General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx
« on: February 21, 2019, 11:46:07 pm »
It is not apparent that the little refresh icon is supposed to save the configuration. If the button that says "Save changes" doesn't save the changes, why would a user click on a refresh icon that has no tooltip? It would be really helpful if you made the Save changes button actually update the configuration.
Personally, I think HSTS should be off by default. It's too easy to mess up when testing and you're unable to get yourself corrected without digging into your browser. But if you're going to have it enabled, I think it would be very helpful to make it easy to disable. It's clearly labeled in the System:Settings:Administration "Enable HTTP Strict Transport Security" but I can't find it in nginx. There is a place in the Location that says "Force HTTPS" but disabling it doesn't appear to change HSTS, nor does the option in HTTP Server that says "HTTPS Only". It makes sense that it might be in the Security Headers section, but I don't see where it's listed. In fact, turning off the Security Policy has no effect on HSTS. There is the option for "Strict Transport Security: Time" and "Strict Transport Security: Include Subdomains", but nothing to actually turn it off. I guess I could set Time to 0? I could manually edit the nginx.cfg, but I want this to be able to survive config changes via the gui and opnsense updates.
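The post above asks whether setting the HSTS time to 0 is enough to turn the policy off. The script below is an added example, not part of the forum post or of the OPNsense nginx plugin: it reads the Strict-Transport-Security header out of an HTTP response and reports what a browser would do with it, following RFC 6797 (the header is only honoured over HTTPS, and max-age=0 tells the browser to forget the host's HSTS entry). The sample responses are constructed inline; the function name hsts_verdict is my own.

```shell
#!/bin/sh
# Added example (not from the forum post or the OPNsense nginx plugin).
# hsts_verdict RESPONSE_HEADERS SCHEME
# Prints one of:
#   none               - no Strict-Transport-Security header in the response
#   ignored-over-http  - header present, but browsers ignore HSTS on plain HTTP
#   invalid            - header present but missing the required max-age directive
#   cleared            - max-age=0: the browser drops its stored HSTS entry
#   set max-age=N [includeSubDomains]
hsts_verdict() {
    headers=$1
    scheme=$2
    # First STS header, header name matched case-insensitively, CRLF and spaces stripped
    hsts=$(printf '%s\n' "$headers" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | tr -d ' ')
    if [ -z "$hsts" ]; then
        echo "none"
        return 0
    fi
    # RFC 6797: a user agent only processes the header on a TLS connection
    if [ "$scheme" != "https" ]; then
        echo "ignored-over-http"
        return 0
    fi
    maxage=$(printf '%s' "$hsts" | tr ';' '\n' | grep -i '^max-age=' \
        | head -n 1 | cut -d= -f2 | tr -d '"')
    if [ -z "$maxage" ]; then
        echo "invalid"
        return 0
    fi
    if [ "$maxage" -eq 0 ] 2>/dev/null; then
        # max-age=0 is the documented way to make a browser forget the policy
        echo "cleared"
        return 0
    fi
    if printf '%s' "$hsts" | tr ';' '\n' | grep -iq '^includesubdomains$'; then
        echo "set max-age=$maxage includeSubDomains"
    else
        echo "set max-age=$maxage"
    fi
}

# Constructed sample responses (not captured from a real server)
RESP_ENABLED='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

RESP_CLEAR='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=0'

RESP_NONE='HTTP/1.1 200 OK
Content-Type: text/html'

hsts_verdict "$RESP_ENABLED" https
hsts_verdict "$RESP_ENABLED" http
hsts_verdict "$RESP_CLEAR" https
hsts_verdict "$RESP_NONE" https
```

Against a live server, `hsts_verdict "$(curl -sI https://example.invalid/)" https` shows what the reverse proxy is actually sending, which is the quickest way to confirm whether a GUI change took effect. Two caveats: a browser only clears its entry after it has received max-age=0 over HTTPS from that host, so the header has to keep being served for a while rather than simply disappearing; and in nginx an `add_header` directive inside a `location` block replaces, rather than adds to, the `add_header` directives inherited from the enclosing `server` block, so a per-location toggle and a server-level header can silently disagree.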