Disabling HTTPS with HSTS for the OpsCenter Server
Disable HTTPS with HSTS for the OpsCenter server.
Prerequisites
Removing HTTPS from an OpsCenter server is an uncommon action in production systems, but may be necessary during development and testing. HSTS complicates the process of disabling HTTPS because browsers that have recently received an HSTS header will refuse to connect to OpsCenter over unencrypted HTTP even if the HTTPS service has been disabled. When disabling HTTPS with HSTS, first lower hsts_max_age to a very small value such as 10 seconds (the default is 31536000 seconds, which equates to 1 year). Drastically lowering the value effectively disables HSTS on each browser that subsequently connects to OpsCenter and receives the updated header, ensuring that the header expires almost immediately. Continue to run OpsCenter with HTTPS enabled and a very short hsts_max_age for a sufficient period of time so that all browsers that visit OpsCenter receive the updated header. At that point, HTTPS and HSTS can be disabled entirely without disrupting the ability of supported browsers to connect to OpsCenter.
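Before switching HTTPS off, it is worth confirming that the server is really sending the lowered max-age rather than the one-year default. The following is an added example, not code from the OpsCenter documentation or product: it parses a Strict-Transport-Security header value (directive syntax per RFC 6797) and reports whether the advertised max-age is at or below the 10-second value suggested above. The sample header values are constructed, and the curl line in the comment uses placeholder host and port.

```python
"""Verify the HSTS max-age OpsCenter is advertising before disabling HTTPS.

Added example, not part of the OpsCenter docs. Capture the live header with
(placeholder host/port):  curl -sI https://<opscenter-host>:<port>/
and pass the Strict-Transport-Security value to safe_to_disable_https().
"""
import re
from typing import Dict, Optional


def parse_hsts(header_value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse an STS header value into {directive-name: value-or-None}.

    Directive names are case-insensitive and values may be quoted (RFC 6797).
    A directive may appear only once; a duplicate makes the whole header
    invalid, in which case None is returned (a UA would ignore the header).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive: header is invalid
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def hsts_max_age(header_value: str) -> Optional[int]:
    """Return the max-age in seconds, or None if absent or malformed."""
    directives = parse_hsts(header_value)
    if directives is None:
        return None
    value = directives.get("max-age")
    if value is None or not re.fullmatch(r"[0-9]+", value):
        return None
    return int(value)


def safe_to_disable_https(header_value: str, threshold: int = 10) -> bool:
    """True when the server advertises a max-age of at most `threshold` seconds.

    With the default 31536000 this is False: a browser that cached that header
    would refuse plain HTTP to OpsCenter for up to a year after HTTPS is removed.
    """
    age = hsts_max_age(header_value)
    return age is not None and age <= threshold


# Constructed sample headers: the OpsCenter default and the lowered value.
DEFAULT_HEADER = "max-age=31536000; includeSubDomains"
LOWERED_HEADER = "max-age=10; includeSubDomains"
```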
- HTTPS can be re-enabled and hsts_max_age lowered as described above.
- Manually clear the HSTS header cache in browsers. This requires visiting every browser that accesses OpsCenter, and referring to browser manufacturer documentation on clearing the HSTS header cache.
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf