Freshrss: Suggestion: In FreshRSS docker image, disable HSTS

Created on 23 Sep 2020 · 5 Comments · Source: FreshRSS/FreshRSS

I've recently been challenged while trying to roll out a non-TLS (https) site on my docker server where Chrome and other browsers force a redirect on http to https based on a configuration setting in servers. Tracking this back, it seems that sometimes NGINX does this, though I'm not sure if by default or all the specific conditions.

Given the high likelihood that users of the FreshRSS software on Docker (and perhaps otherwise) are using multiple services with TLS and not, having HSTS enabled can be cumbersome and challenging to troubleshoot just where it started. Google's browsers are quite aggressive about this too (for example, I had to delete the browser on iOS completely and reinstall it to clear that setting).

My suggestion (and it seems to have fixed things) is to add the line inside the server {} block of the default nginx config file - /datavolume/rss/nginx/site-confs/default

add_header Strict-Transport-Security "max-age=0; includeSubDomains";

I'm curious if anyone else has thoughts about this or has come across the same situation.

Edit: Grammar

Docker Documentation

All 5 comments

Hello,
Thanks for the suggestion.
FreshRSS does not send any HSTS header, so this is purely left to the Web server / proxy.
nginx is full of traps of this type, so I personally recommend Traefik as a reverse proxy (which works great with Docker).
I do not think we should start adding workarounds for nginx as it risks leading to other problems.

Yea, sorry, this is in the linuxserver/freshrss container. My guess is you don't maintain that. Got it.

Ah, indeed not. Our official Docker images are https://hub.docker.com/r/freshrss/freshrss

@cwldev just saw this and I'm a bit confused. In the first part, you mention having hsts turned on causes issues, but then you suggest adding a header to enable hsts.

First of all, let me make a clarification. Our freshrss image is using a built-in nginx instance to serve the app. But since you're talking about http to https redirect, I assume you have a separate reverse proxy in front of that (perhaps our letsencrypt/swag image?).

If you really want to enable hsts, do it on your reverse proxy instance, not in freshrss. But a word of caution, if you enable it with the includeSubDomains option, you will not be able to serve anything over http on that domain once the browser caches it.

You can clear hsts cache in chrome, but it's not part of the main browser cache, you have to go to a specific page: chrome://net-internals/#hsts. If it's preloaded (meaning built into the browser), you cannot disable hsts without terminating the preload first.

Our swag image contains the hsts header, but it is disabled by default. Only users who know what they are doing are recommended to enable it on their homelab.
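The caching behaviour described in the comment above (a policy received with includeSubDomains also covers every subdomain, and plain-http responses can neither set nor clear it) and the max-age=0 header suggested at the top of the thread can be checked against a small model of the browser's HSTS store. This is an added example, not code from the thread, from FreshRSS or from the linuxserver images; the hostnames and header values in it are constructed for illustration, and the semantics follow RFC 6797.

```python
"""Model of how a browser caches HSTS policies (added example, not FreshRSS code).

Per RFC 6797: a Strict-Transport-Security header received over HTTPS is cached
for max-age seconds; includeSubDomains extends it to every subdomain; and
max-age=0 deletes any cached policy for that host. Headers seen over plain
HTTP are ignored. All hostnames and headers below are constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class HstsPolicy:
    expires: float            # absolute time at which the cached policy lapses
    include_subdomains: bool  # whether subdomains are covered as well


def parse_hsts(header: str) -> Optional[dict]:
    """Parse an STS header value; return None when it has no valid max-age."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """Minimal per-host HSTS cache with the same rules a browser applies."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header: Optional[str], over_tls: bool) -> None:
        """Record the STS header carried by a response from `host`."""
        if not over_tls or header is None:
            return  # only responses received over TLS may set or clear HSTS
        parsed = parse_hsts(header)
        if parsed is None:
            return
        if parsed["max_age"] == 0:
            self._policies.pop(host, None)  # max-age=0 clears the cached policy
            return
        self._policies[host] = HstsPolicy(
            expires=self._now() + parsed["max_age"],
            include_subdomains=parsed["include_subdomains"],
        )

    def must_upgrade(self, host: str) -> bool:
        """True if the browser would rewrite http://host/ to https://host/."""
        now = self._now()
        labels = host.split(".")
        # Walk from the exact host up through each parent domain.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None or policy.expires <= now:
                continue
            if candidate == host or policy.include_subdomains:
                return True
        return False


def demo() -> dict:
    """Replay the thread's scenario with constructed hosts and headers."""
    store = HstsStore()
    # The reverse proxy for example.test sends HSTS with includeSubDomains over TLS.
    store.observe("example.test", "max-age=31536000; includeSubDomains", over_tls=True)
    before = {
        "example.test": store.must_upgrade("example.test"),
        "plain.example.test": store.must_upgrade("plain.example.test"),  # http-only service now forced to https
        "other.test": store.must_upgrade("other.test"),                  # unrelated domain untouched
    }
    # A max-age=0 header over plain HTTP is ignored, so the policy survives...
    store.observe("example.test", "max-age=0", over_tls=False)
    after_http_clear = store.must_upgrade("plain.example.test")
    # ...but the same directive served over TLS removes the cached policy.
    store.observe("example.test", "max-age=0; includeSubDomains", over_tls=True)
    after_tls_clear = store.must_upgrade("plain.example.test")
    return {"before": before, "after_http_clear": after_http_clear,
            "after_tls_clear": after_tls_clear}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why the clearing header has to come from the TLS endpoint that originally set the policy: the browser only updates its store from HTTPS responses, and a preloaded entry (built into the browser, as noted above) is not represented here at all because no header can remove it.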

Indeed, the key here is that I was using a non-official docker image. The problem persists with other tools also, making a blended http/https setup a challenge, but none of this relates to the FreshRSS dev team. I thank you for the response though.

The hsts fun in other places (browser, reverse proxy, etc) is cleared up at this point.

K

