bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default. - Tobias Geerinckx-Rice via Bug reports for GNU Guix

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

From: Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org>
To: 37348@debbugs.gnu.org
Subject: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
Date: Tue,  2 Nov 2021 17:09:50 +0100	[thread overview]
Message-ID: <20211102160950.20467-1-me@tobias.gr> (raw)
In-Reply-To: <8736h643ke.fsf@rekahsoft.ca>

* hydra/nginx/berlin.scm (%berlin-servers): Add a default port-80 server
to redirect all requests to their HTTPS counterparts.  Remove explicit
HTTP support for guix.gnu.org and issues.guix.gnu.org.
---

All,

Like Chris I'm not convinced there was anything ‘missing’, but this is a
practice whose time has come and come again and left several voice mails
at this point.

People are going to keep asking for it.  The old ‘user choice’ argument
always rung hollow to me.  Shall we just do this?

This is a conservative patch: it only redirects guix.gnu.org and
issues.guix.gnu.org, the most (potential-)user-facing sites, to HTTPS.

CI should probably remain reachable over HTTP indefinitely.

Subprojects like GWL, friends like Bootstrappable, and anything else
retain ‘user choice’, until they opt in.

Kind regards,

T G-R

 hydra/nginx/berlin.scm | 42 +++++++-----------------------------------
 1 file changed, 7 insertions(+), 35 deletions(-)

diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 4713d7b..38854e3 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -797,31 +797,37 @@ PUBLISH-URL."
     (body (list "try_files $uri /$lang/$uri /$lang/$uri/index.html =404;")))
 
    (nginx-location-configuration                  ;certbot
     (uri "/.well-known")
     (body (list "root /var/www;")))))
 
 (define guix.gnu.org-locations
   (append guix.gnu.org-redirect-locations
           (guix.gnu.org-redirects-for-each-language)
           guix.gnu.org-other-locations))
 
 (define %publish-url "http://localhost:3000")
 
 (define %berlin-servers
   (list
-   ;; Plain HTTP
+   ;; Redirect domains that don't explicitly support HTTP (below) to HTTPS.
+   (nginx-server-configuration
+    (listen '("80"))
+    (raw-content
+     (list "return 308 https://$host$request_uri;")))
+
+   ;; Domains that still explicitly support plain HTTP.
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("ci.guix.gnu.org"))
     (locations (berlin-locations %publish-url))
     (raw-content
      (list
       "access_log  /var/log/nginx/http.access.log;"
       "proxy_set_header X-Forwarded-Host $host;"
       "proxy_set_header X-Forwarded-Port $server_port;"
       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("bootstrappable.org"
                    "www.bootstrappable.org"))
@@ -829,64 +835,30 @@ PUBLISH-URL."
     (raw-content
      (list
       "access_log /var/log/nginx/bootstrappable.access.log;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("disarchive.guix.gnu.org"))
     (root "/gnu/disarchive")
     (raw-content
      ;; Tell nginx to always read 'FILE.gz' when asked for 'FILE', and to
      ;; gunzip it on the fly (because the client for this typically doesn't
      ;; properly support gzip encoding).
      (list "gzip_static always; gunzip on;\n"
            "access_log /var/log/nginx/disarchive.access.log;")))
 
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("guix.gnu.org"))
-    (root "/srv/guix.gnu.org")
-    (locations guix.gnu.org-locations)
-    (raw-content
-     (list
-      "add_header Content-Security-Policy \"frame-ancestors 'none'\";"
-
-      ;; TODO This works around NGinx using the epoch for the
-      ;; Last-Modified date, as well as the etag.
-      ;; See http://issues.guix.gnu.org/37207
-      "add_header Last-Modified \"\";"
-      "if_modified_since off;"
-      "etag off;"
-
-      "rewrite (.*)/$ $1/index.html;"
-      "access_log /var/log/nginx/guix-info.access.log;")))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("issues.guix.gnu.org"))
-    (root "/home/rekado/mumi/")
-    (locations
-     (list (nginx-location-configuration ;certbot
-            (uri "/.well-known")
-            (body (list "root /var/www;")))
-           (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:1234;")))))
-    (raw-content
-     (list
-      "access_log /var/log/nginx/issues-guix-info.access.log;")))
-
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("guixwl.org"
                    "www.guixwl.org"))
     (root "/home/rekado/gwl/")
     (locations
      (list (nginx-location-configuration ;certbot
             (uri "/.well-known")
             (body (list "root /var/www;")))
 
            (nginx-location-configuration
             (uri "/manual")
             (body (list "alias /srv/gwl-manual;")))
 
            ;; Pass requests to 'guix workflow --web-interface'.

base-commit: 9782bc16ef4384171c7b7381ad27a4b9ba60ca61
-- 
2.33.0

next prev parent reply	other threads:[~2021-11-02 16:17 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-09  2:16 bug#37348: Force https redirect missing from ci, workflow and workflows guix.info sub-domains Collin J. Doering
2019-09-09  6:47 ` Christopher Baines
2021-11-02 16:09 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix [this message]
2021-11-03  1:06   ` bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-11-03  1:18     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-11-19 16:03   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:4713d7b dfblob:38854e3
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211102160950.20467-1-me@tobias.gr \
    --to=bug-guix@gnu.org \
    --cc=37348@debbugs.gnu.org \
    --cc=me@tobias.gr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).