Netgate Discussion Forum

    webConfigurator forces connections to http

    General pfSense Questions
    • ErniePantuso

      In System > Advanced > Admin Access, I have HTTPS selected. TCP port is set to 443 and SSL/TLS Cert is set to webConfigurator Default. When I made those changes and clicked Save, it said it was redirecting me to https://10.1.1.1 - but it didn't. I tried it in a new private window and it forced me to http there, as well, so not a cache issue. What am I missing?

      • stephenw10 Netgate Administrator

        pfSense uses https for the webgui by default. Did you ever set it to http?

        Can you make other changes to the firewall config?

        Steve

        • ErniePantuso @stephenw10

          @stephenw10 I don't recall ever setting it to http but that doesn't mean it didn't happen! ;D
          Yes, I can make any/all other changes, no problem.

          • stephenw10 Netgate Administrator

            Check in the config file directly. Export it from Diag > Backup then look in the webgui section:

            		<webgui>
            			<protocol>https</protocol>
            			<loginautocomplete></loginautocomplete>
            			<ssl-certref>6035410d95ec4</ssl-certref>
            			<dashboardcolumns>3</dashboardcolumns>
            			<port></port>
            			<max_procs>2</max_procs>
            			<nodnsrebindcheck></nodnsrebindcheck>
            			<webguicss>pfSense-dark-BETA.css</webguicss>
            			<logincss>633215</logincss>
            			<loginshowhost></loginshowhost>
            			<nohttpreferercheck></nohttpreferercheck>
            		</webgui>
            

            You should see the protocol set to https as shown above.

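The check described in the post above can be scripted against an exported backup. This is an added example, not part of the original thread or pfSense's own code: `audit_webgui` is a hypothetical helper, the sample export is constructed around the `<webgui>` values quoted in the post, and it assumes certificates appear in the export as `<cert>` elements with a `<refid>` child.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config.xml export. The <webgui> values are the
# ones quoted in the post; the <cert> entry is a constructed stand-in.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>6035410d95ec4</ssl-certref>
      <port></port>
    </webgui>
  </system>
  <cert>
    <refid>6035410d95ec4</refid>
    <descr>webConfigurator default (constructed sample)</descr>
  </cert>
</pfsense>"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def audit_webgui(config_xml: str) -> dict:
    """Summarise the webgui section of an exported config and list problems."""
    root = ET.fromstring(config_xml)
    webgui = root.find(".//webgui")
    if webgui is None:
        return {"protocol": None, "port": None, "cert": None,
                "problems": ["no <webgui> section found"]}
    protocol = (webgui.findtext("protocol") or "").strip().lower()
    port_text = (webgui.findtext("port") or "").strip()
    certref = (webgui.findtext("ssl-certref") or "").strip()
    problems = []
    if protocol != "https":
        problems.append(f"protocol is {protocol or 'unset'!r}, expected 'https'")
    # An empty <port> means the default port for the selected protocol.
    port = int(port_text) if port_text.isdigit() else DEFAULT_PORTS.get(protocol)
    # Assumption: certificates are <cert> elements carrying a <refid> child.
    certs = {c.findtext("refid"): c.findtext("descr") for c in root.iter("cert")}
    if protocol == "https" and certref not in certs:
        problems.append(f"ssl-certref {certref!r} matches no <cert> in this export")
    return {"protocol": protocol, "port": port,
            "cert": certs.get(certref), "problems": problems}


if __name__ == "__main__":
    print(audit_webgui(SAMPLE_CONFIG))
```

A full export also holds certificate private keys and password hashes, so run this on a local copy and do not paste the file anywhere public.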
            • ErniePantuso @stephenw10

              @stephenw10 I tried to post my webgui section but Akismet flagged it as spam. Anyway, it looks identical to yours except for the ssl-certref is different. (Maybe that's the problem?)

              • stephenw10 Netgate Administrator

                No that should be unique to your install.

                Can you visit the page using https directly?

                How are you connected to the firewall? Via the LAN directly?

                • ErniePantuso @stephenw10

                  @stephenw10 said in webConfigurator forces connections to http:

                  Can you visit the page using https directly?

                  No. When I specifically type https://10.1.1.1, it thinks for a few seconds then gives me this

                  How are you connected to the firewall? Via the LAN directly?
                  Yes. Ethernet

                  • stephenw10 Netgate Administrator

                    That is connected via https it's just using a self signed certificate. Click on 'not secure' and then on the cert info. You will see it's the pfSense self signed certificate.

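The distinction drawn in the post above, a TLS connection with an untrusted certificate versus a connection that is not TLS at all, can be tested without a browser. This is an added example, not part of the original thread: `probe_webgui` and its return labels are hypothetical names, and `10.1.1.1` is the address from the first post.

```python
import socket
import ssl


def probe_webgui(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Classify what answers on host:port, as a verifying TLS client sees it.

    Returns one of:
      "https-trusted"    TLS handshake succeeded and the certificate verified
      "https-untrusted"  TLS is in use, but the certificate did not verify
                         (self-signed, unknown CA, or name mismatch)
      "not-tls"          something answered, but not with TLS (e.g. plain HTTP)
      "no-response"      connection refused, unreachable, or timed out
    """
    # Default context: system trust store, hostname checking enabled.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https-trusted"
    except ssl.SSLCertVerificationError:
        # The server got far enough into a TLS handshake to present a
        # certificate; only the trust decision failed.
        return "https-untrusted"
    except ssl.SSLError:
        # The peer's bytes were not a valid TLS handshake.
        return "not-tls"
    except OSError:
        return "no-response"


if __name__ == "__main__":
    print(probe_webgui("10.1.1.1"))
```

A result of `https-untrusted` corresponds to the browser's struck-through "https": the session is encrypted, but the client has no basis for trusting the certificate until its issuer is added to the trust store.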
                    • ErniePantuso @stephenw10

                      @stephenw10 said in webConfigurator forces connections to http:

                      That is connected via https it's just using a self signed certificate. Click on 'not secure' and then on the cert info. You will see it's the pfSense self signed certificate.

                      OK, did that and you're right about the cert but again, in the address bar, there's a red line through "https"...

                      • johnpoz LAYER 8 Global Moderator @ErniePantuso

                        @ErniePantuso said in webConfigurator forces connections to http:

                        there's a red line through "https"...

                        Well you should prob ask on your browser's forums why they present it like that.. Pfsense has little control over how a browser presents the connection security.. And saying it's not secure just because it's using a self signed cert is just wrong..

                        If you don't want it showing that - then use a cert that your browser trusts. Be it one you created with your own CA that your browser trusts, or use an acme cert on it.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • stephenw10 Netgate Administrator

                          Yeah firefox does a better job IMO. But on a Chrome (based) browser if it really is http it appears as:
                          Screenshot from 2024-02-29 04-02-29.png

                          • NollipfSense @ErniePantuso

                            @ErniePantuso said in webConfigurator forces connections to http:

                            again, in the address bar, there's a red line through "https"...

                            You have to tell your OS that you trust the self signed cert so your browser complies...

                            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                            • stephenw10 Netgate Administrator

                              It will still show as https though.

                              • johnpoz LAYER 8 Global Moderator @stephenw10

                                The way to get rid of the browser complaints is to create a cert from a CA that the browser trusts.. This is simple enough to do with pfsense.. Or use something like acme to get a trusted cert.

                                I use a combo of both, for stuff that browsers outside of my control will access I use acme (lets encrypt) for stuff that I just manage where to be honest https not even really needed. I mean its all local and on my "management/trusted" vlan anyway.. But I hate the browser balking at stuff.. My pfsense gui, my unifi controller gui, my switches, my printer gui, stuff like that I just sign my own certs with my CA that browser trusts. No more complaints from any browser I use.. FF, Edge, Chrome, etc..

                                • ErniePantuso @johnpoz

                                  @johnpoz That makes sense. I've used LetsEncrypt before with my own websites/servers but it's unclear to me how to do it with something that's local/internal. If you know of a good guide/tutorial, I'd really appreciate a link.

                                  It's also unclear to me how to setup local DNS. (In fact, I have a hard time just understanding local DNS in general.) I think I know that it gets setup/handled by DNS Resolver in pfSense - and I think it works (or can work) more or less like regular DNS to allow me to type "pfsense.lan" rather than "10.1.1.1" (etc. for other local destinations - which would be great) but no one has ever been able to explain to me (in sufficient detail) how to get that working.

                                  Then there's the issue of VLANs and firewall rules (and I'm still a novice when it comes to those.) Currently, I've just setup each VLAN to use Cloudflare and Quad 9 DNS - and internally we just have to use IP addresses.

                                  • johnpoz LAYER 8 Global Moderator @ErniePantuso

                                    @ErniePantuso well I have walked through creating your own CA and having your browser trust it quite a few times here over the years.. Let me find one of my old posts.. BRB

                                    edit: here is one https://forum.netgate.com/post/831783

                                    Well for dns out of the box pfsense resolves and should be listening on any of its IPs for queries.. If you want it to resolve local resources, then you can either have it register dhcp clients, this can be problematic since it restarts on dhcp events. Or you could create a static/reservation for devices so they always get the same IP and register those.. That works great, or if you're setting the device's IP locally or whatever and you want to make sure pfsense resolves that name for you just create a host override under the resolver.. For example my nas has a host override.

                                    $ nslookup
                                    Default Server:  sg4860.home.arpa
                                    Address:  192.168.9.253
                                    
                                    > nas.home.arpa
                                    Server:  sg4860.home.arpa
                                    Address:  192.168.9.253
                                    
                                    Name:    nas.home.arpa
                                    Address:  192.168.9.10
                                    

                                    192.168.9.253 is my pfsense IP on my lan, see how it resolves its own name sg4860.home.arpa, and see how my nas.home.arpa resolves to 192.168.9.10

                                    • ErniePantuso @johnpoz

                                      @johnpoz Thank you!!
