Site not forcing HTTPS only for certain users/networks

ipdct-com.netlify.app

ipdct.com

The site is forcing HTTPS for everyone except for a few random users on Xfinity networks or Frontier, where it is showing HTTP. Everything else is forcing HTTPS.

We have 160+ sites deployed on Netlify and haven’t faced this issue except on this one domain.

Any ideas?

Hi, @tommy1. Can you make a HAR recording of the issue occurring and post it here?

Looking at DNS Checker, @tommy1, the DNS records for ipdct.com are worldnic.com, not nsone.net (including that closest to me).

If you’ve recently changed DNS records, you may need to wait a little longer for full propagation.

Thank you for the response! Let me get one.

Hey @luke, here’s the full .har in txt format:

{
“log”: {
“version”: “1.2”,
“creator”: {
“name”: “WebInspector”,
“version”: “537.36”
},
“pages”: ,
“entries”: [
{
“_initiator”: {
“type”: “other”
},
“_priority”: “VeryHigh”,
“_resourceType”: “document”,
“cache”: {},
“request”: {
“method”: “GET”,
“url”: “https://ipdct.com/”,
“httpVersion”: “”,
“headers”: [
{
“name”: “DNT”,
“value”: “1”
},
{
“name”: “Upgrade-Insecure-Requests”,
“value”: “1”
},
{
“name”: “User-Agent”,
“value”: “Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36”
},
{
“name”: “sec-ch-ua”,
“value”: “"Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"”
},
{
“name”: “sec-ch-ua-mobile”,
“value”: “?1”
},
{
“name”: “sec-ch-ua-platform”,
“value”: “"Android"”
}
],
“queryString”: ,
“cookies”: ,
“headersSize”: -1,
“bodySize”: 0
},
“response”: {
“status”: 0,
“statusText”: “”,
“httpVersion”: “”,
“headers”: ,
“cookies”: ,
“content”: {
“size”: 0,
“mimeType”: “x-unknown”
},
“redirectURL”: “”,
“headersSize”: -1,
“bodySize”: -1,
“_transferSize”: 0,
“_error”: “net::ERR_CONNECTION_REFUSED”,
“_fetchedViaServiceWorker”: false
},
“serverIPAddress”: “”,
“startedDateTime”: “2024-11-05T22:44:31.576Z”,
“time”: 2051.263999994262,
“timings”: {
“blocked”: 2051.263999994262,
“dns”: -1,
“ssl”: -1,
“connect”: -1,
“send”: 0,
“wait”: 0,
“receive”: 0,
“_blocked_queueing”: -1
}
},
{
“_initiator”: {
“type”: “other”
},
“_priority”: “VeryHigh”,
“_resourceType”: “document”,
“cache”: {},
“request”: {
“method”: “GET”,
“url”: “https://ipdct.com/”,
“httpVersion”: “”,
“headers”: [
{
“name”: “DNT”,
“value”: “1”
},
{
“name”: “Upgrade-Insecure-Requests”,
“value”: “1”
},
{
“name”: “User-Agent”,
“value”: “Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36”
},
{
“name”: “sec-ch-ua”,
“value”: “"Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"”
},
{
“name”: “sec-ch-ua-mobile”,
“value”: “?1”
},
{
“name”: “sec-ch-ua-platform”,
“value”: “"Android"”
}
],
“queryString”: ,
“cookies”: ,
“headersSize”: -1,
“bodySize”: 0
},
“response”: {
“status”: 0,
“statusText”: “”,
“httpVersion”: “”,
“headers”: ,
“cookies”: ,
“content”: {
“size”: 0,
“mimeType”: “x-unknown”
},
“redirectURL”: “”,
“headersSize”: -1,
“bodySize”: -1,
“_transferSize”: 0,
“_error”: “net::ERR_ABORTED”,
“_fetchedViaServiceWorker”: false
},
“serverIPAddress”: “”,
“startedDateTime”: “2024-11-05T22:44:34.688Z”,
“time”: 2047.1790000010515,
“timings”: {
“blocked”: 2047.1790000010515,
“dns”: -1,
“ssl”: -1,
“connect”: -1,
“send”: 0,
“wait”: 0,
“receive”: 0,
“_blocked_queueing”: -1
}
},
{
“_initiator”: {
“type”: “other”
},
“_priority”: “VeryHigh”,
“_resourceType”: “document”,
“cache”: {},
“request”: {
“method”: “GET”,
“url”: “https://ipdct.com/”,
“httpVersion”: “”,
“headers”: [
{
“name”: “DNT”,
“value”: “1”
},
{
“name”: “Upgrade-Insecure-Requests”,
“value”: “1”
},
{
“name”: “User-Agent”,
“value”: “Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36”
},
{
“name”: “sec-ch-ua”,
“value”: “"Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"”
},
{
“name”: “sec-ch-ua-mobile”,
“value”: “?1”
},
{
“name”: “sec-ch-ua-platform”,
“value”: “"Android"”
}
],
“queryString”: ,
“cookies”: ,
“headersSize”: -1,
“bodySize”: 0
},
“response”: {
“status”: 0,
“statusText”: “”,
“httpVersion”: “”,
“headers”: ,
“cookies”: ,
“content”: {
“size”: 0,
“mimeType”: “x-unknown”
},
“redirectURL”: “”,
“headersSize”: -1,
“bodySize”: -1,
“_transferSize”: 0,
“_error”: “net::ERR_ABORTED”,
“_fetchedViaServiceWorker”: false
},
“serverIPAddress”: “”,
“startedDateTime”: “2024-11-05T22:44:41.744Z”,
“time”: 2038.5620000015479,
“timings”: {
“blocked”: 2038.5620000015479,
“dns”: -1,
“ssl”: -1,
“connect”: -1,
“send”: 0,
“wait”: 0,
“receive”: 0,
“_blocked_queueing”: -1
}
},
{
“_initiator”: {
“type”: “other”
},
“_priority”: “VeryHigh”,
“_resourceType”: “document”,
“cache”: {},
“request”: {
“method”: “GET”,
“url”: “https://ipdct.com/”,
“httpVersion”: “”,
“headers”: [
{
“name”: “DNT”,
“value”: “1”
},
{
“name”: “Upgrade-Insecure-Requests”,
“value”: “1”
},
{
“name”: “User-Agent”,
“value”: “Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36”
},
{
“name”: “sec-ch-ua”,
“value”: “"Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"”
},
{
“name”: “sec-ch-ua-mobile”,
“value”: “?1”
},
{
“name”: “sec-ch-ua-platform”,
“value”: “"Android"”
}
],
“queryString”: ,
“cookies”: ,
“headersSize”: -1,
“bodySize”: 0
},
“response”: {
“status”: 0,
“statusText”: “”,
“httpVersion”: “”,
“headers”: ,
“cookies”: ,
“content”: {
“size”: 0,
“mimeType”: “x-unknown”
},
“redirectURL”: “”,
“headersSize”: -1,
“bodySize”: -1,
“_transferSize”: 0,
“_error”: “net::ERR_ABORTED”,
“_fetchedViaServiceWorker”: false
},
“serverIPAddress”: “”,
“startedDateTime”: “2024-11-05T22:45:13.791Z”,
“time”: 2057.0279999956256,
“timings”: {
“blocked”: 2057.0279999956256,
“dns”: -1,
“ssl”: -1,
“connect”: -1,
“send”: 0,
“wait”: 0,
“receive”: 0,
“_blocked_queueing”: -1
}
},
{
“_initiator”: {
“type”: “other”
},
“_priority”: “VeryHigh”,
“_resourceType”: “document”,
“cache”: {},
“request”: {
“method”: “GET”,
“url”: “https://ipdct.com/”,
“httpVersion”: “”,
“headers”: [
{
“name”: “DNT”,
“value”: “1”
},
{
“name”: “Upgrade-Insecure-Requests”,
“value”: “1”
},
{
“name”: “User-Agent”,
“value”: “Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36”
},
{
“name”: “sec-ch-ua”,
“value”: “"Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"”
},
{
“name”: “sec-ch-ua-mobile”,
“value”: “?1”
},
{
“name”: “sec-ch-ua-platform”,
“value”: “"Android"”
}
],
“queryString”: ,
“cookies”: ,
“headersSize”: -1,
“bodySize”: 0
},
“response”: {
“status”: 0,
“statusText”: “”,
“httpVersion”: “”,
“headers”: ,
“cookies”: ,
“content”: {
“size”: 0,
“mimeType”: “x-unknown”
},
“redirectURL”: “”,
“headersSize”: -1,
“bodySize”: -1,
“_transferSize”: 0,
“_error”: “net::ERR_ABORTED”,
“_fetchedViaServiceWorker”: false
},
“serverIPAddress”: “”,
“startedDateTime”: “2024-11-05T22:46:15.859Z”,
“time”: 2088.195000003907,
“timings”: {
“blocked”: 2088.195000003907,
“dns”: -1,
“ssl”: -1,
“connect”: -1,
“send”: 0,
“wait”: 0,
“receive”: 0,
“_blocked_queueing”: -1
}
}
]
}
}

That text has been mangled in some way. It is not a valid HAR file.

My best guess is that ISPs are doing DNS hijacking:

https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs

Another way to test this would be to use curl on the command-line like so:

curl --compressed -svo /dev/null --stderr - -k https://ipdct.com/

This is what I see when I run that:

$ curl --compressed -svo /dev/null --stderr - -k https://ipdct.com/
* Host ipdct.com:443 was resolved.
* IPv6: (none)
* IPv4: 13.52.115.166, 54.215.62.21
*   Trying 13.52.115.166:443...
* Connected to ipdct.com (13.52.115.166) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [314 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2034 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.ipdct.com
*  start date: Oct  2 16:01:46 2024 GMT
*  expire date: Dec 31 16:01:45 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://ipdct.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: ipdct.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [accept-encoding: deflate, gzip]
> GET / HTTP/2
> Host: ipdct.com
> User-Agent: curl/8.7.1
> Accept: */*
> Accept-Encoding: deflate, gzip
>
* Request completely sent off
< HTTP/2 200
< accept-ranges: bytes
< age: 2
< cache-control: public,max-age=0,must-revalidate
< cache-status: "Netlify Edge"; fwd=miss
< content-encoding: gzip
< content-type: text/html; charset=UTF-8
< date: Wed, 06 Nov 2024 17:21:33 GMT
< etag: "bd16a69d920805e1fc7c12b3db5d0302-ssl-df"
< server: Netlify
< strict-transport-security: max-age=31536000
< vary: Accept-Encoding
< x-nf-request-id: 01JC17XV8D9Q10HEZGEN6G7EFF
<
{ [1036 bytes data]
* Connection #0 to host ipdct.com left intact

Above, it shows which IP address is responding:

* IPv4: 13.52.115.166, 54.215.62.21
*   Trying 13.52.115.166:443...
* Connected to ipdct.com (13.52.115.166) port 443

That shows 13.52.115.166 is the IP address that responds, and that is an IP address that Netlify is currently using.

If you run the test on a system not getting HTTPS responses, my best guess is that you will discover the IP address responding is one assigned to your ISP and not one Netlify is using. If so, that is usually proof of DNS hijacking by the ISP (although, it could be a misconfigured router or private network instead).

Would you run that command when HTTPS is not working and share the output here please?

@luke You are the man…

Here’s the full .har file if you want it: ipdct.com - Google Drive

Here’s what we got running the curl in command line:

curl --compressed -svo /dev/null --stderr - -k https://ipdct.com/
* Host ipdct.com:443 was resolved.
* IPv6: (none)
* IPv4: 50.19.214.227, 100.28.201.155
* Trying 50.19.214.227:443...
* Connected to ipdct.com (50.19.214.227) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [314 bytes data]
* Recv failure: Connection reset by peer
* LibreSSL/3.3.6: error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection
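
The comparison suggested above (which addresses were resolved, which one answered, and whether TLS completed) can be scripted. This is an added example, not part of any post in this thread or of Netlify's tooling; the reference set and the abridged samples are taken from the two curl outputs posted here, and the function names are hypothetical. A mismatch only means the address owner should be looked up, since CDN addresses can change.

```sh
# Reference set: addresses resolved on the network where HTTPS worked
# (first curl output in this thread). Assumption: re-check it for your own site.
REFERENCE_IPS="13.52.115.166 54.215.62.21"
# Constructed samples, abridged from the two curl outputs posted in the thread.
SAMPLE_OK='* IPv4: 13.52.115.166, 54.215.62.21
* Connected to ipdct.com (13.52.115.166) port 443
*  SSL certificate verify ok.
< HTTP/2 200'
SAMPLE_FAIL='* IPv4: 50.19.214.227, 100.28.201.155
* Connected to ipdct.com (50.19.214.227) port 443
* Recv failure: Connection reset by peer'

# IPv4 addresses curl resolved, space separated.
resolved_ips() {
  printf '%s\n' "$1" | sed -n 's/^\* IPv4: //p' | tr -d ','
}
# Address curl actually opened the TCP connection to.
connected_ip() {
  printf '%s\n' "$1" | sed -n 's/^\* Connected to [^ ]* (\([0-9.]*\)) port .*/\1/p' | head -n 1
}
# verified = certificate chain checked OK; reset = peer dropped the handshake.
tls_state() {
  case "$1" in
    *"SSL certificate verify ok."*) echo verified ;;
    *"Connection reset by peer"*)   echo reset ;;
    *)                              echo unknown ;;
  esac
}
# Resolved addresses that are absent from the reference set.
unexpected_ips() {
  out=""
  for ip in $(resolved_ips "$1"); do
    case " $REFERENCE_IPS " in
      *" $ip "*) ;;
      *) out="$out $ip" ;;
    esac
  done
  printf '%s\n' "${out# }"
}
# One-line verdict for a captured `curl -sv` transcript.
assess() {
  extra=$(unexpected_ips "$1"); state=$(tls_state "$1")
  if [ -z "$extra" ] && [ "$state" = verified ]; then
    echo "match: reference addresses, TLS verified"
  else
    echo "investigate: unexpected=[$extra] connected=$(connected_ip "$1") tls=$state"
  fi
}
# Real use (without -k, so a bad certificate fails instead of being ignored):
#   assess "$(curl -svo /dev/null --stderr - https://ipdct.com/)"
assess "$SAMPLE_OK"; assess "$SAMPLE_FAIL"
```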

Hi @tommy1, it looks like our team is working with you in our helpdesk. Our team will follow up with you via email on ticket # 314499.