Apache2 / HSTS Problem

Hello,

I have a problem with HSTS on my Apache2 server:

I run a Nextcloud server at home on Debian 10 which is accessible from the internet via DynDNS. A redirect to HTTPS and the associated certificates to the domain are set up via Letsencrypt.

From the Internet everything works.
From the LAN / WLAN everything works too.

Problem: I have set up a "Private DNS" on my Android smartphone (dnsforge.de). Now when I access the Nextcloud with the Android device https://www.sascha-kissner.de/nextcloud I get the message:

You cannot visit www.sascha-kissner.de right now because the website uses HSTS

My Apache ssl.conf states:

<IfModule mod_headers.c>
    # HSTS: browsers must use HTTPS for this host and its subdomains for 180 days
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    Header always set X-Frame-Options "sameorigin"
</IfModule>

Does anyone have an idea what is wrong here or where I can still look? I would like to continue using the "Private DNS" under Android.

Thanks for your tips.

1 Like

I don't see how this relates to the cert or even HSTS though. HSTS just says the client (browser) should use https for future requests even if http requested.

Maybe something to do with your server sending http error 500?

curl -I  https://www.sascha-kissner.de/nextcloud

HTTP/2 500
date: Fri, 14 Jan 2022 16:30:45 GMT
server: Apache
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
...

Or, maybe try a support forum for the "Private DNS" product you are using?

2 Likes
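To make the two checks above concrete (the HSTS header from the ssl.conf snippet, and the `curl -I` response in the reply), here is an added example, not code from the thread: it parses `curl -I` output into a status code and headers, breaks the Strict-Transport-Security value into its directives, and reports what a browser will do with it. `SAMPLE_RESPONSE` is a constructed response modelled on the quoted curl output, with the HSTS header from the snippet added so there is a policy to audit.

```python
"""Parse a `curl -I` response and audit its Strict-Transport-Security policy.

Added example, not code from the thread. SAMPLE_RESPONSE is constructed.
"""
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_RESPONSE = """HTTP/2 500
date: Fri, 14 Jan 2022 16:30:45 GMT
server: Apache
strict-transport-security: max-age=15552000; includeSubDomains
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
"""

ONE_YEAR = 365 * 24 * 3600  # 31536000 seconds, the minimum the HSTS preload list accepts


def parse_head_response(text: str) -> Tuple[int, Dict[str, str]]:
    """Split `curl -I` output into (status code, {lower-cased header name: value})."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    status = int(lines[0].split()[1])  # "HTTP/2 500" -> 500
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        if ":" not in ln:  # skips blank lines and a "..." truncation marker
            continue
        name, value = ln.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Dict[str, Any]:
    """Break an HSTS header value into its directives (RFC 6797 syntax)."""
    policy: Dict[str, Any] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings about a parsed HSTS policy."""
    findings: List[str] = []
    max_age = policy["max_age"]
    if max_age is None:
        findings.append("max-age missing or not an integer: browsers ignore the header")
    elif max_age == 0:
        findings.append("max-age=0 clears the cached policy instead of enforcing HTTPS")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR}); too short for preload")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains are not covered")
    return findings


def audit_response(text: str) -> Tuple[int, Optional[Dict[str, Any]], List[str]]:
    """Audit a HEAD response: (status, parsed policy or None, findings)."""
    status, headers = parse_head_response(text)
    findings: List[str] = []
    if status >= 500:
        findings.append(f"server answered {status}; fix that before looking at HSTS")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return status, None, findings + ["no Strict-Transport-Security header on this response"]
    policy = parse_hsts(hsts)
    return status, policy, findings + check_hsts(policy)


if __name__ == "__main__":
    code, pol, notes = audit_response(SAMPLE_RESPONSE)
    print(code, pol)
    for note in notes:
        print(" -", note)
```

Run it against real output by piping `curl -sI https://host/path` into `audit_response`. Note that a browser only records the policy from a successful TLS connection, so a 500 with a valid certificate still installs HSTS, while a certificate error on a host that already has HSTS cached is what produces the "website uses HSTS" block with no click-through.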

Are you using a proxy?

1 Like

Sorry, wrong URL, my typo. I'm using "newcloud" instead of "nextcloud", so the correct URL would be:

https://www.sascha-kissner.de/newcloud

1 Like

No Proxy here.

I think it's something with the certificate / webserver configuration, but I don't know where to ask or where to look for help :(

1 Like

HSTS breaks all MITM (including proxies).
There must be more to that "Private DNS" system than you are aware of.

See:

3 Likes

It's the "Private DNS" system provided by Android. So it basically uses a "different" DNS than the one provided by your WiFi / network provider, and it encrypts it using "DNS over TLS".

The "curious" thing is that "Private DNS" works if I'm using it outside my LAN/WiFi network (e.g. mobile data). It's just not working "inside" my LAN/WiFi.

1 Like

Does the "Private DNS" system return the same IP (as the "Public DNS" system) ?
If not, then there is a MITM.

1 Like

Yes, it does return the same IP address. But you're pointing me in another direction. I'll have to check the configuration of my Pi-hole ... maybe I was misled by the "HSTS" message.

Thx

2 Likes

This feels somewhat like a hairpin NAT problem? When you use private DNS it will reply with your public address, which may not be redirected to your server if it's used from inside.

3 Likes

Okay, that sounds like the same situation. But how to solve that? Does the gateway / router (FritzBox) have to solve this, or the server?

1 Like

From a German forum: "Does the Fritzbox 6590 support NAT loopback / hairpinning?"
You will need to disable DNS rebind protection for that domain:
Heimnetz -> Netzwerkübersicht -> Netzwerkeinstellungen -> DNS-Rebind-Schutz
or, as Google Translate renders it:
Home network -> Network overview -> Network settings -> DNS rebind protection

2 Likes
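The replies above walk through one diagnostic sequence: compare the address a public resolver returns with the one the LAN-side resolver (the Android private DNS or a Pi-hole) returns, then account for hairpin NAT on the router and its DNS rebind protection. Here is that sequence as an added example, not code from the thread: `diagnose()` takes the two resolver answers, the LAN prefix and whether the router supports NAT loopback, and returns a diagnosis code. The addresses and the `192.168.178.0/24` prefix are constructed sample values.

```python
"""Decide why a public hostname fails only from inside the LAN.

Added example, not code from the thread; all addresses are constructed.
"""
import ipaddress
from typing import Optional, Tuple

# Diagnosis codes returned by diagnose()
UNEXPECTED_ADDRESS = "UNEXPECTED_ADDRESS"  # different public IP: treat as interception until explained
HAIRPIN_MISSING = "HAIRPIN_MISSING"        # public IP inside the LAN, router does not loop it back
HAIRPIN_OK = "HAIRPIN_OK"                  # public IP inside the LAN, router hairpins it
SPLIT_HORIZON = "SPLIT_HORIZON"            # LAN resolver answers with the server's LAN address
REBIND_FILTERED = "REBIND_FILTERED"        # no answer: rebind protection dropped a private IP


def diagnose(public_answer: str, lan_answer: Optional[str],
             lan_network: str, router_hairpins: bool) -> Tuple[str, str]:
    """Return (code, explanation) for one hostname.

    public_answer  : A record from a public resolver (the reference answer)
    lan_answer     : A record from the resolver used on the LAN, None if it returned nothing
    lan_network    : the LAN prefix, e.g. "192.168.178.0/24" (constructed sample)
    router_hairpins: True if the router supports NAT loopback (hairpin NAT)
    """
    lan = ipaddress.ip_network(lan_network)
    public_ip = ipaddress.ip_address(public_answer)

    if lan_answer is None:
        return REBIND_FILTERED, (
            "the LAN resolver returned no address; if it is configured to answer with a "
            "private IP, the router's DNS rebind protection is dropping that answer, "
            "so exempt this domain from the protection")

    lan_ip = ipaddress.ip_address(lan_answer)
    # Membership in the configured prefix is used on purpose: ipaddress.is_private
    # also flags the documentation ranges used for the samples below.
    if lan_ip in lan:
        return SPLIT_HORIZON, (
            "the LAN resolver points straight at the server's LAN address; this works "
            "as long as DNS rebind protection on the router does not filter it")
    if lan_ip == public_ip:
        if router_hairpins:
            return HAIRPIN_OK, "same public address inside and outside; the router loops it back"
        return HAIRPIN_MISSING, (
            "the public address is returned inside the LAN but the router does not "
            "redirect it back to the server (no NAT loopback)")
    return UNEXPECTED_ADDRESS, (
        f"LAN resolver gives {lan_ip}, public resolver gives {public_ip}; something else is "
        "answering for the name, and its certificate will not match, which is exactly what "
        "an HSTS-pinned browser refuses to click through")


if __name__ == "__main__":
    # Constructed observations, one per scenario discussed in the thread.
    observations = [
        ("203.0.113.10", "203.0.113.10", False),   # private DNS from inside, no loopback
        ("203.0.113.10", "203.0.113.10", True),    # same, router hairpins
        ("203.0.113.10", "192.168.178.20", False),  # Pi-hole override to the LAN address
        ("203.0.113.10", None, False),             # router filtered the private answer
        ("203.0.113.10", "198.51.100.7", True),    # some other host answers for the name
    ]
    for public, inside, hairpins in observations:
        code, why = diagnose(public, inside, "192.168.178.0/24", hairpins)
        print(f"{code:19} {why}")
```

In practice the two answers come from `dig +short host @public-resolver` and the same query against the resolver the phone actually uses; the point of the comparison is that only the `UNEXPECTED_ADDRESS` case is the man-in-the-middle HSTS was designed to stop, while the other three are local routing or resolver configuration problems that happen to surface as the same browser message.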

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.