active, with an STS max-age of zero, and redirecting to HTTP for up to 365 days. Otherwise, if you stop HTTPS after, say, 30 days then any browser/user that last visted your site 30+ days ago will not have picked-up the new STS setting and will refuse to connect to your HTTP site.
    They'll have to know how to go into their browser advanced settings and remove the STS to enable them to connect to your HTTP site, or wait up to 11 months until they can connect!
  17. HWS

    HWS Well-Known Member

    It is always a pain to switch from HTTPS to HTTP. We also had to do it because of Adsense and other ad network problems.

    Time is not ready for full SSL with ad monetized forums, think twice if you plan to switch!

    Beside of having the proper redirect HTTPS > HTTP in place for a very long time (even forever if there are external links to your forum you care about) you also have to renew the SSL certificate each year even if you no longer use HTTPS, because the redirects will not work if the cert is invalid.
    Webby, TheLaw, Puntocom and 2 others like this.
  18. Webby

    Webby Member

    There are more ads available for regular http connections and https slows down the site a little.


    @Mike @Chris D

    I talked to my host about disabling ssl and they said that it is done vie my software (xenforo), how can I do this?

    I currently have CPanel redirecting to an https page which is my main forum page.
  19. Brogan

    Brogan XenForo Moderator Staff Member

    XF doesn't control whether your site is loaded over HTTPS or not.

    The only thing you have to do in XF if switching back to HTTP is to update the Board URL.

    You will also need to remove any rules you added to the .htaccess file when you implemented HTTPS.
    Webby likes this.
  20. WSWD

    WSWD Well-Known Member

    Very true with the ads. The additional load time is negligible on any decent server these days. You're talking on the magnitude of a few milliseconds at most.

Share This Page