Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Thu May 11, 2023 10:47 Post subject: [SOLVED]Lighttpd's SSL port... port 443? Or 454? Firefox?
Is it 443 or 454?
Trying to redirect all http traffic to https using mod_redirect, they were redirected to port 454 instead of port 443!!!
Is the number "454" hard-coded in the source code of lighttpd (including mod_redirect.c) somewhere to prevent conflict with WEBUI's default https port? Or maybe some hidden URL rewriting somewhere in the source code?
nvram show didn't show any variables with the value "454"! All Google Search results said the default SSL port of Lighttpd is 443 not 454.
(Edit: On second thought, does this mean Lighttpd of DD-WRT is listening on 2 SSL ports? And indeed it does, after checking "netstat -anp | grep lighttpd"! BUT, I am using my custom /jffs/etc/lighttpd.conf. Never mind, that's because I added rules to handle port 454. Going back to /tmp/lighttpd.conf still mod_redirect-ed to https port 454. Sorry, ignore this part!)
That's why it's strange! "nvram show" didn't list any entry with value "454" nor "8000". And Lighttpd was indeed listening at port 443 (https) and 80 (http). I dunno why the http->https redirect rule went to port 454. The redirected URL was displayed by Firefox as "https://my_fqdn:454".
If it's not hard-coded in the source code of Lighttpd (including mod_rewrite.c and mod_redirect.c) ..... um....
edit:
Could it be noip.com's problem? But I didn't do any port redirection to 454...
_________________
Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
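One way to settle whether the ":454" comes from lighttpd's redirect or from the browser is to read the server's own Location header with a client that keeps no history or HSTS state. This is an added example, not part of the original thread; the host name router.example.test and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = (301, 302, 303, 307, 308)

def redirect_target(status, location, request_host):
    """Return (scheme, host, port) named by the server's redirect, or None."""
    if status not in REDIRECT_CODES or not location:
        return None
    parts = urlsplit(location)
    scheme = parts.scheme or "http"        # relative Location: same scheme as the request
    host = parts.hostname or request_host  # relative Location: same host as the request
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port

def port_origin(status, location, request_host, seen_port):
    """Say where the port shown in the browser's URL bar came from.

    'server' -> the server's redirect itself names seen_port
    'client' -> the server redirects elsewhere, so seen_port was added
                on the client side (history, autocomplete, stored state)
    """
    target = redirect_target(status, location, request_host)
    if target is None:
        return "no-redirect"
    return "server" if target[2] == seen_port else "client"

def probe(host, port=80, path="/", timeout=5):
    """One plain-HTTP HEAD request; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

if __name__ == "__main__":
    HOST = "router.example.test"  # constructed placeholder host
    samples = [                   # constructed (status, Location) pairs
        (301, "https://router.example.test/"),
        (301, "https://router.example.test:454/"),
        (200, None),
    ]
    for status, location in samples:
        print(status, location, "->", port_origin(status, location, HOST, 454))
```

For a live check, pass the result of `probe()` for the real host name to `port_origin()` together with the port the browser displayed.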
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Fri May 12, 2023 8:21 Post subject:
It seemed that it's a Firefox problem, maybe one of the add-ons. If I used Private Window in Firefox, everything mostly worked as expected.
Disabling ALL add-ons did not solve the problem. Disabling security and privacy features in Firefox settings also didn't help.
On careful inspection, Firefox reached out to "googleusercontent.com" when I typed the FQDN (via DDNS noip.com) to access the non-HTTPS version of my Lighttpd website. That's when port :454 was displayed at the URL bar.
Google Search had no results for "firefox port 454" and "firefox redirect 454". There are some results about "firefox http redirect", and Firefox does prefer HTTPS over HTTP in recent updates. And there is now an HTTPS-only mode.
Why port 454 instead of port 443? Why it happened to my non-HTTPS DDNS URL but not other non-HTTPS websites? Or could it be noip.com's redirection? Still a mystery....
I could enable port 454 for HTTPS in lighttpd.conf, BUT why? Just because of this?
(edited on 23:09 HKT of 12 May 2023)
Instead of older Firefox, a profile mess, settings, about:config, try alternative fork Pale Moon or Waterfox Classic.
As for reaching out to google, maybe this is related to HSTS or "HTTP Strict Transport Security" just a guess now.
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Fri May 12, 2023 17:16 Post subject:
blkt wrote:
Instead of older Firefox, a profile mess, settings, about:config, try alternative fork Pale Moon or Waterfox Classic.
As for reaching out to google, maybe this is related to HSTS or "HTTP Strict Transport Security" just a guess now.
Thanks.
Switching from Firefox to another browser is basically the same as clearing history and everything.
So I went clearing everything in Firefox's history except cookies, and now everything worked as expected and without using Private Window.
I am very sure that I have NEVER used ":454" in the URL bar before. How come it was suggested by Firefox before I cleared history? How come it happened only to my DDNS domain? And when doing URL redirection!? Still a mystery....
Unless someone somehow tampered with my Firefox .... someone was uploading data via my Firefox to Azure cloud which seemed to be using port 454? I do NOT use any Cloud storage.
And while I was still trouble-shooting the problem and before clearing history, Firefox released an update "113.0.1". What a coincidence, and one more mystery....
Clearing history certainly worth it but to clarify not same as trying different browsers forked from older codebase.
Port situation probably google HSTS related not the preload list but another that Firefox populates can be cleared.
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Fri May 12, 2023 17:40 Post subject:
blkt wrote:
Clearing history certainly worth it but to clarify not same as trying different browsers forked from older codebase.
Port situation probably google HSTS related not the preload list but another that Firefox populates can be cleared.
I think I need to reinstall Windows, just to really flush everything secretly added while I was away from my computer and my home.
But if the culprit was Firefox, how much more strangeness was buried in its source code? Would other browsers also have these tricks? Well....
As I said before, I don't use port 454.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri May 12, 2023 19:49 Post subject:
Nothing to do with the HSTS API that I'm aware of, but I'm not digging through Mozilla's or Google's code for hours looking, nor am I going to dissect lighttpd's source code.
Azure HSTS security is on ports 454 and 455; depending on settings Firefox is likely attempting something similar.
Since all history was cleared except cookies, specifically Site Preferences cleared list SiteSecurityServiceState.txt.
To do manually select right click an item in history to Forget About This Site. BTW the above HSTS list is cleartext.
Pale Moon at least encrypts this list, as is far more security focused, of course can always disable HSTS if needed.
Firefox has a history of removing functionality in about:config no effect or deprecating or deleting items so YMMV.
Anyway, you already know about conflicts both 80 and 443 so dd-wrt ports should be moved or to disable webUI.
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Sat May 13, 2023 8:57 Post subject:
kernel-panic69 wrote:
Nothing to do with the HSTS API that I'm aware of, but I'm not digging through Mozilla's or Google's code for hours looking, nor am I going to dissect lighttpd's source code.
blkt wrote:
Azure HSTS security is on ports 454 and 455; depending on settings Firefox is likely attempting something similar.
Well yes, if your domain is in google preload list that will be a very different story. For example one of the domains
for netgear extender is now in the preload list, so no longer possible to add server exception in certificate manager.
Many options in about:config to adjust behaviors for http, https, hsts, preload, certs, root, security, privacy, isolate,
etc. It is easy to mess up but in your case just make sure if accessing https to forget or clear for future http usage.
If you set an alternative browser to never remember history effectively enabling private browsing mode this works.
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Sun May 14, 2023 6:35 Post subject:
blkt wrote:
Well yes, if your domain is in google preload list that will be a very different story. For example one of the domains
for netgear extender is now in the preload list, so no longer possible to add server exception in certificate manager.
Many options in about:config to adjust behaviors for http, https, hsts, preload, certs, root, security, privacy, isolate,
etc. It is easy to mess up but in your case just make sure if accessing https to forget or clear for future http usage.
If you set an alternative browser to never remember history effectively enabling private browsing mode this works.
Got it. This is also my first time deploying Lighttpd and in DD-WRT. If I didn't mess with mod_redirect...