Un naufragio personal

Ángel Ortega

Plaintext HTTP in a Modern World

An interesting solution by Joshua Stein that implements HTTPS redirections only for modern browsers while still serving plaintext HTTP for older ones. Here is an nginx configuration snippet:

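server {
    server_name example.com;
    listen *:80;
    listen *:443 ssl http2;

    # $https is "on" for TLS connections and empty otherwise, so the
    # concatenation equals "1" only for a plaintext request that carries
    # Upgrade-Insecure-Requests: 1 (over TLS it would be "on1" or "on").
    set $need_http_upgrade "$https$http_upgrade_insecure_requests";
    location / {
        if ($need_http_upgrade = "1") {
            add_header Vary Upgrade-Insecure-Requests;
            return 301 https://$host$request_uri;
        }
    }

    ...
}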

The Upgrade-Insecure-Requests HTTP header (with a value of 1) is sent by modern browsers when they connect through non-encrypted connections.
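One way to verify that a deployed server follows this policy, as an added example that is not part of the original post or of Joshua Stein's article. The function names and `simulated_probe` (a constructed stand-in for the port-80 listener, so the check runs offline) are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

def probe(host, path="/", upgrade=False, port=80):
    """Send one plaintext GET; return (status, headers with lowercase names)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Upgrade-Insecure-Requests": "1"} if upgrade else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    result = (resp.status, {k.lower(): v for k, v in resp.getheaders()})
    conn.close()
    return result

def simulated_probe(host, path="/", upgrade=False, port=80):
    """Constructed model of the snippet on the plaintext listener ($https is empty)."""
    need_http_upgrade = "" + ("1" if upgrade else "")
    if need_http_upgrade == "1":
        return 301, {"location": f"https://{host}{path}",
                     "vary": "Upgrade-Insecure-Requests"}
    return 200, {"content-type": "text/html"}

def check_policy(host, path="/", probe_fn=probe):
    """Return a list of problems; an empty list means the policy holds."""
    problems = []
    # A client that advertises Upgrade-Insecure-Requests must be redirected.
    status, hdrs = probe_fn(host, path, upgrade=True)
    loc = urlsplit(hdrs.get("location", ""))
    if status != 301:
        problems.append(f"modern client: expected 301, got {status}")
    elif (loc.scheme, loc.hostname, loc.path) != ("https", host, path):
        problems.append(f"modern client: unexpected Location {hdrs.get('location')!r}")
    # Without Vary, a shared cache could replay the redirect to legacy clients.
    vary = [v.strip().lower() for v in hdrs.get("vary", "").split(",")]
    if "upgrade-insecure-requests" not in vary:
        problems.append("modern client: Vary lacks Upgrade-Insecure-Requests")
    # A client that does not send the header must still get plaintext content.
    status, hdrs = probe_fn(host, path, upgrade=False)
    if status in (301, 302, 303, 307, 308) and hdrs.get("location", "").startswith("https:"):
        problems.append("legacy client: redirected to HTTPS instead of served plaintext")
    return problems

if __name__ == "__main__":
    # Offline run against the constructed model; drop probe_fn to test a real host.
    print(check_policy("example.com", "/index.html", probe_fn=simulated_probe))
```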

https://jcs.org/2021/01/06/plaintext