Enhancement #572

HTTPS for All

Added by Marc Dequènes about 1 year ago. Updated 2 months ago.

Status: Resolved
Priority: High
Category: Service :: Web
Start date: 2017-06-25
Due date:
% Done: 100%
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security: Yes
Help Needed:

Description

For security reasons (some sites may have auth, like user-managed sites), and privacy reasons, all websites should have a redirect to HTTPS. We should also activate HSTS (but this would be handled in #571).

These sites do not have TLS at all:

./andesi/dpt.andesi.org
./andesi/guide.andesi.org
./arnau/photos.mini-dweeb.org
./arnau/wotomae.debian.net
./arnau/www.mini-dweeb.org
./clawfire/www.clawfire.net
./damien/alt.oxmoz.eu
./damien/debian.fensalir.fr
./damien/dleone.fensalir.fr
./damien/www.aldaaron.fr
./damien/www.fensalir.fr
./duck/cdbs-doc.duckcorp.org
./duckcorp/ca.duckcorp.org
./duckcorp/coin-diff.duckcorp.org
./duckcorp/dico.duckcorp.org
./duckcorp/doc.duckcorp.org
./duckcorp/photos-ng.duckcorp.org
./duckcorp/smokeping.duckcorp.org
./duck/jdr.duckcorp.org
./finger/mushdoom.lespotos.com
./finger/pyro.lespotos.com
./finger/www.clan-hnk.com
./finger/www.lespotos.com
./georgesleyeti/albums.georgesleyeti.fr
./georgesleyeti/www.georgesleyeti.fr
./georgesleyeti/www.xn--mah-dma.net
./gorou/forum.tetramorphe.org
./gorou/wiki.tetramorphe.org
./guihome/2heurespourtuer.ath.cx
./guihome/archives-clap.guihome.net
./guihome/archives.guihome.net
./guihome/photos.guihome.net
./guihome/video.guihome.net
./guihome/webcam.guihome.net
./guihome/www.collectioneuro.eu
./happypeng/live.happypeng.org
./happypeng/midtalk.happypeng.org
./happypeng/nihon.happypeng.org
./hurdfr/perso.hurdfr.org
./hurdfr/wiki.hurdfr.org
./hurdfr/www.hurdfr.org
./laura/www.laurafontaine.fr
./milkypond/tribioune.milkypond.org
./pikachu/photos.audrey-et-arnaud.org
./pikachu/www.audrey-et-arnaud.org
./valfor/mariage-cecile-yann.duckcorp.org
./xaiki/www.evilgiggle.com

Some may not be activated but these are the most affected.

Also, some sites may support TLS but not redirect to it, and we should spot them too.

We could also make the config more similar. I was thinking about using the httpd OSAS role but important changes are not merged and several others would be needed. We could at the moment borrow these lines to replace the RedirectMatch:

RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}

It seems it would be treated as an external redirect automagically but using a temporary redirect. So maybe adding [R=permanent] flag would be better. I did not test it yet.
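
An added example, not part of the original ticket or DuckCorp's tooling: a small auditor that sorts Apache site configs into the cases the description distinguishes (no TLS at all, TLS without a redirect, a redirect left at the default temporary status, and a permanent redirect). The verdict names, the `vhost` helper and the sample hosts are assumptions constructed for illustration.

```python
import re

VHOST = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)
# Any redirect directive whose target is an https:// URL.
REDIR = re.compile(r"^[ \t]*(RewriteRule|RedirectMatch|RedirectPermanent|Redirect)\b"
                   r".*https://.*$", re.M | re.I)
# Explicit permanent status: "Redirect permanent", "[R=301]", "[R=permanent]", ...
PERM = re.compile(r"\b(301|308|permanent)\b", re.I)

def audit(conf):
    """Classify one site config: no-tls, tls-no-redirect, temporary-redirect or ok."""
    conf = re.sub(r"(?m)^[ \t]*#.*$", "", conf)          # drop comment lines
    plain, has_tls = [], False
    for addr, body in VHOST.findall(conf):
        if ":443" in addr or re.search(r"^[ \t]*SSLEngine\s+on\b", body, re.M | re.I):
            has_tls = True
        else:
            plain.append(body)
    if not has_tls:
        return "no-tls"
    verdict = "ok"
    for body in plain:                                    # every HTTP vhost must redirect
        m = REDIR.search(body)
        if m is None:
            return "tls-no-redirect"
        if m.group(1).lower() != "redirectpermanent" and not PERM.search(m.group(0)):
            verdict = "temporary-redirect"                # Redirect/RewriteRule default: 302
    return verdict

def vhost(port, *lines):
    """Build a constructed <VirtualHost> block for the samples below."""
    return "<VirtualHost *:%d>\n%s\n</VirtualHost>\n" % (port, "\n".join(lines))

# Constructed sample configs (hypothetical hosts, not DuckCorp's real files).
TLS = vhost(443, "SSLEngine on")
RULE = "RewriteCond %{HTTPS} off\nRewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}"
SAMPLES = {
    "a.example.org": vhost(80, "DocumentRoot /srv/a"),
    "b.example.org": vhost(80, "DocumentRoot /srv/b") + TLS,
    "c.example.org": vhost(80, "RewriteEngine On", RULE) + TLS,
    "d.example.org": vhost(80, "RewriteEngine On", RULE + " [R=permanent]") + TLS,
}

def audit_all(samples):
    return {name: audit(conf) for name, conf in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{verdict:20} {name}")
```

The permanent-status check is a plain word match on the directive line, so a target URL that itself contains `301` or `permanent` as a word would be misread as permanent.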


Related issues

Related to DuckCorp Infrastructure - Enhancement #571: Secure HTTP settings Resolved 2017-06-25
Related to DuckCorp Infrastructure - Enhancement #599: Use letsencrypt for public-facing websites… maybe more Resolved 2017-09-26

History

#1 Updated by Marc Dequènes about 1 year ago

  • Category set to Service :: Web
  • Assignee set to DC Admins
  • Priority changed from Normal to High
  • Security set to Yes

#2 Updated by Marc Dequènes about 1 year ago

#3 Updated by Marc Dequènes 11 months ago

  • Assignee deleted (DC Admins)

#4 Updated by Marc Dequènes 11 months ago

  • Related to Enhancement #599: Use letsencrypt for public-facing websites… maybe more added

#5 Updated by Marc Dequènes 11 months ago

  • Status changed from New to In Progress
  • Assignee set to Marc Dequènes

dico.duckcorp.org lacked HTTPS, so it is done with Let's Encrypt now.

#6 Updated by Marc Dequènes 11 months ago

New list after cleanup (#568):

sites-available/milkypond/tribioune.milkypond.org
sites-available/duck/jdr.duckcorp.org
sites-available/duck/cdbs-doc.duckcorp.org
sites-available/georgesleyeti/www.xn--mah-dma.net
sites-available/georgesleyeti/albums.georgesleyeti.fr
sites-available/georgesleyeti/www.georgesleyeti.fr
sites-available/happypeng/nihon.happypeng.org
sites-available/happypeng/midtalk.happypeng.org
sites-available/duckcorp/ca.duckcorp.org
sites-available/duckcorp/smokeping.duckcorp.org
sites-available/duckcorp/photos-ng.duckcorp.org
sites-available/duckcorp/doc.duckcorp.org
sites-available/arnau/www.mini-dweeb.org
sites-available/guihome/www.collectioneuro.eu
sites-available/guihome/webcam.guihome.net
sites-available/guihome/2heurespourtuer.ath.cx
sites-available/guihome/video.guihome.net
sites-available/guihome/photos.guihome.net
sites-available/guihome/archives-clap.guihome.net
sites-available/guihome/archives.guihome.net
sites-available/laura/www.laurafontaine.fr

#7 Updated by Marc Dequènes 3 months ago

  • % Done changed from 0 to 90

New list after several sites were fixed:

  • on Toushirou:
    0_duckcorp/doc.duckcorp.org
    guihome/www.collectioneuro.eu
    guihome/2heurespourtuer.ath.cx
    laura/www.laurafontaine.fr   (to be removed soon)

  • on Orfeo:
    0_duckcorp/ntp.duckcorp.org

#8 Updated by Marc Dequènes 3 months ago

On Thorfinn, `static.perso.duckcorp.org` is missing the redirect.

#9 Updated by Marc Dequènes 3 months ago

Remains:
  • doc.duckcorp.org
  • static.perso.duckcorp.org

#10 Updated by Marc Dequènes 2 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100
