It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

这不是 Apache 的问题，而是 Rails 发送 HSTS 标头的事实。

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = truealso uses a 301 (permanent) redirection.

在 Chrome 中，您可以通过进入 来清除 HSTS 状态about:net-internals，如ImperialViolet: HSTS UI in Chrome 中所述。您可能还需要清除缓存，因为config.force_ssl = true还使用了 301（永久）重定向。

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

此外，根据这个答案，您还可以让您的应用程序发送一个 max-age=0 的 STS 标头。在您的控制器中：

response.headers["Strict-Transport-Security"] = 'max-age=0'

Just wanted to point out @Bruno's answer and @JoeVanDyk's suggestions are true and can be applied beyond the context of Rails/Apache. I'm using PHP and Nginx. PHP has nothing to do with it in my case, but here's the steps with Nginx:

只是想指出@Bruno 的回答和@JoeVanDyk 的建议是正确的，并且可以应用于 Rails/Apache 的上下文之外。我正在使用 PHP 和 Nginx。在我的情况下，PHP 与它无关，但这是 Nginx 的步骤：

//sorry here's the nginx.conf part first, can't figure out how to mix multi-line 
//code with an ordered list

server {
   #...
   #change:
   # add_header  Strict-Transport-Security "max-age=315360000; includeSubdomains";     
   #to:
   add_header  Strict-Transport-Security "max-age=0;";
   #...
}

1. clear your "browser history". To clarify on @JoeVanDyk's suggestion , I think you need to clear "browsing history" because clearing the cache didn't work for me (tested on Chrome/Firefox, please add comments if you know more).

2. nginx.conf file (see code above)

3. restart server

   root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart.

1. 清除您的“浏览器历史记录”。为了澄清@JoeVanDyk 的建议，我认为您需要清除“浏览历史记录”，因为清除缓存对我不起作用（在 Chrome/Firefox 上测试，如果您了解更多，请添加评论）。

2. nginx.conf 文件（见上面的代码）

3. 重启服务器

   root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart.

After this, you can revert the nginx add_header Strict..command to what you previously had. Just make sure you repeat steps 1-3 again.

在此之后，您可以将 nginxadd_header Strict..命令恢复为您之前拥有的命令。只需确保再次重复步骤 1-3。

I found I couldn't delete an HSTS entry in Chrome as I was using an IP address for development. I couldn't seem to get chrome://net-internals/#hststo delete the entry. I found that Chrome stores the entries in ../AppData/local/Google/Chrome/User Data/Default/TransportSecurity so I just deleted the file. It of course removes all HSTS requests, but I suspect they will be rebuilt over time.

我发现我无法在 Chrome 中删除 HSTS 条目，因为我使用 IP 地址进行开发。我似乎chrome://net-internals/#hsts无法删除该条目。我发现 Chrome 将条目存储在 ../AppData/local/Google/Chrome/User Data/Default/TransportSecurity 中，所以我刚刚删除了该文件。它当然会删除所有 HSTS 请求，但我怀疑它们会随着时间的推移而重建。

Figured id offer a bit of thought on this. Setting cache time to 0 is a best bet and if you turn it off you need to leave it at 0 for weeks to clear out clients browsers. If you just need to clear HSTS in chrome (for your own browser) you can use chrome://net-internals/#hstsin the address bar to clear the cache for your site at your specific browser. Combined with the below "doorway" it becomes useful.

想像的 id 对此提供了一些想法。将缓存时间设置为 0 是最好的选择，如果您将其关闭，则需要将其保留为 0 数周以清除客户端浏览器。如果您只需要清除 chrome 中的 HSTS（对于您自己的浏览器），您可以chrome://net-internals/#hsts在地址栏中使用在您的特定浏览器中清除您网站的缓存。结合下面的“门口”，它变得有用。

You can set temporary HSTS modes by setting/spoofing a custom header => key. Basically if a special request header exists, and it matches a key, set HSTS with a cache time of whatever you need. This would allow you to turn on or shut off HSTS for all traffic but you. Useful for trying HSTS out before you globally enable (to make sure all assets are loading). Also useful if you wanna temporarily clear out client cache while something is repaired (leaving you room for test).

您可以通过设置/欺骗自定义标头 => 键来设置临时 HSTS 模式。基本上，如果存在一个特殊的请求标头，并且它与一个键匹配，则将 HSTS 设置为您需要的任何缓存时间。这将允许您为除您之外的所有流量打开或关闭 HSTS。用于在全局启用之前尝试 HSTS（以确保所有资产都在加载）。如果您想在修复某些内容时暂时清除客户端缓存（留出测试空间），这也很有用。

If you are developing an application/site and for any reason you choose to use the domain .dev or .app for it and if you are using Chrome, Edge (Chromium based) as your browser you won't be able to get rid of this error because Google bought TLD .dev and .app and force the use of HTTPS for those domain.

如果您正在开发应用程序/站点，并且出于任何原因选择使用域 .dev 或 .app 作为它，并且如果您使用 Chrome、Edge（基于 Chromium）作为浏览器，您将无法摆脱这个错误是因为谷歌购买了 TLD .dev 和 .app 并强制对这些域使用 HTTPS。

The "so called" workaround here is that you should change .dev or .app for something else, let say .local.

这里的“所谓”解决方法是您应该将 .dev 或 .app 更改为其他内容，例如 .local。

Hope this helps, somehow.

希望这有帮助，不知何故。