How to disable HSTS in haproxy

Tags: haproxy, hsts, https

I have a haproxy-ssl-terminated (haproxy 1.5.8 2014/10/31, debian jessie stock) test website, where the certificate expired. I'd like to be able to use the site while the new certificate arrives, but chrome and firefox tell me I have HSTS enabled. I looked up what I would have needed to enable HSTS in haproxy, but it seems to me that I have none of the relevant lines in my haproxy.conf. Also, I do not see any trace of the relevant Strict-Transport-Security header, neither when using the chrome/firefox inspector nor when using curl.

The headers I get when using curl --insecure -i https://.... are:

Date: Mon, 02 Jul 2018 07:27:31 GMT
Server: Apache
Last-Modified: Fri, 29 Jun 2018 08:54:36 GMT
Vary: Accept-Encoding
Content-Type: text/html
X-Varnish: 296609
Age: 0
Via: 1.1 varnish-v4
ETag: W/"962f-56fc3ff5ab00b-gzip"
Transfer-Encoding: chunked
Connection: close
Accept-Ranges: bytes
Set-Cookie: ServerID=A; path=/
Cache-control: private

How can I disable HSTS temporarily? How can I detect what causes HSTS to be enabled in the first place?

Best Answer

As we can see from your curl output, there's currently no Strict-Transport-Security header. In HAProxy, there would have been http-response set-header Strict-Transport-Security ... in the configuration.

It has been there before, possibly at a time before you had the HAProxy in front of the web server. That's because HSTS is by design cached by the browser for max-age= seconds. If you had there e.g. max-age=31536000, it was cached for a year counting from the last presence of the header.

RFC 6797 6.1.1. The max-age Directive

The REQUIRED max-age directive specifies the number of seconds, after the reception of the STS header field, during which the UA regards the host (from whom the message was received) as a Known HSTS Host.

You can't disable HSTS temporarily from the server side by removing the header. You need to renew your certificates earlier so that the new certificate will arrive before the old one expires. Even better: automate your renewal process, like Certbot does for Let's Encrypt certificates.
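A small checker for the two questions above (is a Strict-Transport-Security header present at all, and for how long a browser keeps honouring one it saw earlier), as an added example that is not code from the question or the answer; the sample headers are the ones quoted in the question, while the HSTS variant and the timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Headers quoted in the question above (no Strict-Transport-Security present).
QUESTION_HEADERS = """Date: Mon, 02 Jul 2018 07:27:31 GMT
Server: Apache
Content-Type: text/html
Set-Cookie: ServerID=A; path=/
Cache-control: private"""
# Constructed: the same response as it would look with HSTS enabled.
HSTS_HEADERS = QUESTION_HEADERS + "\nStrict-Transport-Security: max-age=31536000; includeSubDomains"
# Constructed timestamps: when the browser last saw the header, and the curl Date: above.
RECEIVED_AT = datetime(2017, 7, 1, tzinfo=timezone.utc)
NOW = datetime(2018, 7, 2, 7, 27, 31, tzinfo=timezone.utc)

def find_sts(raw_headers):
    """Return the Strict-Transport-Security field value from raw header lines, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None

def parse_sts(value):
    """Parse an STS field value per RFC 6797 6.1; return None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, dval = part.partition("=")
        name = name.strip().lower()
        if name in directives:          # a directive MUST NOT appear more than once
            return None
        directives[name] = dval.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None                     # max-age is REQUIRED and must be delta-seconds
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def known_hsts_until(received_at, sts):
    """Instant until which the UA treats the host as a Known HSTS Host (max-age=0 forgets it)."""
    return received_at + timedelta(seconds=sts["max_age"])

def is_known_hsts_host(received_at, sts, now):
    """True while the cached policy is still in force at 'now'."""
    return now < known_hsts_until(received_at, sts)
```

Feed it the output of curl -i against the real site to confirm nothing in the chain (HAProxy, Varnish, Apache) still emits the header; the browser-side cache can only be waited out or cleared in the browser, not from the server.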