About the Disabling task
Disable HTTPS with HSTS for the OpsCenter server. To disable HTTPS without HSTS, simply comment out the SSL entries. If HTTPS is used in an HSTS environment, follow the steps in this procedure to phase out the HSTS header before altogether disabling HTTPS with HSTS.
Prerequisites
Removing HTTPS from an OpsCenter server is an uncommon action in production systems, but may be necessary during development and testing.
HSTS complicates the process of disabling HTTPS because browsers that have recently received an HSTS header will refuse to connect to OpsCenter over unencrypted HTTP even if the HTTPS service has been disabled.
When disabling HTTPS with HSTS, first lower hsts_max_age
to a very small value such as 10 seconds (the default is 31536000 seconds, which equates to 1 year).
Drastically lowering the value effectively disables HSTS on each browser that subsequently connects to OpsCenter and receives the updated header, ensuring that the header expires almost immediately.
Continue to run OpsCenter with HTTPS enabled and a very short hsts_max_age
for a sufficient period of time so that all browsers that visit OpsCenter receive the updated header.
At that point, HTTPS and HSTS can be disabled entirely without disrupting the ability of supported browsers to connect to Opscenter.
If HTTPS has already been disabled and browsers are currently unable to connect to OpsCenter, the following options are available:
-
HTTPS can be re-enabled and
hsts_max_age
lowered as described above. -
Manually clear the HSTS header cache in browsers. This requires visiting every browser that accesses OpsCenter, and referring to browser manufacturer documentation on clearing the HSTS header cache.
Procedure
-
Locate the OpsCenter opscenterd.conf file to edit. The location of this file depends on the type of installation:
-
Package installations: /etc/opscenter/opscenterd.conf
-
Tarball installations: install_location/conf/opscenterd.conf
-
-
Open the configuration file, opscenterd.conf.
-
In the
[webserver]
section, make the following changes as appropriate:-
If HSTS is enabled with a long max age, lower the
hsts_max_age
value. -
Save opscenterd.conf and restart OpsCenter.
-
Run OpsCenter in this state for a while until you’re confident that all browser clients have connected and received updated hsts-headers with a short max-age.
-
-
Open opscenterd.conf again. Comment out the ssl and max age options. Set
hsts_enabled
toFalse
(or comment out) as shown in the following example:[webserver] port = 8888 interface = 127.0.0.1 #ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key #ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem #ssl_port = 8443 hsts_enabled = False #hsts_max_age = 31536000
-
Save opscenterd.conf and restart OpsCenter.
If any clients with HSTS headers are unable to connect, either re-enable https with a short max age or consult your browser vendor docs about clearing the HSTS header cache.