HSTS and HTTPS redirect fixes for cockpit, .onion domains

Cockpit uses WebSockets which won't work without HTTPS. For .onion domains, we are not explicitly redirecting to HTTPS since TLS is not necessary. Ensure that Cockpit continues to work with .onion domains by explicitly redirecting to HTTPS.

When HSTS is set, there is no way to override the certificate warnings. LE does not yet issue certificates for .onion domains. Certificate warnings are certainly shown there. Although browsers don't accept HSTS headers when the certificate is invalid, it is best to be safe and not set them for .onion domains.

CC: @nbenedek, this is related to your pull request !2172 (closed). Feel free to review these changes and comment.
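
The policy in the description above, sketched as an added example that is not this merge request's code: a Python WSGI middleware stands in for the web server configuration. The path `COCKPIT_PREFIX`, the `max-age` value and all function names are assumptions made for illustration.

```python
from urllib.parse import quote

COCKPIT_PREFIX = "/cockpit-placeholder/"  # hypothetical path, not from the merge request
HSTS = ("Strict-Transport-Security", "max-age=31536000")  # assumed max-age


def hostname(host_header):
    """Lower-cased host without port or trailing dot (IPv6 literals kept whole)."""
    h = host_header.lower()
    name = h[:h.find("]") + 1] if h.startswith("[") else h.partition(":")[0]
    return name.rstrip(".")


def is_onion(host_header):
    return hostname(host_header).endswith(".onion")


def tls_policy(app):
    """WSGI middleware: force HTTPS for Cockpit, send HSTS only off .onion."""
    def wrapped(environ, start_response):
        host = environ.get("HTTP_HOST", "")
        secure = environ.get("wsgi.url_scheme") == "https"
        path = environ.get("PATH_INFO", "")
        if not secure and path.startswith(COCKPIT_PREFIX):
            # Explicit redirect on every host, .onion included.
            location = "https://" + hostname(host) + quote(path)
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]

        def start(status, headers, exc_info=None):
            # A .onion certificate warning must stay overridable: no HSTS there.
            if secure and not is_onion(host):
                headers = list(headers) + [HSTS]
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped


def probe(host, scheme, path):
    """Run one constructed request through the middleware; return (status, headers)."""
    seen = {}
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    def record(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"HTTP_HOST": host, "wsgi.url_scheme": scheme, "PATH_INFO": path}
    tls_policy(app)(environ, record)
    return seen["status"], seen["headers"]
```

`probe("abcd.onion", "http", COCKPIT_PREFIX)` returns the 301 to HTTPS, while `probe("abcd.onion", "https", "/")` returns a response without the HSTS header.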
