StarScream159
Cadet
- Joined
- Jan 25, 2013
- Messages
- 4
Hello everyone.
Is it possible to edit/remove the NGINX configuration from sending the HSTS/STS headers with page requests:
I connect to my NAS from a generic Dynamic DNS address (like from dynu.com, changeip.com, namecheap, etc.). But I also use the same address to access other services running on my home network on different ports. However, these other services aren't running under HTTPS. So if I browse to my FreeNAS GUI, then I attempt to use a service that isn't HTTPS, the browser is remembering the HSTS/STS setting and forcing a HTTPS redirect on the service/port that isn't HTTPS.
I'll give an example:
PORT 80 - FreeNAS (HTTP)
PORT 443 - FreeNAS (HTTPS)
PORT 4040 - Subsonic (HTTP)
PORT 8000 - pyLoad (HTTPS)
etc.
So first if I browse to Subsonic on port 4040 with plain HTTP, everything works great. Then later in the day/whenever I browse to FreeNAS (on either http or https) it'll then set the HSTS/STS browser setting. Then browsing back to my Subsonic service won't work, as it will now redirect to HTTPS. pyLoad, as an example, on the other hand always works, because it wants HTTPS, so it doesn't matter.
I've tried to change the settings in FreeNAS GUI to no avail. No combination of forcing/not forcing redirect to HTTPS, or enabling both HTTP+HTTPS works. As long as HTTPS is enabled in some fashion, it seems, the HSTS/STS header is sent.
If there is no easy way to remove the headering from NGINX, I can look into whitelisting/disabling HSTS/STS for my domain.
Thanks for reading.
Is it possible to edit/remove the NGINX configuration from sending the HSTS/STS headers with page requests:
Code:
strict-transport-security:max-age=31536000
I connect to my NAS from a generic Dynamic DNS address (like from dynu.com, changeip.com, namecheap, etc.). But I also use the same address to access other services running on my home network on different ports. However, these other services aren't running under HTTPS. So if I browse to my FreeNAS GUI, then I attempt to use a service that isn't HTTPS, the browser is remembering the HSTS/STS setting and forcing a HTTPS redirect on the service/port that isn't HTTPS.
I'll give an example:
PORT 80 - FreeNAS (HTTP)
PORT 443 - FreeNAS (HTTPS)
PORT 4040 - Subsonic (HTTP)
PORT 8000 - pyLoad (HTTPS)
etc.
So first if I browse to Subsonic on port 4040 with plain HTTP, everything works great. Then later in the day/whenever I browse to FreeNAS (on either http or https) it'll then set the HSTS/STS browser setting. Then browsing back to my Subsonic service won't work, as it will now redirect to HTTPS. pyLoad, as an example, on the other hand always works, because it wants HTTPS, so it doesn't matter.
I've tried to change the settings in FreeNAS GUI to no avail. No combination of forcing/not forcing redirect to HTTPS, or enabling both HTTP+HTTPS works. As long as HTTPS is enabled in some fashion, it seems, the HSTS/STS header is sent.
If there is no easy way to remove the headering from NGINX, I can look into whitelisting/disabling HSTS/STS for my domain.
Thanks for reading.
