Project

General

Profile

Actions

Bug #6650

closed

Option needed to disable HSTS

Added by Michael Newton about 8 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
Normal
Category:
Web Interface
Target version:
Start date:
07/27/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.2
Affected Architecture:
All

Description

HSTS is based solely on hosts, and not port numbers. As a result, any HTTPS devices behind the pfSense are unreachable via NAT, because the browser refuses to connect. Trying to connect to https://pfsense:2345/ gives an error that can't be bypassed because I previously visited https://pfsense/.

There needs to be an option to disable HSTS on the system.

Actions #1

Updated by Kill Bill about 8 years ago

Hint: Use haproxy with SNI and forget the ports. See https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki (and yes, you can use it for pfSense webGUI as well, as long as you move the webGUI to a custom port instead of 443.)

Actions #2

Updated by NOYB NOYB about 8 years ago

A potential workaround may be to use a different host name for other NAT'ed ports.

Actions #3

Updated by Adam Piasecki almost 8 years ago

Having same issue, all HTTP sites are also broken like the original example. Need option in pfsense to disable HSTS.

Actions #4

Updated by Kill Bill over 7 years ago

Bump here. This breaks even things running on pfSense itself, such as the darkstat package (HTTP only). It will break other packages as well when you need to switch the GUI protocol (e.g. Lightsquid), because, well: "max-age=31536000".

Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.)

Really no good to have it hardcoded. The haproxy hint above is of course still valid but lots of work for home setups.

Actions #5

Updated by NOYB NOYB over 7 years ago

Kill Bill wrote:

Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.)

What is so difficult about clearing browser cookies?

Actions #6

Updated by Kill Bill over 7 years ago

NOYB NOYB wrote:

What is so difficult about clearing browser cookies?

Nothing except that it's completely useless. E.g. in Chrome, you go fiddle with chrome://net-internals/#hsts to fix this.

Actions #7

Updated by Brett Montgomery over 7 years ago

Another thing, if the pfSense GUI is behind a reverse proxy (in my case Nginx) you can't enable HSTS on Nginx as it would result in twice HSTS headers..
So you can't make HSTS global on your reverse proxy, you have to customize the config file only for pfSense.

An option to disable HSTS would be really great.

Actions #8

Updated by Kill Bill almost 7 years ago

Got fed up with this... People who are interested in having HSTS optional kindly test this: https://github.com/pfsense/pfsense/pull/3856

Actions #9

Updated by Jim Pingle almost 7 years ago

  • Priority changed from High to Normal
  • Target version set to 2.4.2
Actions #10

Updated by Renato Botelho almost 7 years ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged

Actions #11

Updated by Anonymous almost 7 years ago

Tested on pfSense-netgate-memstick-ADI-2.4.2-DEVELOPMENT-amd64-20171103-1355.img, works as expected.

HSTS box unchecked
user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000

HSTS box checked
user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
user@work-laptop ~ $ 
Actions #12

Updated by Renato Botelho almost 7 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF