Bug #16000
closed
400 Bad Request - The plain HTTP request was sent to HTTPS port - nginx
0%
Description
Dear pfSense team,
Default local machine:
- http://pfsense/
- https://pfsense/
- https://pfsense/system_advanced_admin.php
I have discovered a bug: when we try to connect to port 443 over HTTP, http://pfsense:443/, we obtain:
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx
In addition, I have discovered a bug: when we change the HTTPS port of the WebAdmin (from the default 443 to another port, for example 444), to have:
https://pfsense:444/ we obtain at the same time http://pfsense:444/ with:
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx
FROM EXTERNAL
If the pfSense has a new WAN rule, for example for port 444:
- https://externalpfsense:444/
- https://externalpfsense:444/firewall_rules.php?if=wan
The same problem exists if the WAN has rules to:
- http://externalpfsense:444/
In addition, if we enable this option, the problem is still here: "WebGUI redirect":
Disable webConfigurator redirect rule
When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.
Can you solve it?
Thanks in advance.
Updated by Jim Pingle 4 months ago
- Category changed from Administrivia to Web Interface
- Status changed from New to Rejected
- Priority changed from Urgent to Very Low
What you are seeing is expected. You cannot send an HTTP request to an HTTPS port. That cannot be redirected, it's an improper request. You can only connect to the HTTPS port using HTTPS.
The redirect is from port 80 to the GUI HTTPS port, so if you do http://x.x.x.x/ it will redirect to https://x.x.x.x/
Updated by Neustradamus - 3 months ago
Thanks for your quick answer!
You can check ALL your devices :)
If you have a WebAdmin in HTTPS, you automatically have the same in HTTP.
You can try all possibilities in local and in external.
There is a bad nginx configuration.
It is important to fix it!
Please change the priority, it is an important problem.
Thanks in advance.
Updated by Neustradamus - 3 months ago
You have closed my ticket, please reopen, it has not been solved!
Linked to:
- https://www.google.com/search?q=400+Bad+Request+The+plain+HTTP+request+was+sent+to+HTTPS+port+nginx
- https://stackoverflow.com/questions/8768946/dealing-with-nginx-400-the-plain-http-request-was-sent-to-https-port-error
Thanks in advance.
Updated by Jim Pingle 3 months ago
It's not a bad or improper configuration, it's working as expected. It should not answer HTTP requests on the HTTPS port. Not even for a redirect. All communication should be encrypted and never exposed to an untrusted network.
We will not encourage/allow the use of HTTP any more than is necessary in a security product.
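An added illustration of the point made in the reply above (not code from pfSense, nginx or any participant in this thread): a listener that expects TLS can only tell from the first bytes whether the client sent a TLS record or a plain HTTP request, and by then the plain request has already crossed the network unencrypted. The function names and all sample bytes are constructed for this example.

```python
# Added illustration; not pfSense or nginx code. All sample bytes are constructed.
TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
TLS_MAJOR = 0x03       # major version byte of every SSL 3.0 / TLS record
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
SENSITIVE = {"cookie", "authorization"}

def classify_first_bytes(data: bytes) -> str:
    """Say what a client sent first on a port that expects TLS."""
    if len(data) >= 2 and data[0] == TLS_HANDSHAKE and data[1] == TLS_MAJOR:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    return "unknown"

def cleartext_exposure(data: bytes) -> dict:
    """Request line and sensitive headers that crossed the network unencrypted."""
    if classify_first_bytes(data) != "plain-http":
        return {}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    exposed = {"request_line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in SENSITIVE:
            exposed[name.strip().lower()] = value.strip()
    return exposed

# Constructed: a browser pointed at http://externalpfsense:444/... by mistake.
PLAIN_REQUEST = (
    b"GET /firewall_rules.php?if=wan HTTP/1.1\r\n"
    b"Host: externalpfsense:444\r\n"
    b"Cookie: session=constructed-value\r\n"
    b"\r\n"
)
# Constructed: first bytes of a TLS ClientHello record.
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for label, data in (("plain", PLAIN_REQUEST), ("tls", TLS_HELLO)):
        print(label, classify_first_bytes(data), cleartext_exposure(data))
```

Whatever the server replies to the plain request (the 400 page or a redirect), everything in the returned dict was already sent in cleartext before that reply.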
Updated by Neustradamus - 3 months ago
I will create a PR to fix this problem! :)