2.4.0-RC (arm) reverting webconfigurator from https to http yields in login loop

oldunixguy

running 2.4.0-RC (arm) on sg-1000.

For a long time I have been running the web configurator on https port 4443. The "normal" port 443 is port forwarded to a host on the LAN. Note that I also have port 80 forwarded to a host on the LAN.

I had a functioning SSH login with key access so I could undo the changes that lock me out of the configurator.

I have tried several methods to change this to something like http on port 88. [Eventually I will reconfigure other settings to prevent reaching this from the WAN and using SSH tunneling to reach the web configurator on http port 88. But not yet.] I want to do this in stages.

Method 1- I used the web configurator itself. On System->Advanced->Admin Access I changed from https to http port 88 ONLY- no other change. This resulted in painting the web configurator login page http://10.0.0.1:88 but after entering the credentials it after a short pause would just repaint the login page.

Method 2- I used was the web configurator System->Advanced->Admin Access I changed from https to http and put the port back to 4443- no other change. This resulted in painting the web configurator login page http://10.0.0.1:4443 but after entering the credentials it after a short pause would just repaint the login page.

Method 3- I used the SSH command line interface and Option 2 because documentation stated it would allow reverting back to http for the configurator. I entered the same IP and netmask for the LAN and did not touch the WAN. I selected http. Yet, this too would not work.

Clearly, there is some other change or changes to make this work. The documentation (and forum posts) are not correct to make this https to http reversion.

What else do I need to do to make this reversion by using the shell interface (since changes lock me out of the configurator)?

thanks
oldunixguy

jimp

When HTTPS is enabled, pfSense sets up HSTS. Most likely your browser is attempting to respect this and has cached that.

Try a different browser or try clearing your cache/history, maybe try a private/incognito browsing mode.

The real question is why anyone would want to use HTTP these days for GUI access…

Gertjan

@jimp:

…
The real question is why anyone would want to use HTTP these days for GUI access...

HTTPS you mean ?
That's your fault. The acme packet works to well.

jimp

@Gertjan:

HTTPS you mean ?
That's your fault. The acme packet works to well.

Indeed it does work very well, but OP is trying to change from HTTPS to HTTP for some unspecified reason I can't fathom.

oldunixguy

Quite simple really. If the only access to the router controls (command line and browser configurator) must go thru an SSH tunnel that itself requires keys with passwords disabled then it is much more secure. Using https over a secure ssh tunnel offers no additional security and consumes more device resources. Here only a single port is open to the outside instead of 2. I support many, many routers with many router OS. Some routers dont have the resources to run https. However, all run SSH with keys which allows a common and secure method to access both command line and browser router controls.
thanks
oldunixguy

jimp

That is dangerously incorrect. There is more to HTTPS than encryption when used properly.