* bug#37348: Force https redirect missing from ci, workflow and workflows guix.info sub-domains
@ 2019-09-09  2:16 Collin J. Doering
  2019-09-09  6:47 ` Christopher Baines
  2021-11-02 16:09 ` bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default Tobias Geerinckx-Rice via Bug reports for GNU Guix
  0 siblings, 2 replies; 6+ messages in thread
From: Collin J. Doering @ 2019-09-09  2:16 UTC (permalink / raw)
  To: 37348

Hi all,

Not sure where the best place to report this is, however today I noticed
that ci.guix.info, workflow.guix.info and workflows.guix.info do not
redirect http to https, though it's also served over https.

Kind regards,
-- 
Collin J. Doering

http://rekahsoft.ca
http://blog.rekahsoft.ca
http://git.rekahsoft.ca

* bug#37348: Force https redirect missing from ci, workflow and workflows guix.info sub-domains
From: Christopher Baines @ 2019-09-09  6:47 UTC (permalink / raw)
  To: 37348

Collin J. Doering <collin@rekahsoft.ca> writes:

> Not sure where the best place to report this, however today I noticed
> that ci.guix.info, workflow.guix.info and workflows.guix.info do not
> redirect http to https, though its also served over https.

I'm unsure if this is intentional, or something to change.

There are security advantages to forcing all users to use HTTPS, with
the disadvantage that some of those users might not want to use
HTTPS. I'm not sure whether the need for security on those domains is
high enough to justify not supporting plain HTTP...

* bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-11-02 16:09 UTC (permalink / raw)
  To: 37348

* hydra/nginx/berlin.scm (%berlin-servers): Add a default port-80 server
to redirect all requests to their HTTPS counterparts.  Remove explicit
HTTP support for guix.gnu.org and issues.guix.gnu.org.
---

All,

Like Chris I'm not convinced there was anything ‘missing’, but this is a
practice whose time has come and come again and left several voice mails
at this point.

People are going to keep asking for it.  The old ‘user choice’ argument
always rang hollow to me.  Shall we just do this?

This is a conservative patch: it only redirects guix.gnu.org and
issues.guix.gnu.org, the most (potential-)user-facing sites, to HTTPS.

CI should probably remain reachable over HTTP indefinitely.

Subprojects like GWL, friends like Bootstrappable, and anything else
retain ‘user choice’, until they opt in.

Kind regards,

T G-R

 hydra/nginx/berlin.scm | 42 +++++++-----------------------------------
 1 file changed, 7 insertions(+), 35 deletions(-)

diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 4713d7b..38854e3 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -797,31 +797,37 @@ PUBLISH-URL."
     (body (list "try_files $uri /$lang/$uri /$lang/$uri/index.html =404;")))
 
    (nginx-location-configuration                  ;certbot
     (uri "/.well-known")
     (body (list "root /var/www;")))))
 
 (define guix.gnu.org-locations
   (append guix.gnu.org-redirect-locations
           (guix.gnu.org-redirects-for-each-language)
           guix.gnu.org-other-locations))
 
 (define %publish-url "http://localhost:3000")
 
 (define %berlin-servers
   (list
-   ;; Plain HTTP
+   ;; Redirect domains that don't explicitly support HTTP (below) to HTTPS.
+   (nginx-server-configuration
+    (listen '("80"))
+    (raw-content
+     (list "return 308 https://$host$request_uri;")))
+
+   ;; Domains that still explicitly support plain HTTP.
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("ci.guix.gnu.org"))
     (locations (berlin-locations %publish-url))
     (raw-content
      (list
       "access_log  /var/log/nginx/http.access.log;"
       "proxy_set_header X-Forwarded-Host $host;"
       "proxy_set_header X-Forwarded-Port $server_port;"
       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("bootstrappable.org"
                    "www.bootstrappable.org"))
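Review bot: the new catch-all server at the head of %berlin-servers has neither a `server_name` nor a `default_server` flag on its `listen`, so it only becomes nginx's default for port 80 because it happens to be the first `listen 80` block in the list (nginx falls back to the first server for an address:port pair when none is marked `default_server`). Anyone who later prepends another port-80 entry will silently steal the unmatched-host traffic. Suggest `(listen '("80 default_server"))` and a comment stating that the block must catch everything not named below, so the intent does not depend on list order. The `return 308 https://$host$request_uri;` line echoes the client's Host header back as the redirect target; that is the usual pattern and not an open redirect, since the client chose that name, but a request arriving with an IP literal or an unknown Host will now be sent to an HTTPS name with no matching certificate and fail with a TLS error rather than a 404, which deserves a comment.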
@@ -829,64 +835,30 @@ PUBLISH-URL."
     (raw-content
      (list
       "access_log /var/log/nginx/bootstrappable.access.log;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("disarchive.guix.gnu.org"))
     (root "/gnu/disarchive")
     (raw-content
      ;; Tell nginx to always read 'FILE.gz' when asked for 'FILE', and to
      ;; gunzip it on the fly (because the client for this typically doesn't
      ;; properly support gzip encoding).
      (list "gzip_static always; gunzip on;\n"
            "access_log /var/log/nginx/disarchive.access.log;")))
 
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("guix.gnu.org"))
-    (root "/srv/guix.gnu.org")
-    (locations guix.gnu.org-locations)
-    (raw-content
-     (list
-      "add_header Content-Security-Policy \"frame-ancestors 'none'\";"
-
-      ;; TODO This works around NGinx using the epoch for the
-      ;; Last-Modified date, as well as the etag.
-      ;; See http://issues.guix.gnu.org/37207
-      "add_header Last-Modified \"\";"
-      "if_modified_since off;"
-      "etag off;"
-
-      "rewrite (.*)/$ $1/index.html;"
-      "access_log /var/log/nginx/guix-info.access.log;")))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("issues.guix.gnu.org"))
-    (root "/home/rekado/mumi/")
-    (locations
-     (list (nginx-location-configuration ;certbot
-            (uri "/.well-known")
-            (body (list "root /var/www;")))
-           (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:1234;")))))
-    (raw-content
-     (list
-      "access_log /var/log/nginx/issues-guix-info.access.log;")))
-
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("guixwl.org"
                    "www.guixwl.org"))
     (root "/home/rekado/gwl/")
     (locations
      (list (nginx-location-configuration ;certbot
             (uri "/.well-known")
             (body (list "root /var/www;")))
 
            (nginx-location-configuration
             (uri "/manual")
             (body (list "alias /srv/gwl-manual;")))
 
            ;; Pass requests to 'guix workflow --web-interface'.
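Review bot: the deleted guix.gnu.org block carried `add_header Content-Security-Policy \"frame-ancestors 'none'\";` together with the `add_header Last-Modified \"\";` / `if_modified_since off;` / `etag off;` workaround for http://issues.guix.gnu.org/37207, and the deleted issues.guix.gnu.org block carried the certbot `/.well-known` location; nothing in this diff re-adds any of them. Please confirm that the HTTPS server blocks for both names (not shown in this hunk) already set the same CSP header and the same Last-Modified/etag workaround, otherwise the redirect quietly drops them. With the port-80 `/.well-known` location gone for these two names, HTTP-01 renewals now rely on the ACME client following the 308 to the HTTPS block's `/.well-known`; the commit message only says "Remove explicit HTTP support" and should mention this, so the next person does not wonder why certbot traffic is being redirected.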

base-commit: 9782bc16ef4384171c7b7381ad27a4b9ba60ca61
-- 
2.33.0


* bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-11-03  1:06 UTC (permalink / raw)
  Cc: 37348

Damn,

Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:
> This is a conservative patch: it only redirects guix.gnu.org and
> issues.guix.gnu.org, the most (potential-)user-facing sites, to HTTPS.
>
> CI should probably remain reachable over HTTP indefinitely.
>
> Subprojects like GWL, friends like Bootstrappable, and anything else
> retain ‘user choice’, until they opt in.

The current situation is actually more horked than that:

  ~ λ curl -LI https://gnu.org
  HTTP/1.1 301 Moved Permanently
  […]
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

This is a great security policy!  It also announces to the modern
world that *all* HTTP connections to *any* subdomain of gnu.org
should be silently upgraded to HTTPS.

If your UA honours this header and has ever visited gnu.org,
visiting http://ci.guix.gnu.org should not be possible.  It will
immediately upgrade to HTTPS.  Certificate errors can no longer be
bypassed.  guix.gnu.org cannot relax this policy.

Now, for some reason, current Firefox doesn't seem to do any of
this (compatibility?) but it may only be a matter of time.

Kind regards,

T G-R

* bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-11-03  1:18 UTC (permalink / raw)
  Cc: 37348

> Now, for some reason, current Firefox doesn't seem to do any of this
> (compatibility?) but it may only be a matter of time.

Probably due to gnu.org wonkiness:

  ~ λ curl -LI https://www.gnu.org
  […]
  Strict-Transport-Security: max-age=63072000

I.e., missing includeSubDomains, and (at least my) browser's
apparent urge to connect to www.gnu.org even when I type
https://gnu.org.

We can't keep relying on this, though.

Kind regards,

T G-R
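The two curl transcripts in the previous two messages (gnu.org sending includeSubDomains, www.gnu.org not) are exactly what decides whether a UA that honours HSTS will still let you open http://ci.guix.gnu.org. The following is an added example, not code from this thread or from the Guix project: a small RFC 6797 directive parser plus the superdomain matching rule, run over the two header values as quoted above (the policy objects are constructed here, not fetched).

```python
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str                 # host whose HTTPS response carried the header
    max_age: int              # seconds the UA must remember the policy
    include_subdomains: bool  # RFC 6797 includeSubDomains directive present
    preload: bool             # non-standard hint consumed by browser preload lists


def parse_hsts(host: str, header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Directive names are case-insensitive; max-age is mandatory, the others
    are flags.  A UA only processes this header on an HTTPS response, so the
    caller is expected to pass the host it was received from over TLS.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security requires a max-age directive")
    return HstsPolicy(host.lower(), max_age, include_subdomains, preload)


def must_upgrade(policy: HstsPolicy, target_host: str) -> bool:
    """True if a UA holding POLICY must rewrite http://TARGET_HOST to https://.

    An exact host match always upgrades; a superdomain match (target is a
    subdomain of the policy host) upgrades only with includeSubDomains.
    max-age=0 instructs the UA to forget the host instead.
    """
    if policy.max_age == 0:
        return False
    target = target_host.lower()
    if target == policy.host:
        return True
    return policy.include_subdomains and target.endswith("." + policy.host)


# Constructed from the two header lines quoted in the thread.
GNU_ORG = parse_hsts("gnu.org", "max-age=63072000; includeSubDomains; preload")
WWW_GNU_ORG = parse_hsts("www.gnu.org", "max-age=63072000")
```

Visiting gnu.org pins every subdomain, so an HSTS-honouring UA turns http://ci.guix.gnu.org into HTTPS; the www.gnu.org header, lacking includeSubDomains, pins only itself.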

* bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-11-19 16:03 UTC (permalink / raw)
  Cc: 37348-done, 37348

Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:
> * hydra/nginx/berlin.scm (%berlin-servers): Add a default port-80 server
> to redirect all requests to their HTTPS counterparts.  Remove explicit
> HTTP support for guix.gnu.org and issues.guix.gnu.org.

Pushed as 4015696e45c2242a2e7221c4f43231db5581bda4.

Kind regards,

T G-R
