Ping a Specific Port

Question

Lenne

Asked: 2017-11-07 03:09:29 +0800 CST2017-11-07 03:09:29 +0800 CST 2017-11-07 03:09:29 +0800 CST

hsts on main port 80, not on other ports

772

I have set hsts for my domain on the site http://server.mydom.tld:80, so the brower goes to port https://server.mydom.tld on port 443

However, I also have other webservers, running on other ports. So when I go to http://server.mydom.tld:8888 it gets forwarded to https://server.mydom.tld:8888, but that server does not run https, so the request fails.

Is that according to spec?

I noticed I don't run hsts on http://mydom.tld or http://www.mydom.tld, which is probably a mistake.

What to do?

3 Answers

Voted

argure · Answer 1 · 2017-11-08T10:49:53+08:00

Best Answer

argure

2017-11-08T10:49:53+08:002017-11-08T10:49:53+08:00

Yes, this is intentional. RFC 6797 states:

     The UA MUST replace the URI scheme with "https" [RFC2818], and

     if the URI contains an explicit port component of "80", then
     the UA MUST convert the port component to be "443", or>>

     if the URI contains an explicit port component that is not
     equal to "80", the port component value MUST be preserved;
     otherwise,

     if the URI does not contain an explicit port component, the UA
     MUST NOT add one.

     NOTE:  These steps ensure that the HSTS Policy applies to HTTP
            over any TCP port of an HSTS Host.

You should run plain HTTP services on a different domain, or even better, use a HTTP+TLS server as a reverse proxy to the internal plain HTTP service.

17

Somebody · Answer 2 · 2019-01-30T04:09:01+08:00

Somebody

2019-01-30T04:09:01+08:002019-01-30T04:09:01+08:00

The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

1

Lenne · Answer 3 · 2019-12-13T23:57:58+08:00

Lenne

2019-12-13T23:57:58+08:002019-12-13T23:57:58+08:00

If one really doesn't want to run https on another service, one could add an alias in the DNS, so https://server.domain.tld and http://service.domain.tld:8888 are on the same IP/server

Then it is possible to add a redirect from http://service.domain.tld and https://service.domain.tld to http://service.domain.tld:8888

0

hsts on main port 80, not on other ports

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?