Bug #6650
closed
Option needed to disable HSTS
100%
Description
HSTS is based solely on hosts, and not port numbers. As a result, any HTTPS devices behind the pfSense are unreachable via NAT, because the browser refuses to connect. Trying to connect to https://pfsense:2345/ gives an error that can't be bypassed because I previously visited https://pfsense/.
There needs to be an option to disable HSTS on the system.
Updated by Kill Bill over 7 years ago
Hint: Use haproxy with SNI and forget the ports. See https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki (and yes, you can use it for pfSense webGUI as well, as long as you move the webGUI to a custom port instead of 443.)
Updated by NOYB NOYB over 7 years ago
A potential workaround may be to use a different host name for other NAT'ed ports.
Updated by Adam Piasecki over 7 years ago
Having same issue, all HTTP sites are also broken like the original example. Need option in pfsense to disable HSTS.
Updated by Kill Bill about 7 years ago
Bump here. This breaks even things running on pfSense itself, such as the darkstat package (HTTP only). It will break other packages as well when you need to switch the GUI protocol (e.g. Lightsquid), because, well: "max-age=31536000".
Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.)
Really no good to have it hardcoded. The haproxy hint above is of course still valid but lots of work for home setups.
Updated by NOYB NOYB about 7 years ago
Kill Bill wrote:
Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.)
What is so difficult about clearing browser cookies?
Updated by Kill Bill about 7 years ago
NOYB NOYB wrote:
What is so difficult about clearing browser cookies?
Nothing except that it's completely useless. E.g. in Chrome, you go fiddle with chrome://net-internals/#hsts to fix this.
Updated by Brett Montgomery about 7 years ago
Another thing, if the pfSense GUI is behind a reverse proxy (in my case Nginx) you can't enable HSTS on Nginx as it would result in twice HSTS headers..
So you can't make HSTS global on your reverse proxy, you have to customize the config file only for pfSense.
An option to disable HSTS would be really great.
Updated by Kill Bill over 6 years ago
Got fed up with this... People who are interested in having HSTS optional kindly test this: https://github.com/pfsense/pfsense/pull/3856
Updated by Jim Pingle over 6 years ago
- Priority changed from High to Normal
- Target version set to 2.4.2
Updated by Renato Botelho over 6 years ago
- Status changed from New to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged
Updated by Anonymous over 6 years ago
Tested on pfSense-netgate-memstick-ADI-2.4.2-DEVELOPMENT-amd64-20171103-1355.img, works as expected.
HSTS box unchecked
user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
HSTS box checked
user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
user@work-laptop ~ $
Updated by Renato Botelho over 6 years ago
- Status changed from Feedback to Resolved