HSTS enabled by default
Description:
The NGINX page config states that an HSTS header should be sent even when a self-signed certificate is present. This blocks the usage of the newly installed Jitsi instance until a Let’s Encrypt certificate (or any other valid certificate) is deployed.
Steps to reproduce:
- Install Jitsi as described in the official quick start documentation (https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart)
- Try opening your server's Jitsi URL without installing a Let’s Encrypt certificate prior to accessing the URL.
Expected behavior:
If a self-signed certificate is present on the host the HSTS header should not be sent since it will prevent access to the page with most browsers otherwise. Jitsi should be able to run with a self-signed certificate by default.
Actual behavior:
The HSTS header is set no matter what type of certificate is used. This is due to the line add_header Strict-Transport-Security "max-age=63072000" always; within the file /etc/nginx/sites-available/<domain>.conf
Server information:
- Jitsi Meet version: jitsi-meet:all/stable 2.0.5142-1
- Operating System: Distributor ID: Debian Description: Debian GNU/Linux 10 (buster) Release: 10 Codename: buster
Client information:
- Browser / app version: Google Chrome Version 87.0.4280.141 (Official Build) (64-Bit)
- Operating System: Microsoft Windows Version 1909 (OS Build 18363.1256)
Additional information:
FYI: I searched for the template file within all repos this organization has but couldn’t find one. I’ll leave that up to you.
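A check for the situation this report describes, added here as an example and not part of the issue or the jitsi-meet project: it reads the Strict-Transport-Security header a host sends and flags the lock-out case, HSTS combined with a certificate the client cannot verify. The hostname argument and the use of curl are assumptions.

```shell
#!/bin/sh
# Assumptions: curl is installed; the host passed to check_host is an example.

# Print the max-age (seconds) of the Strict-Transport-Security header in the
# response-header text passed as $1; print nothing when the header is absent.
hsts_max_age() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($1) == "strict-transport-security:" &&
    match($0, /max-age=[0-9]+/) { print substr($0, RSTART + 8, RLENGTH - 8) }'
}

# Classify a deployment from its headers ($1) and whether the certificate
# verified ("ok" or "fail", $2). Prints one line and returns 1 for the
# lock-out case: HSTS sent while the certificate cannot be verified.
hsts_verdict() {
  age=$(hsts_max_age "$1")
  if [ -z "$age" ]; then
    echo "no HSTS header"; return 0
  fi
  days=$((age / 86400))
  if [ "$2" = ok ]; then
    echo "HSTS for $days days with a verifiable certificate"; return 0
  fi
  echo "HSTS for $days days but certificate not verifiable: browsers will refuse the site"
  return 1
}

# Live check: -k is used only to read the headers; the second, strict request
# tells us whether the certificate chain verifies.
check_host() {
  headers=$(curl -skI --max-time 10 "https://$1/") || return 2
  if curl -sI --max-time 10 -o /dev/null "https://$1/"; then v=ok; else v=fail; fi
  hsts_verdict "$headers" "$v"
}

# Constructed sample headers, matching the add_header line quoted in the issue
# (63072000 s is 730 days).
SAMPLE_HEADERS='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000
content-type: text/html'

if [ "$#" -eq 1 ]; then
  check_host "$1"
fi
```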
Top GitHub Comments
So docker uses a separate set of configuration files so this can be added there.
The issue opened is that HSTS is enabled by default, and it should be that way. Any PRs that let you select not to enable it are welcome, but that is a huge task and may break many things around the packaging and needs a lot of testing.