Rails 3.1 introduced
force_ssl. You can add
config.force_ssl = true in
force_ssl, Rails send a HSTS (HTTP Strict Transport Security) header which will expired in a year.
So if you enabled
force_ssl once, even you change the config value to
false later, the browser you used to open you app before will still remember this website (using domain to identify) require to use HTTPS, and redirect you to HTTPS connection automatically. You may use
chrome://net-internals/#hsts to check the domain list in Google Chrome.
If you really need to fall back to HTTP connection, you may need to apply the following code. The setup is to force Rails send a new HSTS header which will be expired immediately. When a browser open your Rails application, the browser will expire the HSTS record.