Forum Discussion

Edher_Espinosa1 (Nimbostratus)
May 14, 2018

Skip HSTS/HPKP header error

Hi Guys!

I have the following scenario:

User - ONT - Router - F5 - Firewall - Servers (Captive portal)

I need to implement a captive portal for Internet access. I have an LTM module activated and:

3 VS created: VS for port 80, VS for port 443 and VS for any port.

1 Pool for my gateway.

1 iRule to redirect HTTP and HTTPS queries to my captive portal.

A wildcard certificate issued by a public CA for my SSL VS.

All domains (including facebook, twitter, google, youtube) point to the IP of the Virtual Server through DNS. The HTTP queries don't have any problem with the redirection to my captive portal; the problem is with the HTTPS VS: when a user browses to google.com, facebook.com or twitter.com they get a certificate mismatch due to the HSTS and HPKP headers and they can't skip this error. Other SSL sites (ibm, cnn, any banks) don't have this problem because these websites are not part of the HSTS/HPKP header list.

These HSTS and HPKP headers are listed in most browsers (Firefox, Chrome, Opera, etc.) by default, which makes the request change from HTTP to HTTPS automatically.

Does anyone know if it's possible to skip this HSTS/HPKP header error?

 

HSTS (HTTP Strict Transport Security) tells the browser that the site must only be accessed via HTTPS (for the lifetime of the policy).

HPKP (HTTP Public Key Pinning) is an HTTP header that provides the public keys to the browser, so that the browser can independently verify the public key certificate provided by an HTTPS server. This mechanism prevents MITM and server spoofing.

"Does anyone know if it's possible to skip this HSTS/HPKP header error?"

Not really - they are security mechanisms intended to warn users that they are being directed to a site that is not their intended destination.

You need to rely on the browser/OS captive portal detection mechanisms to prevent the HTTPS request blocking that you are seeing.
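As an added example (not part of this thread, and not F5 code), the following Python models the browser-side HSTS policy store the answer refers to, so you can see why the port-80 redirect is never reached for a preloaded host: the browser rewrites http:// to https:// before it sends anything, and the HTTPS VS then presents a wildcard certificate that fails validation. All hosts and header values are constructed; real browsers ship a preload list of thousands of entries, which the PRELOAD dictionary stands in for here.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in HSTS preload list. Real
# browsers ship thousands of entries (google.com, facebook.com, twitter.com
# among them); the .test hosts here are invented for the example.
PRELOAD = {
    "example-social.test": True,     # True = includeSubDomains
    "example-search.test": True,
    "example-apex-only.test": False,
}


class HstsStore:
    """Minimal model of a browser's HSTS policy store (RFC 6797)."""

    def __init__(self, preload=None, now=time.time):
        self.now = now
        # host -> (expiry as epoch seconds, includeSubDomains flag)
        self.policies = {}
        for host, include_sub in (preload or {}).items():
            self.policies[host] = (float("inf"), include_sub)

    def learn(self, host, header_value):
        """Record a Strict-Transport-Security header received over HTTPS."""
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', header_value, re.IGNORECASE)
        if not m:
            return  # no max-age: malformed header, ignored as browsers do
        max_age = int(m.group(1))
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 withdraws the policy
            return
        include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)",
                                header_value, re.IGNORECASE) is not None
        self.policies[host.lower()] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires, include_sub = policy
            if expires <= self.now():
                continue  # policy has expired
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Apply the URI rewriting a browser performs before sending a request."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        # Port 80 (or an implicit port) becomes the implicit 443; other explicit ports stay.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def portal_redirect_reachable(store, url):
    """A port-80 captive-portal redirect only works if the browser actually
    emits a plain-HTTP request. Returns (url_the_browser_sends, reachable)."""
    sent = store.rewrite(url)
    return sent, sent.startswith("http://")


if __name__ == "__main__":
    store = HstsStore(PRELOAD)
    for url in ("http://www.example-social.test/", "http://news-without-hsts.test/"):
        print(url, "->", portal_redirect_reachable(store, url))
```

The requests for which this model returns reachable=True are exactly the ones the answer points at: the OS and browser captive-portal probes fetch a fixed plain-HTTP URL from a vendor host (captive.apple.com and connectivitycheck.gstatic.com are well-known examples) that carries no HSTS policy, so a port-80 redirect to the portal page is seen and the user is sent there before they ever type a preloaded hostname.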