Simple webserver without HTTPS no longer possible?

GotNoRice

OK, so long story short, for 15+ years I've run my own simple webserver using my own internet connection via IIS at gotnorice.com. No website, I just use it mainly for hosting pictures that I post on forums as well as when I need to send files to someone, I can just toss it on there and send someone a link.

Example, a picture of my dog:
http://gotnorice.com/Tyson.jpg

I've never had to do anything special, other than occasionally update the DNS info with my domain registrar if the IP of my internet connection changed for some reason.

But now it seems like there is an obsessive push for HTTPS. On many browsers now, if I send someone a link such as the example picture above, it tries to automatically change it from http://gotnorice.com/Tyson.jpg to https://gotnorice.com/Tyson.jpg, at which point it fails (as I do not have it configured for HTTPS) and the picture/file does not load/download.

I've never bothered with HTTPS because I simply don't need it. I don't host anything important. I don't need random internet pictures that I post on forums, etc, to be encrypted.

So what are my options going forward? Is it no longer practical to simply use HTTP instead of HTTPS? If I absolutely have to configure the server to work with HTTPS, can anyone recommend a simple guide for getting this done on IIS using Windows Server 2019?
 
Are you certain there's not something installed on the client or server that would be causing the redirects, such as HTTPS Everywhere or a server-side rule?

Setting up a cert with Let's Encrypt should be fairly easy (and free). I've not tried it myself, but on a quick read-through this guide looks reasonable.

It's not a bad idea to support HTTPS anyways. If you're posting to forums that support HTTPS then only having the images available via HTTP can cause issues with mixed content, especially so as implementation of a content security policy becomes more of a thing.
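Added example, not part of any post in this thread: a small Python audit of how an HTTPS forum page treats subresources served over plain HTTP, with and without an `upgrade-insecure-requests` content security policy. The forum URL, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that carries the subresource URL, per tag (<a href> is navigation, not a subresource).
SUBRESOURCE_ATTR = {"img": "src", "audio": "src", "video": "src", "source": "src",
                    "script": "src", "iframe": "src", "link": "href"}
# Passive ("optionally blockable") content; everything else above is blocked outright.
PASSIVE = {"img", "audio", "video", "source"}

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.found = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched as subresources here
        value = attrs.get(SUBRESOURCE_ATTR.get(tag, ""))
        if value:
            self.found.append((tag, urljoin(self.base_url, value)))

def audit(page_url, html, csp=""):
    """Return (tag, url, outcome) for every plain-HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists when the embedding page is HTTPS
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    collector = _Collector(page_url)
    collector.feed(html)
    report = []
    for tag, url in collector.found:
        if urlsplit(url).scheme != "http":
            continue
        if "upgrade-insecure-requests" in directives:
            outcome = "upgraded-to-https"      # fails if the host has no HTTPS listener
        elif tag in PASSIVE:
            outcome = "passive-mixed-content"  # warning, upgrade or block: browser-dependent
        else:
            outcome = "blocked"                # active mixed content is blocked
        report.append((tag, url, outcome))
    return report

# Constructed sample: a forum post embedding the image from this thread.
SAMPLE_PAGE = "https://forum.example/thread/1"
SAMPLE_HTML = """<img src="http://gotnorice.com/Tyson.jpg">
<img src="/avatars/1.png"><script src="http://cdn.example/widget.js"></script>
<a href="http://gotnorice.com/Tyson.jpg">direct link</a>"""

if __name__ == "__main__":
    for row in audit(SAMPLE_PAGE, SAMPLE_HTML, "upgrade-insecure-requests"):
        print(row)
```

An image reported as `upgraded-to-https` is requested only over HTTPS, so a host that answers on port 80 alone shows up as a broken image on that page even though the direct HTTP link still works.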
 
Setting up HTTPS isn't too bad, the only real downside is that you have to renew the certificate every three months (which can be automated). I've not done it for IIS but it should be a low level of complexity these days. I use my website for very similar operations.
 
I think it's something on your client's side. I just visited your link - and that is a beautiful dog. No HTTPS required...
 
Setting up HTTPS isn't too bad, the only real downside is that you have to renew the certificate every three months (which can be automated). I've not done it for IIS but it should be a low level of complexity these days. I use my website for very similar operations.
Very simple to do, and you can even schedule the task to run and auto renew :)

https://weblog.west-wind.com/posts/...n-windows#the-easy-way-letsencrypt-win-simple

For the record I opened your test link no problems. Win 10 1909 and Latest Chrome Browser.
 
Got to your link ok, win 10 & firefox. Sounds like a browser issue, they do have a push to https by default, maybe something in your setup? At worst your browser should just complain about visiting an unsecure site.
 
OK, so seems like maybe it wasn't as big of an issue as I thought. I did have a few people from remote locations that said they were having trouble, but part of the problem may have been on my side also. Since I'm on the same local network as my webserver, it acts weird if I try to access internet links directed to my external IP. So on my main PC, I have an entry in my hosts file to redirect GotNoRice.com to the local IP of my web server, so I can see my own images when I post them on forums, etc. It seems that the latest version of Firefox enabled some kind of secure DNS that even bypasses the hosts file. Once I disabled the new Firefox secure DNS, it seems to be loading okay for me again as well. I'm glad that everything seems to be working okay for now. Thanks everyone, I appreciate the help.
 
It seems that the latest version of Firefox enabled some kind of secure DNS that even bypasses the hosts file. Once I disabled the new Firefox secure DNS, it seems to be loading okay for me again as well.
Generally these functions are implemented for a form of internet 'herd immunity' to head off mass DNS attacks, so perhaps it might be worth it to implement TLS on your site so that you don't have to disable security features?
 
Site rendered fine for me. Firefox ESR 68.8.0

BUT - you probably want to start planning on offering/switching to HTTPS at some point. Today HTTPS is encouraged but not required. At some point that will change to required unless you really want to argue with your browser/security software. Think of what has happened to Flash over the last many years. Better to be able to test and swap over on your schedule than suddenly finding your site is unreachable for most folks after some future update.
 
Works fine on Ubuntu 20.04LTS w/ both Firefox 76.0.1 and Chrome 81.0.4044.138
 