14

I have set HSTS for my domain on the site http://server.mydom.tld:80, so the browser goes to https://server.mydom.tld on port 443.

However, I also have other web servers running on other ports. So when I go to http://server.mydom.tld:8888 it gets forwarded to https://server.mydom.tld:8888, but that server does not run HTTPS, so the request fails.

Is that according to spec?

I noticed I don't run HSTS on http://mydom.tld or http://www.mydom.tld, which is probably a mistake.

What to do?

Lenne
  • 1,029

3 Answers

20

Yes, this is intentional. RFC 6797 states:

    The UA MUST replace the URI scheme with "https" [RFC2818], and

    if the URI contains an explicit port component of "80", then
    the UA MUST convert the port component to be "443", or

    if the URI contains an explicit port component that is not
    equal to "80", the port component value MUST be preserved;
    otherwise,

    if the URI does not contain an explicit port component, the UA
    MUST NOT add one.

    NOTE:  These steps ensure that the HSTS Policy applies to HTTP
           over any TCP port of an HSTS Host.

You should run plain HTTP services on a different domain, or even better, use an HTTP+TLS server as a reverse proxy to the internal plain HTTP service.

2

The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
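The two answers above describe two halves of the same browser logic: a UA only records an HSTS policy from a response that arrived over HTTPS with a clean certificate (RFC 6797 section 8.1), and once the host is known it rewrites every plain-HTTP URI for that host per section 8.3, which is exactly why port 8888 is kept. The following is an added example written for this page, a small model of a UA's HSTS policy store; it is not code from either answer and not a real browser's implementation. The class name `HstsStore`, the `cert_ok` flag standing in for certificate validation, and the sample hosts under `mydom.tld` are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example (not from the original post): a minimal model of a browser's
# HSTS policy store, covering header acceptance (RFC 6797 s8.1) and URI
# rewriting (RFC 6797 s8.3). `cert_ok` stands in for real certificate checks.


class HstsStore:
    def __init__(self):
        # known HSTS host -> whether includeSubDomains was set
        self.hosts = {}

    def process_response(self, url, headers, cert_ok):
        """Record a policy only if the response came over HTTPS with no
        certificate errors; the header on a plain-HTTP response is ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_ok:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        max_age = None
        include_sub = False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return False  # malformed max-age: ignore the header
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 removes the policy
            return True
        self.hosts[host] = include_sub
        return True

    def is_known(self, host):
        """Exact match, or a parent domain that set includeSubDomains."""
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            if self.hosts.get(".".join(labels[i:])):
                return True
        return False

    def rewrite(self, url):
        """RFC 6797 s8.3: scheme becomes https; an explicit port 80 becomes
        443; any other explicit port is preserved (so :8888 stays :8888);
        no port is added when the URI had none."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port == 80:
            netloc += ":443"
        elif parts.port is not None:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed sample: the same header seen first over HTTP (ignored),
    # then over HTTPS with a valid certificate (stored).
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print("over http accepted:", store.process_response("http://server.mydom.tld/", hdr, cert_ok=True))
    print("over https accepted:", store.process_response("https://server.mydom.tld/", hdr, cert_ok=True))
    for u in ("http://server.mydom.tld:80/x", "http://server.mydom.tld:8888/", "http://server.mydom.tld/"):
        print(u, "->", store.rewrite(u))
```

Running it shows the behaviour in the question: `:80` becomes `:443`, the portless URL gains no port, and `:8888` is carried over unchanged to `https://`, where nothing is listening. It also shows the point in the question's last paragraph: a policy set on `server.mydom.tld` does not cover `mydom.tld` or `www.mydom.tld`; only the host that sent the header and, with `includeSubDomains`, its subdomains are affected.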

0

If one really doesn't want to run HTTPS on another service, one could add an alias in the DNS, so https://server.domain.tld and http://service.domain.tld:8888 are on the same IP/server.

Then it is possible to add a redirect from http://service.domain.tld and https://service.domain.tld to http://service.domain.tld:8888.

Lenne
  • 1,029