Webconfigurator - Access restrictions apply?



  • I'm kind of stunned, since I enabled https in the Webconfigurator, under Advanced. PLUS, disabled http at that same location.
    However, the system constantly offers me both, and I can administrate our pfSense easily through an http connection, and nmap shows an open http port just as well.
    2.4.3_1, by the way.



  • Me too!

    But the other way around.
    I can't enter the GUI using http://pfsense.my-local.net:80 (that is, I'm redirected to https:// and all is well) - entering the GUI using http://192.168.1.1:80 and my browser yells about the certificate not being OK etc. etc. - which is perfectly normal.

    These are your settings :
    ?
    (except for the certificate - a V2 from Letsencrypt/acme)



  • If you enable SSL, port 80 remains open to redirect to 443. There’s an option to disable the redirect if you prefer, also on the Advanced settings page.

    As far as using IP address vs host name and getting a security error, this happens when the certificate doesn’t have the LAN IP address(es) as part of the SAN (server alternate name) field when the certificate is generated. However, I don’t think it’s possible to use an RFC 1918 address as a SAN with ACME because there’s no way for the system to verify a private network host from the internet.
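    Two checks for what this post describes, added here as an example (not code from the thread or from pfSense): does port 80 only answer with a redirect to HTTPS, and does the certificate's SAN list include the LAN IP the browser was pointed at? The header and SAN text used below is constructed sample data, and the host passed to live_check is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: classify what a
# firewall does on TCP/80 and whether its certificate covers the LAN IP.
# Inputs are captured text so the logic runs offline; live_check() shows how
# to feed it real data with curl and openssl.

# Succeeds when the HTTP response headers are a 3xx redirect to an https:// URL
# (port 80 open, but only to redirect).
http_is_redirect_to_https() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$hdrs" | grep -i '^Location:' | awk '{print $2}')
  case "$status" in 301|302|303|307|308) ;; *) return 1 ;; esac
  case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# Succeeds when the Subject Alternative Name text (as printed by
# `openssl x509 -noout -ext subjectAltName`) lists the given IP address.
san_has_ip() {
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep
  printf '%s\n' "$1" | tr ',' '\n' | grep -q -- "IP Address:$ip_re\$"
}

# Constructed sample data standing in for real server output.
SAMPLE_REDIRECT_HEADERS='HTTP/1.1 302 Found
Location: https://192.168.1.1/
Content-Length: 0'
SAMPLE_DIRECT_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8'
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:pfsense.my-local.net, IP Address:192.168.1.1'

# Live version; the host argument (LAN IP or name) is an assumption, and
# `openssl x509 -ext` needs OpenSSL 1.1.1 or newer.
live_check() {
  host="$1"
  hdrs=$(curl -sI --max-time 5 "http://$host/") || return 2
  san=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName)
  if http_is_redirect_to_https "$hdrs"; then echo "port 80: redirects to HTTPS"
  else echo "port 80: serves content directly"; fi
  if san_has_ip "$san" "$host"; then echo "certificate SAN covers $host"
  else echo "certificate SAN lacks $host; browser warning expected"; fi
}

# Offline demonstration on the constructed samples.
http_is_redirect_to_https "$SAMPLE_REDIRECT_HEADERS" && echo "sample 1: redirect only"
http_is_redirect_to_https "$SAMPLE_DIRECT_HEADERS" || echo "sample 2: direct content"
san_has_ip "$SAMPLE_SAN" 192.168.1.1 && echo "sample SAN covers 192.168.1.1"
```

    Running live_check against the LAN address reproduces both observations in the thread from the command line: a 302 to https:// means the open port 80 is only the redirect, and a SAN without that IP is why the browser complains when the IP rather than the hostname is used.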



  • @virgiliomi : exact - thanks for detailing that one.

    @udippel : You could consider the "who cares setup" : Leave the LAN interface only for administration devices, like your PC - and you.
    All other people, guests, pests, etc : on OPTx.
    Or/and : reinforce your interfaces with firewall rules.

    Also : go to console access and hit option 11. Does that settle things out ? Because me, whatever I try on port "80" on pfSense, I'm thrown to https:// right away - and I'm not running other web services on pfSense anyway.



  • Okey-dokey.

    Though here it reads:
    "Wenn nicht aktiviert, wird Port 80 automatisch auf den HTTPS Port weitergeleitet. Aktivieren, um die automatische Weiterleitung zu deaktivieren." ("When not enabled, port 80 is automatically forwarded to the HTTPS port. Enable to disable the automatic forwarding.") which sounds to me, the native German speaker, the other way round.

    Thanks to all who answered, I think I understand the behaviour.
    And yet, I can't really see the point of this behaviour; to me at least it is unexpected. Not?

    Thanks again,

    Uwe