Not sure about this. It should be a feature of web servers/reverse proxies, and browsers should honour the exact http commands in replies, imo.
Ah, it is kinda expected. I thought you had this kind of warning:
@swc-phil thanks for this
I do need to learn how to reply to messages and answer correctly, like you do
After uninstalling the jellyfin app several times I am managing to fix jellyfin. Regardless, I am accessing it from the truenas IP:8096
Now I'm left with properly configuring the Tailscale app to allow me to access the Jellyfin web server app on truenas
Have a great evening mate and again thank you all for your assistance and patience
If you explicitly specify HTTP, browsers will generally honor that, but otherwise many are defaulting to HTTPS. And then there are extensions like HTTPS Everywhere that modify that behavior as well.
If you look at the beginning of this sub-thread – I did.
I am thinking about HSTS, but I am not sure if the TrueNAS webgui sets that up or not.
Good thinking. My server is sending a misconfigured HSTS header:
$ ./testssl.sh truenas.familybrown.org:444
#####################################################################
testssl.sh version 3.3dev from https://testssl.sh/dev/
(08ed5521 2025-10-13 22:10:44)
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
#####################################################################
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on pve4:./bin/openssl.Linux.x86_64
Testing all IPv4 addresses (port 444): 192.168.1.10
----------------------------------------------------------------------------------------
Start 2025-10-26 15:13:58 -->> 192.168.1.10:444 (truenas.familybrown.org) <<--
rDNS (192.168.1.10): truenas.familybrown.org. freenas2.familybrown.org.
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
QUIC not offered or timed out
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsoleted CBC ciphers (AES, ARIA etc.) not offered
Strong encryption (AEAD ciphers) with no FS not offered
Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
Testing server's cipher preferences
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
-
SSLv3
-
TLSv1
-
TLSv1.1
-
TLSv1.2 (server order)
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xc0a3 DHE-RSA-AES256-CCM8 DH 2048 AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8
xc09f DHE-RSA-AES256-CCM DH 2048 AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM
xc053 DHE-RSA-ARIA256-GCM-SHA384 DH 2048 ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
xc0a2 DHE-RSA-AES128-CCM8 DH 2048 AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8
xc09e DHE-RSA-AES128-CCM DH 2048 AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM
xc052 DHE-RSA-ARIA128-GCM-SHA256 DH 2048 ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
TLSv1.3 (server order)
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
Has server cipher order? yes (OK) -- TLS 1.3 and below
Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
FS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8
DHE-RSA-AES256-CCM DHE-RSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 TLS_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM
DHE-RSA-ARIA128-GCM-SHA256 ECDHE-ARIA128-GCM-SHA256
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192
TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512
RSA+SHA224
TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
Testing server defaults (Server Hello)
TLS extensions (standard) "server name/#0" "max fragment length/#1" "supported_groups/#10" "EC point formats/#11"
"application layer protocol negotiation/#16" "extended master secret/#23" "session ticket/#35"
"supported versions/#43" "key share/#51" "renegotiation info/#65281"
Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support yes
Session Resumption tickets: yes, ID: yes
TLS 1.3 early data support no early data offered
TLS clock skew Random values, no fingerprinting possible
Certificate Compression none
Client Authentication none
Signature Algorithm SHA256 with RSA
Server key size RSA 2048 bits (exponent is 65537)
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial 05B3E1BBD3AA7F627CC455A3443451B92997 (OK: length 18)
Fingerprints SHA1 D98B72FA8E0A5BBF7FB0D52B27283C827ECC75D7
SHA256 47A35C811A4DEA0FAF18101172C0202808B2A394FDE84DA861D2414A0B54FE57
Common Name (CN) *.familybrown.org
subjectAltName (SAN) *.familybrown.org
Trust (hostname) Ok via SAN wildcard and CN wildcard (same w/o SNI)
wildcard certificate could be problematic, see other hosts at
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=47A35C811A4DEA0FAF18101172C0202808B2A394FDE84DA861D2414A0B54FE57
Chain of trust Ok
EV cert (experimental) no
Certificate Validity (UTC) expires < 30 days (25) (2025-08-23 11:06 --> 2025-11-21 11:06)
ETS/"eTLS", visibility info not present
Certificate Revocation List http://r13.c.lencr.org/24.crl
OCSP URI --
OCSP stapling not offered
OCSP must staple extension --
DNS CAA RR (experimental) available - please check for match with "Issuer" below
issue=comodoca.com, issue=digicert.com;, issue=letsencrypt.org, issue=pki.goog;, issue=ssl.com,
issue=zerossl.com, issuewild=comodoca.com, issuewild=digicert.com;, issuewild=letsencrypt.org,
issuewild=pki.goog;, issuewild=ssl.com
Certificate Transparency yes (certificate extension)
Certificates provided 2
Issuer R13 (Let's Encrypt from US)
Intermediate cert validity #1: ok > 40 days (2027-03-12 23:59). R13 <-- ISRG Root X1
Intermediate Bad OCSP (exp.) Ok
Testing HTTP header response @ "/"
HTTP Status Code 302 Moved Temporarily, redirecting to "https://truenas.familybrown.org/ui/"
HTTP clock skew 0 sec from localtime
Strict Transport Security misconfiguration: '0' is not a valid max-age specification, includeSubDomains, preload
Public Key Pinning --
Server banner nginx
Application banner --
Cookie(s) (none issued at "/") -- maybe better try target URL of 30x
Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Permissions-Policy:
geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()
X-XSS-Protection: 1; mode=block
Permissions-Policy:
geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()
Referrer-Policy: strict-origin
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
Opossum (CVE-2025-49812) not vulnerable (OK)
ROBOT Server does not support any cipher suites that use RSA key transport
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=47A35C811A4DEA0FAF18101172C0202808B2A394FDE84DA861D2414A0B54FE57
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no common prime detected
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
Winshock (CVE-2014-6321), experimental not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Running client simulations (HTTP) via sockets
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy
------------------------------------------------------------------------------------------------
Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519)
Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
IE 8 Win 7 No connection
IE 11 Win 7 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit DH
IE 11 Win 8.1 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit DH
IE 11 Win Phone 8.1 No connection
IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519)
Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Java 7u25 No connection
Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256)
Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)
Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)
Rating (experimental)
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 100 (30)
Key Exchange (weighted) 90 (27)
Cipher Strength (weighted) 90 (36)
Final Score 93
Overall Grade A-
Grade warning HSTS max-age is misconfigured
Done 2025-10-26 15:14:54 [ 57s] -->> 192.168.1.10:444 (truenas.familybrown.org) <<--
----------------------------------------------------------------------------------------
Done testing now all IP addresses (on port 444): 192.168.1.10
I don’t see any place in the GUI to configure this, but I may be missing it.
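As an added example (not part of this thread, testssl.sh or TrueNAS), the check below parses a Strict-Transport-Security value the way a browser reads it under RFC 6797 and flags the max-age=0 case the scan above reports; the header values fed to it are constructed.

```python
# Added example (not testssl.sh or TrueNAS code): parse a Strict-Transport-Security
# value as a browser does (RFC 6797 s.6.1) and flag misconfigurations. Inputs are constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year

@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    findings: List[str] = field(default_factory=list)

def parse_hsts(header: str) -> HstsPolicy:
    max_age: Optional[int] = None
    include_sub = preload = False
    findings: List[str] = []
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip().strip('"')  # max-age may be given as a quoted-string
        if name in seen:
            findings.append(f"duplicate directive '{name}'; UAs must ignore the whole header")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"[0-9]+", value):
                max_age = int(value)
            else:
                findings.append(f"max-age value {value!r} is not a non-negative integer")
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        else:
            findings.append(f"unknown directive '{name}' ignored")
    if max_age is None:
        findings.append("max-age missing: header is invalid and browsers ignore it")
    elif max_age == 0:
        findings.append("max-age=0 tells browsers to delete any stored policy, so HSTS is off")
    if preload and (max_age is None or max_age < PRELOAD_MIN_MAX_AGE or not include_sub):
        findings.append("preload needs max-age >= 1 year and includeSubDomains")
    return HstsPolicy(max_age, include_sub, preload, findings)
```

Run it against the value from `curl -sI https://host/ | grep -i strict-transport-security` to see why a max-age of 0 with includeSubDomains and preload still leaves you without HSTS.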