Issues running KiwiSDR on subdomains where HSTS is enabled on the main site.

I run a KiwiSDR on a subdomain of a site which uses HTTPS (with a cert via Let's Encrypt). The main site has HSTS (HTTPS Strict Transport Security) enabled.

I have had a few users report issues connecting to the KiwiSDR, as various browsers (Chrome being the prime example) apply that HSTS rule to all subdomains, resulting in Chrome continuously trying to connect to the KiwiSDR using HTTPS. Those users were able to access the KiwiSDR again by deleting the HSTS rules using instructions from this page: https://www.ssl2buy.com/wiki/how-to-clear-hsts-settings-on-chrome-firefox-and-ie-browsers

With more and more browsers enforcing HTTPS, I suspect these kinds of issues are just going to become more common.

Is there any plan to add the ability to enable HTTPS on the KiwiSDR? I understand this will likely require uploading of a suitable SSL cert (valid for the domain the KiwiSDR is running on) by the admin, and probably ongoing maintenance by the admin as the SSL certs expire (for example Let's Encrypt certs only have a validity of a few months).

Cheers,
Mark VK5QI

Comments

  • You could use a reverse proxy like NGINX to ssl the info, (using auto-updating LetsEncrypt cert).

    The bigger issue is the laughable nature of Chrome pretending to be looking after your data.
    "Cool story browser bro'"

    I don't think there is much appetite for forcing the Beaglebone to tailor to Google's latest whim.
    Next month it will be "can't browse unless you have NFC turned on and are holding the phone over your embedded bio chip".

    Just say no.

    73 Stu
  • HTTPS on the Kiwi is not happening. Too many implementation/performance problems. We had the barroom-brawl about this years ago. Nothing has changed. Except that I'm less inclined than ever to work on stuff I don't perceive as important/interesting.

    Maybe someone else will do this and deliver a 100% tested, validated patch. But history says otherwise.
    WA2ZKD
  • Nginx is likely the solution here then. If we get it working then I'll post a configuration here that others can use.
    We'll be experimenting with using a RPi (4) we happen to have at the remote site as the front-end. With only a small number of users at a time hopefully load won't be an issue.

    This also gives me the opportunity to block access to the admin login, which I'm not entirely comfortable having exposed to the net (though having the console only available locally is a good risk-reduction step).

    Thanks for the support.

    Stu: HSTS isn't just a Chrome thing - it's an IETF standard. It's going to affect all browsers equally, unless you are living in the dark ages. Your browser-bashing is not helpful.

    73
    Mark VK5QI
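As an added illustration of the reverse-proxy approach discussed in this thread (this is example configuration written for this page, not a configuration posted by Mark, Stu or the KiwiSDR project): an nginx front-end, as on the RPi Mark mentions, that terminates TLS with a Let's Encrypt certificate, forwards the Kiwi's WebSocket traffic, and keeps the admin login off the public internet. All concrete values are assumptions: the Kiwi is assumed to listen on 192.168.1.50:8073 on the LAN, the public name is assumed to be kiwi.example.org, the admin page is assumed to be served under /admin, and the certificate paths are the ones certbot uses by default. Because the subdomain now answers on HTTPS, a browser that inherits the parent site's HSTS policy through includeSubDomains (the problem in the original post) simply connects to port 443 and works, with no need to clear HSTS state.

```nginx
# Added example configuration (not the KiwiSDR project's own). Place in the
# http context, e.g. /etc/nginx/conf.d/kiwi.conf. Assumed values are marked.

# Pass the WebSocket Upgrade header through only when the client sent one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: answer the ACME challenge (so certbot can renew the certificate)
# and send everything else to HTTPS. A browser that already holds the parent
# domain's HSTS policy with includeSubDomains never uses this listener.
server {
    listen 80;
    listen [::]:80;
    server_name kiwi.example.org;            # assumed public name

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;               # assumed certbot webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kiwi.example.org;            # assumed public name

    # Default certbot output paths for this name (assumed).
    ssl_certificate     /etc/letsencrypt/live/kiwi.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kiwi.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Admin login reachable from the site LAN only (assumed network and
    # assumed /admin path); everyone else gets 403 from the proxy.
    location /admin {
        allow 192.168.1.0/24;
        deny  all;
        proxy_pass http://192.168.1.50:8073;     # assumed Kiwi address
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else: the listener UI, which streams audio and waterfall
    # data over long-lived WebSocket connections.
    location / {
        proxy_pass http://192.168.1.50:8073;     # assumed Kiwi address
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Idle listeners hold sockets open for a long time; don't let the
        # proxy's default read timeout cut them off.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

Two points worth checking after deploying something like this. First, the proxy's `deny all` only protects requests that arrive through nginx: the Kiwi's own port 8073 must not also be port-forwarded from the router, or the admin page stays reachable directly. Second, the admin UI's scripts and its WebSocket endpoint may not all live under /admin, so verify from outside the allowed network, with a browser and the nginx access log, that the admin login really is unreachable rather than assuming the path prefix covers it.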
This discussion has been closed.