Bug #6650
closed
Option needed to disable HSTS
Added by Michael Newton over 8 years ago.
Updated about 7 years ago.
Affected Architecture: All
Description
HSTS is based solely on hosts, and not port numbers. As a result, any HTTPS devices behind the pfSense are unreachable via NAT, because the browser refuses to connect. Trying to connect to https://pfsense:2345/ gives an error that can't be bypassed because I previously visited https://pfsense/.
There needs to be an option to disable HSTS on the system.
A potential workaround may be to use a different host name for other NAT'ed ports.
Having same issue, all HTTP sites are also broken like the original example. Need option in pfsense to disable HSTS.
Bump here. This breaks even things running on pfSense itself, such as the darkstat package (HTTP only). It will break other packages as well when you need to switch the GUI protocol (e.g. Lightsquid), because, well: "max-age=31536000".
Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.
Really no good to have it hardcoded. The haproxy hint above is of course still valid but lots of work for home setups.
Kill Bill wrote:
Most importantly, it makes switching back to HTTP pretty much impossible without stupid browser-specific hacking, at least if you want to still use the same FQDN. And trying by IP will often trigger the DNS rebinding error, and at that point, you are just very much screwed.
What is so difficult about clearing browser cookies?
NOYB NOYB wrote:
What is so difficult about clearing browser cookies?
Nothing except that it's completely useless. E.g. in Chrome, you go fiddle with chrome://net-internals/#hsts to fix this.
Another thing: if the pfSense GUI is behind a reverse proxy (in my case Nginx), you can't enable HSTS on Nginx, as it would result in the HSTS header being sent twice.
So you can't make HSTS global on your reverse proxy, you have to customize the config file only for pfSense.
An option to disable HSTS would be really great.
- Priority changed from High to Normal
- Target version set to 2.4.2
- Status changed from New to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
Tested on pfSense-netgate-memstick-ADI-2.4.2-DEVELOPMENT-amd64-20171103-1355.img, works as expected.
HSTS box unchecked
user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
HSTS box checked
user@work-laptop ~ $ curl -I -k -D- https://pfsense.localdomain | grep -i Strict
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
user@work-laptop ~ $
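The behaviour this thread describes, modelled as an added example that is not code from pfSense or this bug report: a browser's HSTS store is keyed on the host name alone, so a policy learnt from https://pfsense/ also forces HTTPS on https://pfsense:2345/ and on a plain-HTTP package port, and simply no longer sending the header (the new option) does not clear an entry the browser already cached, since RFC 6797 lets only a max-age=0 header from the host do that. The header dumps and host names are constructed, and the includeSubDomains handling goes beyond the thread's single-host case.

```python
import re
import time

# Added example (not pfSense code). Constructed header dumps, as curl -I shows them.
HSTS_ON = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
HSTS_OFF = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"      # option disabled: no header
HSTS_CLEAR = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n"

def parse_hsts(raw_headers):
    """Return {'max_age', 'include_subdomains', 'extra_fields'} or None.
    RFC 6797 s8.1: with several STS fields the UA honours only the first,
    so a second copy added by a reverse proxy is counted, not merged."""
    fields = [ln.split(":", 1)[1] for ln in raw_headers.splitlines()
              if ln.lower().startswith("strict-transport-security:")]
    if not fields:
        return None
    policy = {"max_age": None, "include_subdomains": False,
              "extra_fields": len(fields) - 1}
    for directive in fields[0].split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

class HstsCache:
    """Minimal model of a browser HSTS store; entries are keyed on host, never port."""
    def __init__(self, now=time.time):
        self._now, self._hosts = now, {}   # host -> (expiry, include_subdomains)
    def learn(self, host, raw_headers):
        """Apply the policy carried by a secure response from host."""
        pol = parse_hsts(raw_headers)
        if pol is None or pol["max_age"] is None:
            return     # no valid header: a cached entry stays until it expires
        if pol["max_age"] == 0:
            self._hosts.pop(host, None)      # max-age=0 is how a server un-pins itself
        else:
            self._hosts[host] = (self._now() + pol["max_age"], pol["include_subdomains"])
    def must_upgrade(self, url):
        """True if the browser will refuse plain HTTP to url, whatever the port."""
        m = re.match(r"https?://([^/:]+)", url)
        labels = (m.group(1).lower() if m else "").split(".")
        for i in range(len(labels)):         # exact host first, then each parent
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False
```

Run parse_hsts over the output of the curl command shown above to confirm the header is gone after the option is enabled; the curl -I -D- pairing prints each header twice on stdout, which is not the same as the server sending two fields.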
- Status changed from Feedback to Resolved