Forum Discussion

May 17, 2016

How to disable HSTS on the management interface?

Hi,

I regularly have to clean my browser cache to be able to connect to the BIG-IP management webui due to the HSTS feature.

I saw that this header is served in the response from the BIG-IP mgmt webui, but as I regularly use BIG-IPs in labs, in the end the browser rejects my connection because several SSL security requirements are not followed.

 

7 Replies

  • HSTS is enabled on the management interface via Apache's configuration file (which is not intended to be user-modifiable)

    /config/httpd/conf/httpd.conf
    
    # Restrict to https, with HSTS policy lasting for 6 months, allowing subdomains
    Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
    

    I'm curious as to exactly what problem this is causing for you - all it should be doing is ensuring that you access the GUI via https, rather than http. Can you advise the specifics on how it affects you?

  • Hi,

    Please find below the typical error message I receive (sorry it's in French):

    I receive this message after using Fiddler with SSL inspection activated or when I'm redirected to a captive portal when trying to connect to the webui through a Wi-Fi hotspot.

    After having one of those two events, I can't connect anymore to the mgmt webui on Chrome. I have to clear my HSTS cache to be able to reconnect.

    I can handle it, but after so many times, I would like to find a solution that prevents me from having to clear caches.

     

  • JG

    It does not sound like an HSTS issue to me. The only English word in that error message is telling: "NET::ERR_CERT_AUTHORITY_INVALID".

     

  • Hi, of course the server certificate is invalid.

    You can find the same issue in English; if you have a look at the last sentence, Chrome clearly blocks the connection due to HSTS use. :)

    Clearly, I'm just refused connection to SSL servers that use HSTS when using Fiddler, for example. I think that when I visited my website the first time, I got a response with an HSTS header included. When I try again through a proxy or Wi-Fi captive portal, the response doesn't contain the HSTS header. In this case, Chrome blocks access to the website.

    I got the same when browsing with my Android smartphone.

     

    • IanB
      Actually the error you've posted is ERR_CERT_DATE_INVALID - it's saying the cert start date isn't valid. This can be caused by the clock on your device being wrong, but it's often also the result of antivirus programs using this to deny access to the website. Although it says you can't access the site because it uses HSTS, it's just a badly worded way of saying that it requires SSL access, and SSL access is not available due to the SSL certificate error. This is not saying that HSTS is causing the problem. It's saying that HSTS requires it to use SSL, and SSL is unavailable.
    • Yann_Desmarest
      Hi, I have the same issue when renewing a device certificate for example. But that's ok, I clear the HSTS cache and everything goes fine
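As an added example (not part of this thread and not F5 code), the Python below models two things the replies describe: what the header from the httpd.conf snippet in the first reply declares (max-age=16070400 with includeSubDomains), and the browser behaviour IanB explains, where a host already in the HSTS store gets no certificate-warning click-through until the entry expires or the store is cleared. The parser follows RFC 6797 section 6.1; the host names, the timestamps and the "intercepting proxy" scenario are constructed for the walkthrough.

```python
"""Model of an HSTS policy and of a browser's HSTS store (added example, RFC 6797)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: int               # seconds the UA must remember the host
    include_subdomains: bool
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.
    Returns None when the header is invalid: missing or non-numeric max-age,
    or a directive repeated (RFC 6797 6.1 says the UA must then ignore it)."""
    max_age: Optional[int] = None
    include_sub = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def max_age_days(policy: HstsPolicy) -> int:
    """Whole days covered by the policy (16070400 s -> 186 days, ~6 months)."""
    return policy.max_age // 86400


class HstsStore:
    """Simplified browser HSTS store: host -> (expiry time, includeSubDomains)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[int, bool]] = {}

    def observe_response(self, host: str, now: int, header: Optional[str], tls_ok: bool) -> None:
        # Only headers received over an error-free TLS connection are honoured, so a
        # captive portal or intercepting proxy cannot add, extend or remove an entry.
        if not tls_ok or header is None:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self._hosts.pop(host, None)        # max-age=0 tells the UA to forget the host
        else:
            self._hosts[host] = (now + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str, now: int) -> bool:
        for stored, (expires, subs) in self._hosts.items():
            if expires <= now:
                continue                       # entry has lapsed
            if host == stored or (subs and host.endswith("." + stored)):
                return True
        return False

    def clear(self) -> None:
        self._hosts.clear()                    # what the poster does by hand in Chrome


def can_click_through_cert_error(store: HstsStore, host: str, now: int) -> bool:
    """Browsers allow the user to override a certificate error only for hosts that
    are not HSTS-known; for known hosts the error is fatal (RFC 6797 12.1)."""
    return not store.is_known(host, now)


def walkthrough() -> Dict[str, bool]:
    """Constructed scenario: first clean visit, then a visit through a device that
    breaks the certificate chain, then expiry, then a manual clear of the store."""
    store = HstsStore()
    host = "bigip-mgmt.lab.example"            # constructed host name
    header = "max-age=16070400; includeSubDomains"
    t0 = 0
    store.observe_response(host, t0, header, tls_ok=True)          # clean first visit
    t1 = t0 + 3600
    via_proxy = can_click_through_cert_error(store, host, t1)      # cert now invalid
    store.observe_response(host, t1, "max-age=0", tls_ok=False)    # untrusted response ignored
    still_known = store.is_known(host, t1)
    expired = store.is_known(host, t0 + 16070400 + 1)
    store.clear()
    after_clear = can_click_through_cert_error(store, host, t1)
    return {"click_through_via_proxy": via_proxy, "still_known_after_bad_tls": still_known,
            "known_after_expiry": expired, "click_through_after_clear": after_clear}
```

The walkthrough returns the four facts the thread turns on: with the entry present the certificate error cannot be clicked through, a header seen over a broken connection does not change the store, the entry lapses only after max-age, and clearing the store restores the warning page with its override.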
  • Is your management interface internet facing? (I ask this as you mentioned the wifi-hotspot intercept. We jumpbox ours so the management interface is never hit first, prior to logon, even through a hotspot.) I would not recommend disabling the feature.

     

    Perhaps an alternative, if you do lots of work with Fiddler, is to not use Fiddler with the same browser as you use for managing your BIG-IP. Personally I've not seen this particular problem in action.