Netgate Discussion Forum

    HSTS config on nginx

    General pfSense Questions
    10 Posts 3 Posters 1.9k Views
    • empbilly

      Hello guys,

      I would like to disable nginx HSTS, and the only files with add_header that I found on the server are:

      /var/etc/nginx-cpzone-CaptivePortal-SSL.conf
      /var/etc/nginx-cpzone-CaptivePortal.conf
      

      When I modify the files and restart the webConfigurator or restart the server, they return to the original settings.

      Which file should I change so that the modified settings do not change again?

      https://eliasmoraispereira.wordpress.com/

      • cmb

        It's in /etc/inc/system.inc. Why do you want to disable it?

        • empbilly

          @cmb:

          It's in /etc/inc/system.inc. Why do you want to disable it?

          Hello cmb, thanks for the answer!

          Some users with smartphones receive the HSTS message and aren't redirected to our login page. In some tests, we solved it by clearing all browsing history/cache on the smartphones.

          As this page is shown before the user has access to the network, I believe there wouldn't be any problem in disabling HSTS. Or would there be?

          • cmb

            It wouldn't be a problem to disable it, just wondering if there was a use case where it's necessary to disable. You're using HTTPS on captive portal I take it? Do you have an example of the exact, specific message the clients were displaying?

            • empbilly

              HTTPS is enabled.

              The message looks like the image at this link:
              http://news.netcraft.com/wp-content/uploads/2016/03/facebook-mitm.png

              • cmb

                Ah OK, that makes sense now. That's not because HSTS is enabled on your captive portal, it's because facebook.com has HSTS enabled and the person's device has that cached from previously accessing it. You can't do anything to influence or prevent that.

                • empbilly

                  @cmb:

                  Ah OK, that makes sense now. That's not because HSTS is enabled on your captive portal, it's because facebook.com has HSTS enabled and the person's device has that cached from previously accessing it. You can't do anything to influence or prevent that.

                  Yeah, but instead of facebook.com it would be our portal, e.g. captiveportal.shiryu.com O.o

                  I made some changes to our own authentication portal.html file. Perhaps it was these changes that caused users to receive this error. Their cache had an old version of our portal.html, and I believe that's why they received the HSTS message.

                  • cmb

                    Oh OK, thought that meant you were getting it specifically for facebook.com. In that case, you can remove that HSTS line in /etc/inc/system.inc to keep it from reappearing for now. Upgrades will set it back so you'll have to re-apply post-upgrade. I'll take a look at that for captive portal in the future when time permits. Might be a good idea to have an option in CP to disable that, or maybe disable it by default in that case.

                    • empbilly
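As an added example (not code from this thread or from the pfSense project): a small POSIX sh check for what HSTS policy an HTTPS endpoint actually hands out, so that after removing the add_header line in /etc/inc/system.inc you can confirm whether the captive portal, the webConfigurator, or both have stopped sending it, and re-check after an upgrade puts the line back. One caveat worth keeping in mind: dropping the header only stops new clients from learning the policy. A browser that has already cached Strict-Transport-Security for the portal hostname keeps it until its max-age elapses; the standard way to evict it (RFC 6797) is to serve max-age=0 over HTTPS. The sample responses below are constructed, not captured from a real box, and the hostnames in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: report the HSTS policy an
# HTTP response carries. Works on raw response headers from stdin, so it can be
# fed either by curl (live probe) or by the constructed samples at the bottom.

# Strict-Transport-Security value from raw HTTP response headers on stdin.
# Header names are case-insensitive and CRLF line ends are tolerated; prints
# nothing if the header is absent.
hsts_value() {
  tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
    | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# max-age in seconds from an HSTS value passed as $1; empty if there is no
# max-age directive. Directive names are case-insensitive per RFC 6797.
hsts_max_age() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Verdict for the headers on stdin:
#   absent      no HSTS header; new clients are unaffected, but a client that
#               already cached a policy for this host keeps it until it expires
#   clearing    max-age=0; tells clients to delete a previously cached policy
#   enforced N  a positive max-age of N seconds
#   invalid     header present but without max-age; user agents ignore it
hsts_status() {
  value=$(hsts_value)
  if [ -z "$value" ]; then
    echo absent
    return 0
  fi
  age=$(hsts_max_age "$value")
  if [ "$age" = "0" ]; then
    echo clearing
  elif [ -n "$age" ]; then
    echo "enforced $age"
  else
    echo "invalid ($value)"
  fi
}

# Live probe: -s quiet, -k tolerates the self-signed certificate pfSense ships
# with by default, -I asks for headers only. Not called here; see the usage note.
hsts_probe() {
  printf '%s: ' "$1"
  curl -skI --max-time 5 "$1" | hsts_status
}

# Constructed sample responses (assumptions, not captured traffic). The first
# mimics a captive-portal response while system.inc still injects the header,
# the second is what you want to see after removing that line, and the third
# actively clears the policy on clients that already cached it.
PORTAL_BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Type: text/html\r\n')
PORTAL_AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
PORTAL_CLEARING='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=0
Content-Type: text/html'

for name in PORTAL_BEFORE PORTAL_AFTER PORTAL_CLEARING; do
  eval "headers=\$$name"
  printf '%-16s %s\n' "$name" "$(printf '%s\n' "$headers" | hsts_status)"
done
```

To check a real box, source the script and run something like `hsts_probe https://captiveportal.example.org:8003/` and `hsts_probe https://pfsense.example.org/` (hostnames and port are placeholders) before and after editing /etc/inc/system.inc and restarting the webConfigurator and captive portal. If clients have already cached the policy for the portal hostname, expect them to keep forcing HTTPS until max-age runs out unless the portal serves max-age=0 over HTTPS for a while first.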

                      @cmb:

                      Oh OK, thought that meant you were getting it specifically for facebook.com. In that case, you can remove that HSTS line in /etc/inc/system.inc to keep it from reappearing for now. Upgrades will set it back so you'll have to re-apply post-upgrade. I'll take a look at that for captive portal in the future when time permits. Might be a good idea to have an option in CP to disable that, or maybe disable it by default in that case.

                      It would be a great idea, as in most cases the login page has no connection to the outside; it is only for authentication.

                      • doktornotor

                        https://redmine.pfsense.org/issues/6650
                        https://github.com/pfsense/pfsense/pull/3856

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.