unofficial mirror of help-guix@gnu.org 
* Certbot service: no http -> https redirection
@ 2020-10-20  7:40 divoplade
  2020-10-20  9:42 ` jbranso
  0 siblings, 1 reply; 7+ messages in thread
From: divoplade @ 2020-10-20  7:40 UTC (permalink / raw)
  To: help-guix

Dear guix,

I have a certbot service with an nginx service. If I understand
correctly, certbot should hack the nginx configuration in order to
register itself for all .well-known/acme-challenge (I'm not sure for
the path syntax, but that's not the point) requests, and basically
redirect all other HTTP requests to HTTPS.

However, my system does not seem to do that.

How does guix know that my web server configuration needs to be
extended with certbot's anyway? Should I add a configuration entry?

For now my web configuration is:
https://code.divoplade.fr/divoplade-site.git/tree/divoplade/services/web.scm

Notice that there's no configuration entry for certbot.

My certbot configuration is:
https://code.divoplade.fr/divoplade-site.git/tree/divoplade/services/certbot.scm

Best regards,

divoplade




* Re: Certbot service: no http -> https redirection
  2020-10-20  7:40 Certbot service: no http -> https redirection divoplade
@ 2020-10-20  9:42 ` jbranso
  2020-10-20 10:17   ` divoplade
  0 siblings, 1 reply; 7+ messages in thread
From: jbranso @ 2020-10-20  9:42 UTC (permalink / raw)
  To: divoplade, help-guix

Perhaps my guix configuration will help you figure out how to write your config.scm properly.  The below file is what's running gnucode.me

https://notabug.org/jbranso/linode-guix-system-configuration/src/master/linode-locke-lamora-current-config.scm

Best of luck,

Joshua



* Re: Certbot service: no http -> https redirection
  2020-10-20  9:42 ` jbranso
@ 2020-10-20 10:17   ` divoplade
  2020-10-20 12:04     ` Julien Lepiller
  0 siblings, 1 reply; 7+ messages in thread
From: divoplade @ 2020-10-20 10:17 UTC (permalink / raw)
  To: jbranso, help-guix

Hello Joshua,

On Tuesday, 20 October 2020 at 09:42 +0000, jbranso@dismail.de wrote:
> gnucode.me

I think you have the same problem. This site does not have HTTPS
automatic redirection.

www.gnu-hurd.com does try to do HTTPS redirection though (be careful,
you don't have a valid certificate), which is very puzzling to me.

Anyway, I see you do these redirections yourself. So I will do the
same.

Best regards,

divoplade




* Re: Certbot service: no http -> https redirection
  2020-10-20 10:17   ` divoplade
@ 2020-10-20 12:04     ` Julien Lepiller
  2020-10-20 18:34       ` Joshua Branson
  0 siblings, 1 reply; 7+ messages in thread
From: Julien Lepiller @ 2020-10-20 12:04 UTC (permalink / raw)
  To: help-guix, divoplade, jbranso

Weird, I have the certbot and nginx services, and I don't need to redirect manually: https://git.lepiller.eu/system-configuration/tree/-/systems/ene.scm

On 20 October 2020 06:17:00 GMT-04:00, divoplade <d@divoplade.fr> wrote:
>Hello Joshua,
>
>On Tuesday, 20 October 2020 at 09:42 +0000, jbranso@dismail.de wrote:
>> gnucode.me
>
>I think you have the same problem. This site does not have HTTPS
>automatic redirection.
>
>www.gnu-hurd.com does try to do HTTPS redirection though (be careful,
>you don't have a valid certificate), which is very puzzling to me.
>
>Anyway, I see you do these redirections yourself. So I will do the
>same.
>
>Best regards,
>
>divoplade
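
A Guix configuration in which the port-80 server block that the certbot service adds to nginx performs the redirect, as an added example that is not taken from any of the configurations linked in this thread. example.org, the e-mail address and the web root are placeholders; it assumes the site's own nginx server block is kept off port 80 so that it does not compete with certbot's block for the same server name.

```scheme
;; Added example, not from the thread.  example.org, admin@example.org and
;; /srv/http/example.org are placeholders.
(use-modules (gnu) (guix gexp))
(use-service-modules certbot web)

(define %nginx-deploy-hook
  ;; Reload nginx after a renewal so it picks up the new certificate.
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
       (kill pid SIGHUP))))

(define %web-services
  (list
   ;; certbot-service-type extends nginx-service-type with a server block
   ;; on port 80 for every domain listed here.  That block serves the ACME
   ;; challenge files and hands everything else to `default-location'.
   (service certbot-service-type
            (certbot-configuration
             (email "admin@example.org")
             (certificates
              (list (certificate-configuration
                     (domains '("example.org"))
                     (deploy-hook %nginx-deploy-hook))))
             ;; The default value, written out for clarity: redirect all
             ;; other plain-HTTP requests to HTTPS.  #f disables it.
             (default-location
               (nginx-location-configuration
                (uri "/")
                (body (list "return 301 https://$host$request_uri;"))))))
   (service nginx-service-type
            (nginx-configuration
             (server-blocks
              (list (nginx-server-configuration
                     (server-name '("example.org"))
                     ;; HTTPS only.  The default `listen' value also covers
                     ;; port 80, where this block would compete with the
                     ;; one certbot adds for the same server name.
                     (listen '("443 ssl"))
                     (ssl-certificate
                      "/etc/letsencrypt/live/example.org/fullchain.pem")
                     (ssl-certificate-key
                      "/etc/letsencrypt/live/example.org/privkey.pem")
                     (root "/srv/http/example.org"))))))))
```

The list is meant to be appended to the `services` field of an `operating-system` declaration.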


* Re: Certbot service: no http -> https redirection
  2020-10-20 12:04     ` Julien Lepiller
@ 2020-10-20 18:34       ` Joshua Branson
  2020-10-20 19:57         ` Julien Lepiller
  0 siblings, 1 reply; 7+ messages in thread
From: Joshua Branson @ 2020-10-20 18:34 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: help-guix, divoplade


Oh, now that you guys mention it, isn't a http to https re-direct a
potential security risk, via a man in the middle attack?

-- 
Joshua Branson
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
"You can have whatever you want, as long as you help enough other people get what they want." - Zig Ziglar



* Re: Certbot service: no http -> https redirection
  2020-10-20 18:34       ` Joshua Branson
@ 2020-10-20 19:57         ` Julien Lepiller
  2020-10-20 21:01           ` Joshua Branson
  0 siblings, 1 reply; 7+ messages in thread
From: Julien Lepiller @ 2020-10-20 19:57 UTC (permalink / raw)
  To: Joshua Branson; +Cc: help-guix



On 20 October 2020 14:34:29 GMT-04:00, Joshua Branson <jbranso@dismail.de> wrote:
>
>Oh, now that you guys mention it, isn't a http to https re-direct a
>potential security risk, via a man in the middle attack?

How could it be worse than serving your site on http?



* Re: Certbot service: no http -> https redirection
  2020-10-20 19:57         ` Julien Lepiller
@ 2020-10-20 21:01           ` Joshua Branson
  0 siblings, 0 replies; 7+ messages in thread
From: Joshua Branson @ 2020-10-20 21:01 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: help-guix


Well I serve my sites on https.  If you access the https version, then
the browser will redirect you to the https version.

--
Joshua Branson
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
"You can have whatever you want, as long as you help enough other people get what they want." - Zig Ziglar

