GNU bug report logs - #37348
Force https redirect missing from ci, workflow and workflows guix.info sub-domains


Package: guix;

Reported by: "Collin J. Doering" <collin <at> rekahsoft.ca>

Date: Mon, 9 Sep 2019 02:50:02 UTC

Severity: normal

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#37348; Package guix. (Mon, 09 Sep 2019 02:50:02 GMT)

Acknowledgement sent to "Collin J. Doering" <collin <at> rekahsoft.ca>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 09 Sep 2019 02:50:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: "Collin J. Doering" <collin <at> rekahsoft.ca>
To: bug-guix <at> gnu.org
Subject: Force https redirect missing from ci,
 workflow and workflows guix.info sub-domains
Date: Sun, 08 Sep 2019 22:16:17 -0400
Hi all,

Not sure where the best place to report this is; however, today I noticed
that ci.guix.info, workflow.guix.info and workflows.guix.info do not
redirect http to https, though it's also served over https.

Kind regards,
-- 
Collin J. Doering

http://rekahsoft.ca
http://blog.rekahsoft.ca
http://git.rekahsoft.ca

Information forwarded to bug-guix <at> gnu.org:
bug#37348; Package guix. (Mon, 09 Sep 2019 06:48:02 GMT)

Message #8 received at 37348 <at> debbugs.gnu.org:

From: Christopher Baines <mail <at> cbaines.net>
To: 37348 <at> debbugs.gnu.org
Subject: Re: bug#37348: Force https redirect missing from ci,
 workflow and workflows guix.info sub-domains
Date: Mon, 09 Sep 2019 07:47:44 +0100
Collin J. Doering <collin <at> rekahsoft.ca> writes:

> Not sure where the best place to report this is; however, today I noticed
> that ci.guix.info, workflow.guix.info and workflows.guix.info do not
> redirect http to https, though it's also served over https.

I'm unsure if this is intentional, or something to change.

There are security advantages to forcing all users to use HTTPS, with
the disadvantage that some of those users might not want to use
HTTPS. I'm not sure whether the need for security on those domains is
high enough to justify not supporting plain HTTP...

Information forwarded to bug-guix <at> gnu.org:
bug#37348; Package guix. (Tue, 02 Nov 2021 16:10:02 GMT)

Message #11 received at 37348 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 37348 <at> debbugs.gnu.org
Subject: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
Date: Tue,  2 Nov 2021 17:09:50 +0100
* hydra/nginx/berlin.scm (%berlin-servers): Add a default port-80 server
to redirect all requests to their HTTPS counterparts.  Remove explicit
HTTP support for guix.gnu.org and issues.guix.gnu.org.
---

All,

Like Chris I'm not convinced there was anything ‘missing’, but this is a
practice whose time has come and come again and left several voice mails
at this point.

People are going to keep asking for it.  The old ‘user choice’ argument
always rang hollow to me.  Shall we just do this?

This is a conservative patch: it only redirects guix.gnu.org and
issues.guix.gnu.org, the most (potential-)user-facing sites, to HTTPS.

CI should probably remain reachable over HTTP indefinitely.

Subprojects like GWL, friends like Bootstrappable, and anything else
retain ‘user choice’, until they opt in.

Kind regards,

T G-R

 hydra/nginx/berlin.scm | 42 +++++++-----------------------------------
 1 file changed, 7 insertions(+), 35 deletions(-)

diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 4713d7b..38854e3 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -797,31 +797,37 @@ PUBLISH-URL."
     (body (list "try_files $uri /$lang/$uri /$lang/$uri/index.html =404;")))
 
    (nginx-location-configuration                  ;certbot
     (uri "/.well-known")
     (body (list "root /var/www;")))))
 
 (define guix.gnu.org-locations
   (append guix.gnu.org-redirect-locations
           (guix.gnu.org-redirects-for-each-language)
           guix.gnu.org-other-locations))
 
 (define %publish-url "http://localhost:3000")
 
 (define %berlin-servers
   (list
-   ;; Plain HTTP
+   ;; Redirect domains that don't explicitly support HTTP (below) to HTTPS.
+   (nginx-server-configuration
+    (listen '("80"))
+    (raw-content
+     (list "return 308 https://$host$request_uri;")))
+
+   ;; Domains that still explicitly support plain HTTP.
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("ci.guix.gnu.org"))
     (locations (berlin-locations %publish-url))
     (raw-content
      (list
       "access_log  /var/log/nginx/http.access.log;"
       "proxy_set_header X-Forwarded-Host $host;"
       "proxy_set_header X-Forwarded-Port $server_port;"
       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("bootstrappable.org"
                    "www.bootstrappable.org"))
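Review bot: the new catch-all block at the top of `%berlin-servers` is nginx's default for port 80 only because it is the first `(listen '("80"))` server in the list; spelling that out with `(listen '("80 default_server"))` keeps the redirect in place if another block is later inserted above it. Also, `return 308 https://$host$request_uri;` builds the Location from `$host`, and since this server has no `server-name`, `$host` is empty for a request that carries no Host header, yielding `https:///...`; consider returning 400 when `$host` is empty. Using 308 rather than 301 is the right choice here, since it preserves the request method for non-GET clients.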
@@ -829,64 +835,30 @@ PUBLISH-URL."
     (raw-content
      (list
       "access_log /var/log/nginx/bootstrappable.access.log;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("disarchive.guix.gnu.org"))
     (root "/gnu/disarchive")
     (raw-content
      ;; Tell nginx to always read 'FILE.gz' when asked for 'FILE', and to
      ;; gunzip it on the fly (because the client for this typically doesn't
      ;; properly support gzip encoding).
      (list "gzip_static always; gunzip on;\n"
            "access_log /var/log/nginx/disarchive.access.log;")))
 
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("guix.gnu.org"))
-    (root "/srv/guix.gnu.org")
-    (locations guix.gnu.org-locations)
-    (raw-content
-     (list
-      "add_header Content-Security-Policy \"frame-ancestors 'none'\";"
-
-      ;; TODO This works around NGinx using the epoch for the
-      ;; Last-Modified date, as well as the etag.
-      ;; See http://issues.guix.gnu.org/37207
-      "add_header Last-Modified \"\";"
-      "if_modified_since off;"
-      "etag off;"
-
-      "rewrite (.*)/$ $1/index.html;"
-      "access_log /var/log/nginx/guix-info.access.log;")))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("issues.guix.gnu.org"))
-    (root "/home/rekado/mumi/")
-    (locations
-     (list (nginx-location-configuration ;certbot
-            (uri "/.well-known")
-            (body (list "root /var/www;")))
-           (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:1234;")))))
-    (raw-content
-     (list
-      "access_log /var/log/nginx/issues-guix-info.access.log;")))
-
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("guixwl.org"
                    "www.guixwl.org"))
     (root "/home/rekado/gwl/")
     (locations
      (list (nginx-location-configuration ;certbot
             (uri "/.well-known")
             (body (list "root /var/www;")))
 
            (nginx-location-configuration
             (uri "/manual")
             (body (list "alias /srv/gwl-manual;")))
 
            ;; Pass requests to 'guix workflow --web-interface'.
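Review bot: the removed issues.guix.gnu.org server was the one exposing the certbot `/.well-known` location (`root /var/www;`) on port 80; after this hunk an ACME HTTP-01 probe for that host receives the new 308 instead, so the port-443 server for issues.guix.gnu.org must serve the same location or certificate renewals will fail. The removed guix.gnu.org block also carried `add_header Content-Security-Policy \"frame-ancestors 'none'\";` and the `Last-Modified`/`etag off` workaround for issue 37207; the commit message should state that these remain in the HTTPS server (or move them to a shared location list) so the deletion is not read as dropping them.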

base-commit: 9782bc16ef4384171c7b7381ad27a4b9ba60ca61
-- 
2.33.0





Information forwarded to bug-guix <at> gnu.org:
bug#37348; Package guix. (Wed, 03 Nov 2021 01:14:02 GMT)

Message #14 received at submit <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 37348 <at> debbugs.gnu.org, bug-guix <at> gnu.org
Subject: Re: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by
 default.
Date: Wed, 03 Nov 2021 02:06:31 +0100
Damn,

Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:
> This is a conservative patch: it only redirects guix.gnu.org and
> issues.guix.gnu.org, the most (potential-)user-facing sites, to HTTPS.
>
> CI should probably remain reachable over HTTP indefinitely.
>
> Subprojects like GWL, friends like Bootstrappable, and anything else
> retain ‘user choice’, until they opt in.

The current situation is actually more horked than that:

 ~ λ curl -LI https://gnu.org
 HTTP/1.1 301 Moved Permanently
 […]
 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

This is a great security policy!  It also announces to the modern world that *all* HTTP connections to *any* subdomain of gnu.org should be silently upgraded to HTTPS.

If your UA honours this header and has ever visited gnu.org, visiting http://ci.guix.gnu.org should not be possible.  It will immediately upgrade to HTTPS.  Certificate errors can no longer be bypassed.  guix.gnu.org cannot relax this policy.

Now, for some reason, current Firefox doesn't seem to do any of this (compatibility?) but it may only be a matter of time.

Kind regards,

T G-R


Information forwarded to bug-guix <at> gnu.org:
bug#37348; Package guix. (Wed, 03 Nov 2021 01:21:01 GMT)

Message #20 received at 37348 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 37348 <at> debbugs.gnu.org, bug-guix <at> gnu.org
Subject: Re: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by
 default.
Date: Wed, 03 Nov 2021 02:18:11 +0100
> Now, for some reason, current Firefox doesn't seem to do any of this
> (compatibility?) but it may only be a matter of time.

Probably due to gnu.org wonkiness:

 ~ λ curl -LI https://www.gnu.org
 […]
 Strict-Transport-Security: max-age=63072000

I.e., missing includeSubDomains, and (at least my) browser's apparent urge to connect to www.gnu.org even when I type https://gnu.org.

We can't keep relying on this, though.

Kind regards,

T G-R
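The superdomain rule Tobias is relying on in the two messages above, as a Python example added here (not code from the Guix infrastructure or from this thread): it parses the two Strict-Transport-Security values quoted from the curl output and decides, per RFC 6797, whether a UA that has cached them would upgrade an http:// request to a given host. It assumes a UA that honours HSTS; the header values are a constructed sample copied from those curl calls.

```python
import re

# Constructed sample: the two HSTS headers shown by the curl calls in this
# thread, keyed by the host that sent them.
OBSERVED_HEADERS = {
    "gnu.org": "max-age=63072000; includeSubDomains; preload",
    "www.gnu.org": "max-age=63072000",
}

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the UA must ignore it."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if match is None or max_age is not None:  # malformed or repeated
                return None
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_sub = True
        # Other directives (e.g. "preload") carry no meaning for the UA itself.
    return None if max_age is None else (max_age, include_sub)

def build_policy_store(headers):
    """Build {host: include_subdomains} as a UA would after visiting each host."""
    store = {}
    for host, value in headers.items():
        parsed = parse_hsts(value)
        if parsed is None:
            continue
        max_age, include_sub = parsed
        if max_age == 0:
            store.pop(host, None)  # max-age=0 deletes any cached policy
        else:
            store[host] = include_sub
    return store

def must_upgrade(store, host):
    """True if an http:// request to host is upgraded (RFC 6797 section 8.3)."""
    host = host.lower().rstrip(".")
    if host in store:
        return True  # exact "known HSTS host" match
    labels = host.split(".")
    for i in range(1, len(labels)):
        if store.get(".".join(labels[i:])):  # superdomain with includeSubDomains
            return True
    return False
```

With only the www.gnu.org policy cached (no includeSubDomains), ci.guix.gnu.org is not upgraded, which matches the Firefox behaviour observed above.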

Information forwarded to bug-guix <at> gnu.org:
bug#37348; Package guix. (Wed, 03 Nov 2021 01:22:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#37348; Package guix. (Fri, 19 Nov 2021 16:04:01 GMT)

Message #26 received at submit <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 37348-done <at> debbugs.gnu.org, bug-guix <at> gnu.org
Subject: Re: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by
 default.
Date: Fri, 19 Nov 2021 17:03:24 +0100
Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:
> * hydra/nginx/berlin.scm (%berlin-servers): Add a default port-80 server
> to redirect all requests to their HTTPS counterparts.  Remove explicit
> HTTP support for guix.gnu.org and issues.guix.gnu.org.

Pushed as 4015696e45c2242a2e7221c4f43231db5581bda4.

Kind regards,

T G-R

Reply sent to Tobias Geerinckx-Rice <me <at> tobias.gr>:
You have taken responsibility. (Fri, 19 Nov 2021 16:04:02 GMT)

Notification sent to "Collin J. Doering" <collin <at> rekahsoft.ca>:
bug acknowledged by developer. (Fri, 19 Nov 2021 16:04:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 18 Dec 2021 12:24:06 GMT)

This bug report was last modified 2 years and 91 days ago.
