Force https redirect missing from ci, workflow and workflows guix.info sub-domains

  • Done
  • quality assurance status badge
Details
3 participants
  • Collin J. Doering
  • Christopher Baines
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Collin J. Doering
Severity
normal
C
C
Collin J. Doering wrote on 9 Sep 2019 04:16
(address . bug-guix@gnu.org)
8736h643ke.fsf@rekahsoft.ca
Hi all,

Not sure where the best place to report this, however today I noticed
that ci.guix.info, workflow.guix.info and workflows.guix.info do not
redirect http to https, though its also served over https.

Kind regards,
--
Collin J. Doering

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE+NVG868371PRtki+e03rkyErMCIFAl11tfEACgkQe03rkyEr
MCLttgf/bDwfsDvI+SFJWZ8Qm0wU+diCPtuRPrPCLZPY8ovK1IBsG+U/2RZcAs+w
1VG3YHsQ5fFxp+6wo2nSs3WJCwIdWkl0i6rqcrvUwczLue4qskhh4Ey2r392PcqV
Qng1wS1kfoRtMDuabxKmJRZb5IV6uR8YII0XHKppOzIheIXcugUnkDmqoZH8m+IE
HDSPgRLBMumU2zXC2mGd/3MJcS/2oSQ7XcpL5TYfAQ0dyjbw6/hRak+VxU+g3Qw9
kz1QXJ5NjHtLF6+7Za2d3Y9sC0b7up84MFKhqTKOwmNWS+qWmcce9fTS1bb0/axs
iZMCbEqGFGyQbLcP7ZL1qnuLkABuKg==
=YdOw
-----END PGP SIGNATURE-----

C
C
Christopher Baines wrote on 9 Sep 2019 08:47
(address . 37348@debbugs.gnu.org)
87h85mney7.fsf@cbaines.net
Collin J. Doering <collin@rekahsoft.ca> writes:

Toggle quote (4 lines)
> Not sure where the best place to report this, however today I noticed
> that ci.guix.info, workflow.guix.info and workflows.guix.info do not
> redirect http to https, though its also served over https.

I'm unsure if this is intentional, or something to change.

There are security advantages to forcing all users to use HTTPS, with
the disadvantage that some of those users might not want to use
HTTPS. I'm not sure whether the need for security on those domains is
high enough to justify not supporting plain HTTP...
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEPonu50WOcg2XVOCyXiijOwuE9XcFAl119ZBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcACgkQXiijOwuE
9XeZnA//ectCSQ1pUy55pWjXxYfvfhNXYqvz79Vh0si0LJCpF3UhuVZZjq8j3D67
VSSMsT+9iqThmhrWu4Vl5dzJ9//jYZiGivgl4+ZF2b95BjT8FCT7+zA3xvwlNZ/A
/UPkxMLlO/3DTW3sB3Fx6wwr9zDOCBojAK5jxPa/hcuVbhGrzTK0m/tfLWJqjiaI
MjbxGqvroPTrKSZ8AekkeqYxsgvO9LsTqaSK1iGgaq42tf7+E67UHEvSLUE8gkn7
IpSK5hpQpdOqrYLCRpWqwW2bPqwro6Qbxrlp3nSlDjQtyAPH9oylk7AbnVEvEaiu
W9FimoCdsSLi8jChdY+xrIfN2GBlLJkFR6J90k2MiI5R/ojBq5DUzxQxQdd4JZ+B
ausRpy2o07hCWdVMQiRl1/B70ZxhCld9NC+tbebC9hcbKncscRopQSWzCPW6MnP7
Cg1j9GWSQQB2QTkp7Red7C8N1wE9TFpAkDWQEjJSHBv31/D0aXvqksu2Uf3RPFRQ
ua7CyqxdrNPec8U9jhSc/Kl/RF2WJAh0lDb67/5TWtBlLhPP49ZCOQDrwAL9c+QH
CYTyG++kOxbHmsZNRcUjXxM8LQXewqeLBrMaLe8U2gHwlyylhvC1hJ9B4+rz9pmh
dpCf9iiS8GawrpVnKTJTa46Omv9/V8ZdHXBFtYWb+Ac6VVSkpBs=
=OBPk
-----END PGP SIGNATURE-----

T
T
Tobias Geerinckx-Rice wrote on 2 Nov 2021 17:09
[PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
(address . 37348@debbugs.gnu.org)
20211102160950.20467-1-me@tobias.gr
* hydra/nginx/berlin.scm (%berlin-servers): Add a default port-80 server
to redirect all requests to their HTTPS counterparts. Remove explicit
HTTP support for guix.gnu.org and issues.guix.gnu.org.
---

All,

Like Chris I'm not convinced there was anything ‘missing’, but this is a
practice whose time has come and come again and left several voice mails
at this point.

People are going to keep asking for it. The old ‘user choice’ argument
always rung hollow to me. Shall we just do this?

This is a conservative patch: it only redirects guix.gnu.org and
issues.guix.gnu.org, the most (potential-)user-facing sites, to HTTPS.

CI should probably remain reachable over HTTP indefinitely.

Subprojects like GWL, friends like Bootstrappable, and anything else
retain ‘user choice’, until they opt in.

Kind regards,

T G-R

hydra/nginx/berlin.scm | 42 +++++++-----------------------------------
1 file changed, 7 insertions(+), 35 deletions(-)

Toggle diff (112 lines)
diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 4713d7b..38854e3 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -797,31 +797,37 @@ PUBLISH-URL."
(body (list "try_files $uri /$lang/$uri /$lang/$uri/index.html =404;")))
(nginx-location-configuration ;certbot
(uri "/.well-known")
(body (list "root /var/www;")))))
(define guix.gnu.org-locations
(append guix.gnu.org-redirect-locations
(guix.gnu.org-redirects-for-each-language)
guix.gnu.org-other-locations))
(define %publish-url "http://localhost:3000")
(define %berlin-servers
(list
- ;; Plain HTTP
+ ;; Redirect domains that don't explicitly support HTTP (below) to HTTPS.
+ (nginx-server-configuration
+ (listen '("80"))
+ (raw-content
+ (list "return 308 https://$host$request_uri;")))
+
+ ;; Domains that still explicitly support plain HTTP.
(nginx-server-configuration
(listen '("80"))
(server-name '("ci.guix.gnu.org"))
(locations (berlin-locations %publish-url))
(raw-content
(list
"access_log /var/log/nginx/http.access.log;"
"proxy_set_header X-Forwarded-Host $host;"
"proxy_set_header X-Forwarded-Port $server_port;"
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")))
(nginx-server-configuration
(listen '("80"))
(server-name '("bootstrappable.org"
"www.bootstrappable.org"))
@@ -829,64 +835,30 @@ PUBLISH-URL."
(raw-content
(list
"access_log /var/log/nginx/bootstrappable.access.log;")))
(nginx-server-configuration
(listen '("80"))
(server-name '("disarchive.guix.gnu.org"))
(root "/gnu/disarchive")
(raw-content
;; Tell nginx to always read 'FILE.gz' when asked for 'FILE', and to
;; gunzip it on the fly (because the client for this typically doesn't
;; properly support gzip encoding).
(list "gzip_static always; gunzip on;\n"
"access_log /var/log/nginx/disarchive.access.log;")))
- (nginx-server-configuration
- (listen '("80"))
- (server-name '("guix.gnu.org"))
- (root "/srv/guix.gnu.org")
- (locations guix.gnu.org-locations)
- (raw-content
- (list
- "add_header Content-Security-Policy \"frame-ancestors 'none'\";"
-
- ;; TODO This works around NGinx using the epoch for the
- ;; Last-Modified date, as well as the etag.
- ;; See http://issues.guix.gnu.org/37207
- "add_header Last-Modified \"\";"
- "if_modified_since off;"
- "etag off;"
-
- "rewrite (.*)/$ $1/index.html;"
- "access_log /var/log/nginx/guix-info.access.log;")))
-
- (nginx-server-configuration
- (listen '("80"))
- (server-name '("issues.guix.gnu.org"))
- (root "/home/rekado/mumi/")
- (locations
- (list (nginx-location-configuration ;certbot
- (uri "/.well-known")
- (body (list "root /var/www;")))
- (nginx-location-configuration
- (uri "/")
- (body '("proxy_pass http://localhost:1234;")))))
- (raw-content
- (list
- "access_log /var/log/nginx/issues-guix-info.access.log;")))
-
(nginx-server-configuration
(listen '("80"))
(server-name '("guixwl.org"
"www.guixwl.org"))
(root "/home/rekado/gwl/")
(locations
(list (nginx-location-configuration ;certbot
(uri "/.well-known")
(body (list "root /var/www;")))
(nginx-location-configuration
(uri "/manual")
(body (list "alias /srv/gwl-manual;")))
;; Pass requests to 'guix workflow --web-interface'.

base-commit: 9782bc16ef4384171c7b7381ad27a4b9ba60ca61
--
2.33.0
T
T
Tobias Geerinckx-Rice wrote on 3 Nov 2021 02:06
87ilxam46w.fsf@nckx
Damn,

Tobias Geerinckx-Rice via Bug reports for GNU Guix ???
Toggle quote (10 lines)
> This is a conservative patch: it only redirects guix.gnu.org and
> issues.guix.gnu.org, the most (potential-)user-facing sites, to
> HTTPS.
>
> CI should probably remain reachable over HTTP indefinitely.
>
> Subprojects like GWL, friends like Bootstrappable, and anything
> else
> retain ‘user choice’, until they opt in.

The current situation is actually more horked than that:

~ λ curl -LI https://gnu.org
HTTP/1.1 301 Moved Permanently
[…]
Strict-Transport-Security: max-age=63072000; includeSubDomains;
preload

This is a great security policy! It also announces to the modern
world that *all* HTTP connections to *any* subdomain of gnu.org
should be silently upgraded to HTTPS.

If your UA honours this header and has ever visited gnu.org,
visiting http://ci.guix.gnu.orgshould not be possible. It will
immediately upgrade to HTTPS. Certificate errors can no longer be
bypassed. guix.gnu.org cannot relax this policy.

Now, for some reason, current Firefox doesn't seem to do any of
this (compatibility?) but it may only be a matter of time.

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYYHiRw0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW156/MA/jGe0pPAhCnUM7ru93JFTLnId7eqRuibxLP38gho
gSizAP9vcvv3TM2FgzT+a7ja326Kec1dR6PxfKVE+7A0RlD0Bw==
=0ZQL
-----END PGP SIGNATURE-----

T
T
Tobias Geerinckx-Rice wrote on 3 Nov 2021 02:18
87ee7ym3ug.fsf@nckx
Toggle quote (4 lines)
> Now, for some reason, current Firefox doesn't seem to do any of
> this
> (compatibility?) but it may only be a matter of time.

Probably due to gnu.org wonkiness:

~ λ curl -LI https://www.gnu.org
[…]
Strict-Transport-Security: max-age=63072000

I.e., missing includeSubDomains, and (at least my) browser's
apparent urge to connect to www.gnu.org even when I type
https://gnu.org.

We can't keep relying on this, though.

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYYHkBw0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15W5MA/RB9ivagrCRr0JeMfQpxpOxbx6jQlVkrY1MTnTRY
hsG8AQCBUPIn2L8rC/7myDTPIFj6vgTIhjGIcMZRymkFb4AUCg==
=QO9B
-----END PGP SIGNATURE-----

T
T
Tobias Geerinckx-Rice wrote on 19 Nov 2021 17:03
87bl2gf7yi.fsf@nckx
Tobias Geerinckx-Rice via Bug reports for GNU Guix ???
Toggle quote (6 lines)
> * hydra/nginx/berlin.scm (%berlin-servers): Add a default
> port-80 server
> to redirect all requests to their HTTPS counterparts. Remove
> explicit
> HTTP support for guix.gnu.org and issues.guix.gnu.org.

Pushed as 4015696e45c2242a2e7221c4f43231db5581bda4.

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYZfK9Q0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15Y60BALTOium2cR3gUbDnQ5RdpcBWqI9+p+q5TIQeFx48
9BXvAQCgjPnoBjMMelhZNFdCKp89mdaL0kNQJoyJelc9fVxOBw==
=6f6q
-----END PGP SIGNATURE-----

?