From c12cf25ecdf87d379ee7fb8069159e98f6fd4183 Mon Sep 17 00:00:00 2001
From: iliajie
Date: Mon, 12 Sep 2022 14:52:03 +0300
Subject: [PATCH] Tell browser to unset HSTS policy to make non-SSL URL work
---
 webmin/change_ssl.cgi | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/webmin/change_ssl.cgi b/webmin/change_ssl.cgi
index 1ce056007..1c804f8ac 100755
--- a/webmin/change_ssl.cgi
+++ b/webmin/change_ssl.cgi
@@ -70,7 +70,13 @@ $SIG{'TERM'} = 'IGNORE'; # stop process from being killed by restart
 &restart_miniserv();
 &webmin_log("ssl", undef, undef, \%in);
-$url = "$ENV{'SERVER_NAME'}:$miniserv{'port'}/webmin/";
-if ($in{'ssl'}) { &redirect("https://$url"); }
-else { &redirect("http://$url"); }
+$url = "$ENV{'SERVER_NAME'}:$miniserv{'port'}";
+if ($in{'ssl'}) {
+ &redirect("https://$url");
+ }
+else {
+ # Tell browser to unset HSTS policy to make non-SSL URL work
+ print "Strict-Transport-Security: max-age=0; includeSubDomains\n";
+ &redirect("http://$url");
+ }
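Review bot: The added `Strict-Transport-Security: max-age=0; includeSubDomains` header in the `else` branch clears HSTS for the whole host name, not just this Webmin port, because browsers key the policy on the host and ignore the port; any other HTTPS service on the same name loses its enforced upgrade in this browser until it sends its own header again. The comment should say so, for example `# HSTS is per host name, not per port: this also drops the policy other HTTPS services on this name have set`. `includeSubDomains` is not needed alongside `max-age=0`, so `print "Strict-Transport-Security: max-age=0\n";` would state the intent more narrowly. Browsers act on the header only when it arrives over an error-free TLS connection, so the change presumably relies on this response still going out on the existing HTTPS connection after `&restart_miniserv()`; that is not visible in the hunk and is worth confirming.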