Bug #6650

Option needed to disable HSTS

Added by Michael Newton over 3 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Category: Web Interface
Target version:
Start date: 07/27/2016
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3.2
Affected Architecture: All

Description

HSTS is based solely on hosts, and not port numbers. As a result, any HTTPS devices behind pfSense are unreachable via NAT, because the browser refuses to connect. Trying to connect to https://pfsense:2345/ gives an error that can't be bypassed because I previously visited https://pfsense/.

There needs to be an option to disable HSTS on the system.

Associated revisions

Revision 3684280d (diff)
Added by Doktor Notor about 2 years ago

Add option to disable HSTS for nginx (Bug #6650)

Revision b42a43f7 (diff)
Added by Doktor Notor about 2 years ago

Add option to disable HSTS for nginx (Bug #6650)

Revision a257c4c9 (diff)
Added by Doktor Notor about 2 years ago

Add option to disable HSTS for nginx (Bug #6650)

Revision 193f628d (diff)
Added by Doktor Notor about 2 years ago

Add option to disable HSTS for nginx (Bug #6650)

Revision 42833525 (diff)
Added by Doktor Notor about 2 years ago

Add option to disable HSTS for nginx (Bug #6650)

Revision 7f797833 (diff)
Added by Doktor Notor about 2 years ago

Add option to disable HSTS for nginx (Bug #6650)

History

#1 Updated by Kill Bill over 3 years ago

Hint: Use haproxy with SNI and forget the ports. See https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki (and yes, you can use it for pfSense webGUI as well, as long as you move the webGUI to a custom port instead of 443.)

#2 Updated by NOYB NOYB over 3 years ago

A potential workaround may be to use a different host name for other NAT'ed ports.

#3 Updated by Adam Piasecki about 3 years ago

Having the same issue; all HTTP sites are also broken, like the original example. Need an option in pfSense to disable HSTS.

#4 Updated by Kill Bill almost 3 years ago

Bump here. This breaks even things running on pfSense itself, such as the darkstat package (HTTP only). It will break other packages as well when you need to switch the GUI protocol (e.g. Lightsquid), because, well: "max-age=31536000".

Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.

Really no good to have it hardcoded. The haproxy hint above is of course still valid but lots of work for home setups.

#5 Updated by NOYB NOYB almost 3 years ago

Kill Bill wrote:

Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.

What is so difficult about clearing browser cookies?

#6 Updated by Kill Bill almost 3 years ago

NOYB NOYB wrote:

What is so difficult about clearing browser cookies?

Nothing except that it's completely useless. E.g. in Chrome, you go fiddle with chrome://net-internals/#hsts to fix this.

#7 Updated by Brett Montgomery almost 3 years ago

Another thing: if the pfSense GUI is behind a reverse proxy (in my case Nginx) you can't enable HSTS on Nginx, as it would result in two HSTS headers.
So you can't make HSTS global on your reverse proxy; you have to customize the config file only for pfSense.

An option to disable HSTS would be really great.

#8 Updated by Kill Bill about 2 years ago

Got fed up with this... People who are interested in having HSTS optional kindly test this: https://github.com/pfsense/pfsense/pull/3856

#9 Updated by Jim Pingle about 2 years ago

  • Priority changed from High to Normal
  • Target version set to 2.4.2

#10 Updated by Renato Botelho about 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged

#11 Updated by James Dekker about 2 years ago

Tested on pfSense-netgate-memstick-ADI-2.4.2-DEVELOPMENT-amd64-20171103-1355.img, works as expected.

HSTS box unchecked

user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000

HSTS box checked

user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
user@work-laptop ~ $
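Added example, not code from the pfSense project or from any poster in this thread, covering both the reverse-proxy concern in comment #7 (two layers each adding the header) and the curl check in comment #11: a small POSIX shell script that dumps a URL's response headers exactly once and reports whether Strict-Transport-Security is absent, present with its max-age, or sent more than once. The function names (hsts_report, fetch_headers, check_url, sample_report) and the sample header blobs are this example's own; the samples are constructed inline so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not pfSense project code). Reports what a host sends for
# Strict-Transport-Security: nothing, one header (with its max-age), or more
# than one copy, which is what a browser sees when a reverse proxy and the
# pfSense nginx behind it both add the header. All names here are the
# example's own.

# hsts_report: read raw HTTP response headers on stdin and print one line:
#   none             no Strict-Transport-Security header at all
#   max-age=<N>      exactly one header; <N> is its max-age, or "missing"
#   duplicate:<K>    header present K times (two layers are both setting it)
hsts_report() {
    # drop CRs from CRLF line endings; header names are case-insensitive
    _lines=$(tr -d '\r' | grep -i '^strict-transport-security:' || true)
    if [ -z "$_lines" ]; then
        echo none
        return 0
    fi
    _count=$(printf '%s\n' "$_lines" | wc -l | tr -d ' ')
    if [ "$_count" -gt 1 ]; then
        echo "duplicate:$_count"
        return 0
    fi
    _age=$(printf '%s\n' "$_lines" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    echo "max-age=${_age:-missing}"
}

# fetch_headers: dump a URL's response headers exactly once.
# -s hides the progress meter, -o /dev/null discards the body, -D - writes the
# headers to stdout. Combining -I with -D - (as in comment #11) prints every
# header twice, so a doubled line in that output is not a doubled header.
fetch_headers() {
    curl -sS -k -o /dev/null -D - "$1"
}

# check_url: live check against a host, e.g. check_url https://pfsense.localdomain/
check_url() {
    fetch_headers "$1" | hsts_report
}

# sample_report: run a header blob held in a variable through the parser.
sample_report() {
    printf '%s\n' "$1" | hsts_report
}

# Constructed sample responses (not captured from a real system).
SAMPLE_HSTS_ON='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000
Content-Type: text/html'

SAMPLE_HSTS_OFF='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# What a browser sees when a reverse proxy adds HSTS and pfSense also sends it.
SAMPLE_HSTS_DOUBLE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000
Content-Type: text/html'
```

For a live check, `check_url https://pfsense.localdomain/` prints `none` once the disable option is in effect and `max-age=31536000` before. If the proxy in comment #7 is nginx, `proxy_hide_header Strict-Transport-Security;` on the proxy drops the copy pfSense sends, so the proxy's own add_header can stay global and the check reports a single header rather than `duplicate:2`.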

#12 Updated by Renato Botelho about 2 years ago

  • Status changed from Feedback to Resolved
