2.3 Web UI lockout changing protocol to HTTPS



  • I upgraded to 2.3-RELEASE (i386) from a fresh install of 2.2.2-RELEASE (i386). After changing the Web UI protocol from HTTP (using a non-standard port xx080 TCP) to HTTPS (using a non-standard port xx443 TCP), remote control via the Web UI is lost.

    Further investigation shows that the Web UI protocol has been accidentally reverted to the default (HTTP/80 TCP). On the relevant interface, in Firewall/Rules, ports xx080 and xx443 TCP are open, but port 80 TCP is not.

    This used to be a known bug in some past versions of pfSense. I don't know if it is a known bug in 2.3.



  • Are you perhaps experiencing an HSTS enforcement?

    The pfSense WebGUI issues a one-year Strict-Transport-Security header.

    Strict Transport Security (HSTS)
    https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
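
    As an added illustration of the HSTS mechanism referred to above (example code written for this page, not pfSense code and not anything posted in the thread), the following Python models how a browser stores an HSTS policy from an HTTPS response and rewrites later plain-HTTP requests to that host, following RFC 6797. The host name `fw.example.net`, the ports 10080/10443 and the header value are constructed sample data; whether pfSense sends `includeSubDomains` is not stated in the thread and is assumed here only for the test.

```python
"""Minimal model of browser-side HSTS handling (RFC 6797).

Added example for this page; not pfSense code. The host name, ports and
header value used in the usage block at the bottom are constructed.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int            # seconds the policy stays valid
    include_subdomains: bool
    stored_at: float        # time the header was observed


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when no usable max-age directive is present, which is how a
    browser treats a malformed header (it simply ignores it).
    """
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Known-HSTS-host store keyed by host name only.

    RFC 6797 scopes the policy to the host, not to a port, so once a host is
    recorded every plain-HTTP URL for it is upgraded, whatever port it names.
    """

    def __init__(self):
        self._hosts = {}

    def observe(self, url, header_value, now=None):
        """Record the policy carried by an HTTPS response; max-age=0 deletes it.

        Headers received over plain HTTP are ignored, as the RFC requires.
        """
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = HstsPolicy(max_age, include_sub, now)

    def is_known(self, host, now=None):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._hosts.get(".".join(labels[i:]))
            if policy is None or now - policy.stored_at > policy.max_age:
                continue  # unknown, or expired
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """Apply the upgrade rule: http -> https, the port kept as written.

        Only an explicit port 80 is replaced (by 443); any other port such as
        a non-standard admin port is carried over unchanged.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        port = parts.port
        if port is None:
            netloc = parts.hostname
        elif port == 80:
            netloc = f"{parts.hostname}:443"
        else:
            netloc = f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: a one-year policy seen on the HTTPS admin port.
    cache = HstsCache()
    cache.observe("https://fw.example.net:10443/", "max-age=31536000")
    # The later plain-HTTP URL on the other admin port is upgraded in place:
    print(cache.rewrite("http://fw.example.net:10080/"))
```

    The point the model makes visible is that the cache entry is keyed on the host name alone, so after the header has been seen the browser turns `http://host:10080/` into `https://host:10080/` (a port on which nothing speaks TLS in this scenario) rather than into the HTTPS port; the request then fails at the browser before any firewall rule is consulted. Checking the browser's stored HSTS entries for the host is the quickest way to confirm or rule out this cause.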



  • Sorry for the late reply. I'm not familiar with HSTS, so it took me some time to learn the concept. It's not clear to me how and why HSTS, which enforces HTTPS, could force pfSense to accidentally change the WebUI from HTTP/xx080 or HTTPS/xx443 TCP to HTTP/80 TCP.

    Note: that was the first time I ever changed the Web UI protocol and port from the WAN interface. When I changed them from the LAN interface, nothing strange happened.



  • @dusan:

    Sorry for the late reply. I'm not familiar with HSTS, so it took me some time to learn the concept. It's not clear to me how and why HSTS, which enforces HTTPS, could force pfSense to accidentally change the WebUI from HTTP/xx080 or HTTPS/xx443 TCP to HTTP/80 TCP.

    Note: that was the first time I ever changed the Web UI protocol and port from the WAN interface. When I changed them from the LAN interface, nothing strange happened.

    You're accessing the WebUI from WAN, HTTP, change it to HTTPS and get locked out, is that correct? But if you do the same operation from LAN, it works as you expect?



  • @mer:

    You're accessing the WebUI from WAN, HTTP, change it to HTTPS and get locked out, is that correct?

    Yes. That's correct.

    @mer:

    But if you do the same operation from LAN, it works as you expect?

    Yes.

