Forum Discussion
How to disable HSTS on the management interface ?
Hi,
I regularly have to clean my browser cache to be able to connect to the BIG-IP management webui due to the HSTS feature.
I saw that this header is served in response from BIG-IP mgmt webui, but as I regularly use BIG-IPs in labs, at the end the browser reject my connection because several SSL security requirements are not followed.
Is your management interface internet facing? (I ask this as you mentioned the wifi-hotspot intercept. We jumpbox ours so the management interface is never hit first, prior to logon, even through a hotspot.) I would not recommend disabling the feature.
Perhaps as an alternative if you do lots of work with Fiddler, is to not use Fiddler with the same browser as you use for managing your BIG-IP. Personally I've not seen this particular problem in action.
Hi, Of course the server certificate is invalid.
You can find the same issue in english, if you have a look at the last sentence, chrome clearly block the connection due to hsts use. :)
Clearly, I'm just refused connection to ssl servers that use hsts when using fiddler for example. I think that I visited the first time my website, I got a response with an hsts header included. When I try again through a proxy or wifi captive portal, the response doesn't contain the hsts header. In this case, chrome block access to the website.
I got the same when browsing with my Android smartphone.
- Hi, I have the same issue when renewing a device certificate for example. But that's ok, I clear the HSTS cache and everything goes fine
- IanBEmployeeActually the error you've posted is ERR_CERT_DATE_INVALID - it's saying the cert start date isn't valid. This can be caused by the clock on your device wrong, but it's often also the result of anti virus programs using this to deny access to the website. Although it says you can't access the site because it uses HSTS, it's just a badly worded way of saying that it requires SSL access, and SSL access is not available due to the SSL certiticate error. This is not saying that HSTS is causing the problem. It's saying that HSTS requires it to use SSL, and SSL is unavailable.
- JGCumulonimbus
It does not sound like an HSTS issue to me. The only English word in that error message is telling: "NET::ERR_CERT_AUTHORITY_INVALID".
Hi,
Please find below the typical error message I receive (sorry it's in french) :
I receive this message after using fiddler with SSL inspection activated or when I'm redirected to a captive portal when trying to connect to the webui through an hotstop wifi.
After having one of those two events, I can't connect anymore to the mgmt webui on chrome. I have to clear my hsts cache to be able to reconnect.
I can handle it, but after so many time, I would like to find a solution that prevent me to clear caches.
- IanBEmployee
HSTS is enabled on the management interface via apache's configuration file (which is not intended to be user-modifiable)
/config/httpd/conf/httpd.conf Restrict to https, with HSTS policy lasting for 6 months, allowing subdomains Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
I'm curious as to exactly what problem this is causing for you - all it should be doing is ensuring that you access the GUI via https, rather than http. Can you advise the specifics on how it affects you ?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com