Bug 1116221 - HTTPS for www.bugzilla.org
Status: Closed, RESOLVED FIXED (opened 10 years ago, closed 10 years ago)
Categories: Infrastructure & Operations :: SSL Certificates (task)
Tracking: Not tracked
People: Reporter: sjw+bugzilla; Assigned: Atoll
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/103]
Attachments: 1 file
bugzilla.org should be moved to https. There is a lot of important information and there are download links that could be attacked.
Comment 1•10 years ago
Agreed, this would be a good idea. We're in the process of moving the site to a different set of servers at the moment (it will probably take a month or two) - not sure of the logistics on whether it'd be possible to do this before moving without having to redo the certificates after we move...
Comment 2•10 years ago
I agree, this seems like a reasonable idea. It's all done, but waiting on a bit of propagation. Should be visible within an hour. :)
Assignee: server-ops-webops → nmaul
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 3•10 years ago
Certificate is only valid for www. and lists., but not for 'bugzilla.org'.
planet.bugzilla.org is not reachable over https at all.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 4•10 years ago
bugzilla.org (without the www.) is hosted on the same server as lists.bugzilla.org, which is on a different server than www.bugzilla.org and has a separate cert which is only valid for lists.bugzilla.org. Probably the best fix here (best handled on bug 1116365) is to have the ajax calls on the consulting page hit lists.bugzilla.org instead of bugzilla.org (since that's the server it's on and the end user never sees it so the domain doesn't really matter), and then put bugzilla.org on the static-redirect plan (with an SSL cert). bugzilla.org winding up on the same server with lists.bugzilla.org happened before lists.bugzilla.org existed as a separate domain name, and that domain name got spun off because of the SSL cert for the list manager.
Comment 5•10 years ago
I should clarify... bugzilla.org being separate from www.bugzilla.org happened because of the cgi scripts for the vendor database and the list manager (because we couldn't put those in static cluster with the rest of the website when it moved there). Hindsight being 20/20 it was silly to do that and we should have made a separate domain name for that when it happened instead of co-opting bugzilla.org without the www, but what's done is done. :|
Comment 6•10 years ago
Jake: bug 1116365 is now fixed, here's what's left to finish this off correctly:
1) change http://www.bugzilla.org/ to include http://bugzilla.org/ as a virtual host and redirect both to https://www.bugzilla.org/
2) The SSL cert handling the redirect for https://bugzilla.org/ needs to support that domain (the current one on https://www.bugzilla.org/ does not)
3) DNS for bugzilla.org itself needs to be updated to point at the static web cluster (or wherever the redirect is being handled). NOTE: This needs to be an A record. You cannot CNAME this because there is an MX record which cannot coexist with a CNAME.
Comment 7•10 years ago
1a) https://bugzilla.org/ needs to redirect to https://www.bugzilla.org/, too.
Comment 8•10 years ago
Also, HSTS please (with the preload option)! :)
Comment 9•10 years ago
To make some clarifications from comment 6:
- All of the special-case stuff about bugzilla.org is GONE. You can now safely blanket-redirect everything on bugzilla.org to www.bugzilla.org
- www.bugzilla.org does not need to do anything special with cgi-bin - cgi-bin can 404 for all I care. All of the cgi-bin stuff moved to lists.bugzilla.org and all of the links point there.
Comment 10•10 years ago
(In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #6)
> Jake: bug 1116365 is now fixed, here's what's left to finish this off
> correctly:
>
> 1) change http://www.bugzilla.org/ to include http://bugzilla.org/ as a
> virtual host and redirect both to https://www.bugzilla.org/
(In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #9)
> To make some clarifications from comment 6:
>
> - All of the special-case stuff about bugzilla.org is GONE. You can now
> safely blanket-redirect everything on bugzilla.org to www.bugzilla.org
> - www.bugzilla.org does not need to do anything special with cgi-bin -
> cgi-bin can 404 for all I care. All of the cgi-bin stuff moved to
> lists.bugzilla.org and all of the links point there.
I talked with Dave for a while and we ended up with this replacement www.bugzilla.org.conf, that implements the above #1 and associated notes. It presumes that both www.bugzilla.org and bugzilla.org are serving an SSL certificate with CN+AltNames for those two domains.
I didn't know if this was the right time to use [R=301,L] or similar, so deferring to Jake for that.
Attachment #8572038 - Flags: review?(nmaul)
Comment 11•10 years ago
Jake affirms [R=301,L] and I have the replacement SAN certificate that includes bugzilla.org alongside www.bugzilla.org, so we can proceed with this.
Assignee: nmaul → rsoderberg
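An added example of the kind of httpd configuration that comments 6 through 11 describe; it is not the www.bugzilla.org.conf attached to this bug (which is not reproduced on this page). It implements steps 1, 1a and 2 from comments 6 and 7, uses the [R=301,L] flags affirmed in comment 11, and adds the HSTS header requested in comment 8. The certificate paths, DocumentRoot and HSTS max-age are assumptions; step 3 (the A record for bugzilla.org) is a DNS change and does not appear here.

```apache
# Added example, not the configuration attached to this bug.
# Apache 2.4; needs mod_rewrite, mod_ssl and mod_headers loaded.
# Certificate paths and DocumentRoot are placeholders (assumptions).

# Step 1: plain HTTP for both names goes to https://www.bugzilla.org/ in a
# single hop, which avoids the http://bugzilla.org -> http://www.bugzilla.org
# -> https://www.bugzilla.org double redirect observed in comment 13.
<VirtualHost *:80>
    ServerName www.bugzilla.org
    ServerAlias bugzilla.org
    RewriteEngine On
    # The request path is carried over in $1; mod_rewrite passes the
    # query string through unchanged unless the substitution contains one.
    RewriteRule ^/(.*)$ https://www.bugzilla.org/$1 [R=301,L]
</VirtualHost>

# Steps 1a and 2: https://bugzilla.org/ also redirects to the www host.
# The certificate served here must list bugzilla.org in its SAN extension;
# otherwise browsers reject the TLS handshake before any redirect is sent
# (the mismatch comment 13 found when DNS:bugzilla.org was still missing).
<VirtualHost *:443>
    ServerName bugzilla.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/bugzilla-org-san.crt
    SSLCertificateKeyFile /etc/ssl/private/bugzilla-org-san.key
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.bugzilla.org/$1 [R=301,L]
    # The HSTS preload list checks the base domain over HTTPS, so the
    # redirect-only vhost has to send the header as well.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>

# Canonical host: the only vhost that serves content.
<VirtualHost *:443>
    ServerName www.bugzilla.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/bugzilla-org-san.crt
    SSLCertificateKeyFile /etc/ssl/private/bugzilla-org-san.key
    DocumentRoot /var/www/www.bugzilla.org
    # Comment 8: HSTS with the preload option. "always" also attaches the
    # header to error responses, not only to 2xx responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Two caveats a practitioner would check before deploying this: `includeSubDomains` together with `preload` commits every subdomain to HTTPS, and comment 3 notes that planet.bugzilla.org was not reachable over https at all at the time, so that host would break for preloaded clients until it gets a certificate; and the redirects should be verified with `curl -I` against each of the four origins (http and https, with and without www) exactly as comment 14 does, since a cache in front of the web heads can keep serving an old 200 after the config is correct.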
Comment 12•10 years ago
FWIW, mailman4 (which hosted bugzilla.org without the www) is now gone, so that domain name is no longer functional until this bug is fixed.
Comment 13•10 years ago
```
dave@Dave-Millers-MacBook-Pro:~ $ telnet 63.245.217.20 80
Trying 63.245.217.20...
Connected to static.zlb.phx.mozilla.net.
Escape character is '^]'.
GET / HTTP/1.1
Host: bugzilla.org

HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: pp-web04
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 25 Mar 2015 21:58:53 GMT
Location: http://www.bugzilla.org/
X-Cache-Info: not cacheable; response is 302 without expiry time
Content-Length: 208
```
Looks like the webserver is already configured for the redirect (although it's an unnecessary double-redirect since www.bugzilla.org then redirects to the https version).
I changed the bugzilla.org DNS to point at the static cluster.
```
X509v3 Subject Alternative Name:
DNS:static-san.mozilla.org, DNS:addons.mozilla.com, DNS:autoconfig-live.mozillamessaging.com, DNS:autoconfig.thunderbird.net, DNS:broker-live.mozillamessaging.com, DNS:live.mozillamessaging.com, DNS:live.thunderbird.net, DNS:nightly.mozilla.org, DNS:getfirefox.com, DNS:www.getfirefox.com, DNS:opensearch-live.mozillamessaging.com, DNS:dnt.mozilla.org, DNS:support.live.mozillamessaging.com, DNS:firefox.com, DNS:www.firefox.com, DNS:gaming.mozillalabs.com, DNS:apps.mozillalabs.com, DNS:webmaker.mozillalabs.com, DNS:support.mozillamessaging.com, DNS:heatmap.mozillalabs.com, DNS:videos-cdn.mozilla.net, DNS:videos.mozilla.org, DNS:planet.mozilla.org, DNS:publicsuffix.org, DNS:www.publicsuffix.org, DNS:static.mozilla.com, DNS:mozilla.com, DNS:www.mozilla.com, DNS:activations.mozilla.com, DNS:activations.mozilla.org, DNS:firefoxflicks.com, DNS:www.firefoxflicks.com, DNS:aurora.mozilla.org, DNS:beta.mozilla.org, DNS:pontoon.mozillalabs.com, DNS:sso.mozilla.com, DNS:openstandard.tv, DNS:openstandard.org, DNS:openstandard.com, DNS:theopenstandard.org, DNS:theopenstandard.net, DNS:www.openstandard.tv, DNS:www.openstandard.org, DNS:www.openstandard.com, DNS:www.theopenstandard.org, DNS:www.theopenstandard.net, DNS:contribute.mozilla.org, DNS:gameon.mozilla.org, DNS:www.bugzilla.org, DNS:crash-stats.mozilla.org, DNS:shapeoftheweb.mozilla.org, DNS:shapeoftheweb.com, DNS:shapeoftheweb.org
```
I don't see DNS:bugzilla.org in there yet, which means the certificate hostname will still mismatch, but that's the same shape we were in before.
Comment 14•10 years ago
I uploaded the most recent static-san.m.o cert into the PHX1 Zeus and updated the static cluster to use it, which fixed the SSL issue.
I updated the httpd config and the expected redirects are now in place:
```
$ curl -I http://bugzilla.org/foo
$ curl -I http://www.bugzilla.org/foo
$ curl -I https://bugzilla.org/foo
302 Found
Location: https://www.bugzilla.org/foo
```
However, this redirect is not working from my home computer:
```
$ curl -I http://www.bugzilla.org/foo
200 OK
```
But it works from the pp-web heads:
```
$ curl -sIH 'Host: www.bugzilla.org' http://localhost:80/ | grep ^Location
302 Found
Location: https://www.bugzilla.org/
```
And that turns out to be caching-related:
```
$ curl -I http://www.bugzilla.org/
X-Cache-Info: cached
```
I cleared the cache for the root page and for favicon.ico, and verified that they now redirect correctly, and then cleared the remaining cached entries for HTTP www.bugzilla.org (but not HTTPS).
:justdave, you should be all set to go here. Let me know if any issues crop up.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Attachment #8572038 - Flags: review?(nmaul) → review+