
I have a website with two different certificates. One for official use so the user doesn't see a self-signed alert. And one for internal use for private subdomains (for phpmyadmin, roundcube and so on). These subdomains are only for admin use, so it seems useless to me to spend money on a wildcard certificate. Therefore the wildcard certificate is self-signed and I have memorized the hash.

Also I got an etherpad installation on that server on a different port than http (not a different subdomain). Etherpad now seems to send this header "Strict-Transport-Security: max-age=31536000; includeSubDomains" which is just dumb, because I couldn't find an option to turn off the "includeSubDomains".

Now when I was in my pad and then try to use my admin subdomains I get an error because of HSTS, without the option to set an exception, and therefore these are now unusable for me.

Does somebody have an idea how I can get rid of the "includeSubDomains" in the etherpad installation?

I would be glad if someone could help me. Thank you.

mate
  • Well you could modify the one location where this header is set … https://github.com/ether/etherpad-lite/search?utf8=%E2%9C%93&q=includeSubDomains – CBroe Mar 20 '15 at 16:17
  • Sure, but something native would be nicer. Isn't that overwritten if I pull from github for an update? – mate Mar 20 '15 at 16:21
  • Yes, of course you’d have to do that again if you update. If you don’t want that, then I think you might have to proxy the request, so that you can modify headers before they are sent to the client … I don’t know if node.js provides another “layer” encapsulating such an app where you could do that otherwise. – CBroe Mar 20 '15 at 16:25
  • Disable SSL in Etherpad, put SSL on a reverse proxy (such as nginx) and then the header won't be applied. – John McLear Mar 24 '15 at 11:13

1 Answer

It's a tad old, but I would like to point out the better alternative: install the certificate of the (self-signed) CA that you used to sign your own certificate as a trusted CA in your browser.

I just share the CA certificate on my webserver, and download/install it using the IP address to avoid the HSTS trigger. You can point your browser to

http://1.2.3.4/my_certificate.pem

and your browser will ask you what you want to use that certificate for. If you set it to be allowed to sign websites, and the CN in your certificate matches the hostname you're using it for (roundcube, phpmyadmin, etc.), your browser will happily accept your self-signed certificates, even when HSTS is enabled.

Egbert
  • Yes, that would work. But I would consider it bad practice to ask all visitors to install a new certificate. Meanwhile there is luckily Let's Encrypt. So it's no big deal anymore to have a certificate for all subdomains. – mate May 20 '16 at 03:24
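As an added illustration (not code from the question or the answer), the following is a minimal model of a browser's HSTS known-host store as described in RFC 6797. It shows why a pad served on another port of the main host locks the admin subdomains as well (the store is keyed by host name only, and includeSubDomains extends the entry downwards), why the same header without includeSubDomains would not, and why fetching the CA certificate by IP address sidesteps the check (IP literals never become HSTS hosts). The host names and the port are constructed, not taken from the page.

```python
"""Toy model of a browser's HSTS store (RFC 6797); hosts below are constructed."""
import re
import time
from typing import Dict, Optional, Tuple


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains) or None if the header is malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                return None          # browsers ignore an unparsable max-age
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def is_ip_literal(host: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


class HstsStore:
    """Known-HSTS-host store keyed by host name; the port is never part of the key."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Tuple[float, bool]] = {}   # host -> (expiry, includeSubDomains)

    def observe(self, host: str, header: str, now: Optional[float] = None) -> None:
        """Process a Strict-Transport-Security header received over TLS from host."""
        now = time.time() if now is None else now
        parsed = parse_hsts(header)
        if parsed is None or is_ip_literal(host):
            return                   # malformed header or IP literal: no HSTS entry
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host.lower(), None)   # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host.lower()] = (now + max_age, include_sub)

    def is_hsts_host(self, host: str, now: Optional[float] = None) -> bool:
        """True if host, or any superdomain with includeSubDomains, has a live entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

With the header as Etherpad sends it, observe("example.org", ...) from https://example.org:9001 makes phpmyadmin.example.org an HSTS host, whereas the same header without includeSubDomains (what a reverse proxy in front of Etherpad could set instead) leaves the subdomains alone.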