Solved ASUS router page is "forced" to HTTPS and won't load

DoctorG

@t0yz I have no ASUS router but could it be that a security setting in router administration cause a redirect to SSL?

And my other idea is that such redirect is cached by Vivaldi.
Just clean this by:

Open vivaldi://net-internals
Select at left Domain Security Policy
Scroll down to Delete domain security policies
reads "Input a domain name to delete its dynamic domain security policies (HSTS and Expect-CT). (You cannot delete preloaded entries.):"
type router.asus.com in field Domain:
Hit Delete button

Pathduck

Not so sure it's Asus-specific.
But does look like a bug - specifically in Vivaldi Snapshot with the "Always use secure..." setting.

I do have a Asus router, and if I go to:
http://router.asus.com/
It does try to send me to:
Location: https://router.asus.com/

Request URL: http://router.asus.com/
Request Method: GET
Status Code: 307 Internal Redirect

The Internal Redirect here is from the browser, not the server.
This won't work for me because the router listens on 8443.

This is with the "Always use secure..." option OFF. Also checked in chrome://settings/security option is OFF.

Doing the same in Stable 5.4 I get the insecure http page - as expected.

It should also be noted that my Asus RT-AC66U is kind of old, and HTTPS has to be explicitly enabled and a port assigned. I use 8443 as they say : "Please use port 1025-65535". I'm assuming there's a technical reason why setting 443 is not recommended by Asus here. Newer Asus routers might have TLS enabled by default.

t0yz

@Pathduck said in ASUS router page is "forced" to HTTPS and won't load:

Not so sure it's Asus-specific.
But does look like a bug - specifically in Vivaldi Snapshot with the "Always use secure..." setting.

I do have a Asus router, and if I go to:
http://router.asus.com/
It does try to send me to:
Location: https://router.asus.com/
Request URL: http://router.asus.com/
Request Method: GET
Status Code: 307 Internal Redirect
The Internal Redirect here is from the browser, not the server.
This won't work for me because the router listens on 8443.

This is with the "Always use secure..." option OFF. Also checked in chrome://settings/security option is OFF.

Doing the same in Stable 5.4 I get the insecure http page - as expected.

It should also be noted that my Asus RT-AC66U is kind of old, and HTTPS has to be explicitly enabled and a port assigned. I use 8443 as they say : "Please use port 1025-65535". I'm assuming there's a technical reason why setting 443 is not recommended by Asus here. Newer Asus routers might have TLS enabled by default.

Mine is kinda old too, a RT-AC1200G+, but since it does 1Gbps just fine it's more than enough.
In Chrome settings page you linked, Always HTTPS was also turned off. Tried to enable/disable it, but it still redirects. So... I guess it's reasonable to assume the snapshot build is automatically using the setting even when disabled?

@yojimbo274064400 said in ASUS router page is "forced" to HTTPS and won't load:

Is Settings > Address Bar > Always Use Secure Connection (HTTPS), located under Security Features, selected?

Nope, mentioned it in the OP, even enabled/disabled it, but still nothing

@DoctorG said in ASUS router page is "forced" to HTTPS and won't load:

@t0yz I have no ASUS router but could it be that a security setting in router administration cause a redirect to SSL?

And my other idea is that such redirect is cached by Vivaldi.
Just clean this by:

Open vivaldi://net-internals

Select at left Domain Security Policy

Scroll down to Delete domain security policies
reads "Input a domain name to delete its dynamic domain security policies (HSTS and Expect-CT). (You cannot delete preloaded entries.):"

type router.asus.com in field Domain:

Hit Delete button

Thanks for this, didn't work sadly, still redirects to https

DoctorG

@t0yz And Vivaldi does not show any error page after such redirect?
If you get a error page, make a screenshot and leave image here.
If the error is related to certificate, you can add e exception for unsafe URLs. https://forum.vivaldi.net/post/612454
Perhaps you need a restart of Vivaldi.

pafflick

I've been using http://192.168.1.1/ as the bookmark for ages, as http://router.asus.com/ was always troublesome. Even now, I can't get it to work in any browser. Not sure if it's the particular model of my router, but it's the 3rd one from ASUS and they all seemed to have problems with the router.asus.com address. 192.168.1.1 has always been working reliably for me.
I wanted to test this, but it looks like I cannot. But it's not redirecting from HTTP to HTTPS here.

t0yz

@DoctorG I did this, still redirects to https:
Screenshot 2022-09-21 155415.png

@pafflick said in ASUS router page is "forced" to HTTPS and won't load:

I've been using http://192.168.1.1/ as the bookmark for ages, as http://router.asus.com/ was always troublesome. Even now, I can't get it to work in any browser. Not sure if it's the particular model of my router, but it's the 3rd one from ASUS and they all seemed to have problems with the router.asus.com address. 192.168.1.1 has always been working reliably for me.
I wanted to test this, but it looks like I cannot. But it's not redirecting from HTTP to HTTPS here.

On the snapshot? There's a post above where it says the stable version works. I should give that a shot too.

t0yz

The Stable Vivaldi, installed as standalone, does not redirect and works fine indeed. Snaphsot does not. Screenshot 2022-09-21 160127.png

DoctorG

@t0yz You need to add https://router.asus.com/

But i guess that will not help as your desktop firewall or router blocks this connection with Vivaldi.

t0yz

@DoctorG Tried it with https in that field and will not work.
I don't think it's my firewall nor the router, since it works in other browsers and in Vivaldi Stable. It's just the snapshot that insists on redirecting.
I mean, the router is set to http only, so yeah it will block a https attempt. But the redirect should not happen, I believe.
Screenshot 2022-09-21 160831.png

pafflick

@t0yz Yes, at first sight, it looks like a bug in the Snapshot version. But I can't say for sure, as the URL doesn't seem to work for me in any browser...

Pathduck

Interestingly, the issue does not show if going to a site that has only plain http. One would assume if there was a general bug it would also try to redirect to https on for instance:
http://textfiles.com
But it does not.

~~http://neverssl.com/online/~~ Edit: apparently these guys now have SSL...

So it appears this might only be for local addresses. It also does not try a redirect on http://localhost so it might have a special case for that as well.

DoctorG

@t0yz OK, if your router does not listen on port 443 for SSL you get no connection.

But Vivaldi does not redirect on its own to SSL (from http to https), that must be done by the router or the address router.asus.com is not really resolved as local and routed outside or some security tool on your PC does this.

t0yz

@Pathduck Can confirm all of the above. The textfiles.com site remains on http on the snapshot. localhost is not redirected either.
@DoctorG I don't really know why it happens but the stable Vivaldi is not exhibiting the behavior nor do other browsers, only the snapshot.

Pathduck

@DoctorG These are the request/response headers from a failing request to router.asus.com in Devtools/Network:

Request URL: http://router.asus.com/
Request Method: GET
Status Code: 307 Internal Redirect
Referrer Policy: strict-origin-when-cross-origin

Response:
Cross-Origin-Resource-Policy: Cross-Origin
Location: https://router.asus.com/
Non-Authoritative-Reason: HSTS

Request:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36

However, the Router does not send those Response headers, those are sent internally by the browser (307 Internal Redirect).

These are the actual response headers the router sends:

$ curl -I http://router.asus.com
HTTP/1.0 200 OK
Server: httpd/2.0
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
Date: Wed, 21 Sep 2022 13:56:07 GMT
Content-Type: text/html
Connection: close

The browser also sends a Upgrade-Insecure-Requests header. But the router will ignore that:

$ curl -I -H "Upgrade-Insecure-Requests: 1" http://router.asus.com
HTTP/1.0 200 OK
Server: httpd/2.0
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
Date: Wed, 21 Sep 2022 14:05:00 GMT
Content-Type: text/html
Connection: close

DoctorG

@Pathduck Strange, in 5.5.2801.15 i get this with Vivaldi, too.
Seems to be as 5.5 Snapshot issue!

Pathduck

@DoctorG Yes, I said so 5 hours ago

specifically in Vivaldi Snapshot

DoctorG

@Pathduck said in ASUS router page is "forced" to HTTPS and won't load:

I said so 5 hours ago

Sorry, i missed it.
Had you created a bug report yet?

t0yz

@Pathduck Thanks for taking a detailed look into this!

Pathduck

@DoctorG said in ASUS router page is "forced" to HTTPS and won't load:

Had you created a bug report yet?

Nah, I leave that up to @t0yz
After all, my router works fine on https://router.asus.com:8443/

Please read:

carefully and report the bug to Vivaldi bugtracker

DoctorG

@t0yz i ask internal team and create a report, you do not need to.