Closed Bug 1238112 Opened 8 years ago Closed 8 years ago

TaskCluster hosts serving content over HTTP - switch to cloudfront

Categories

(Taskcluster :: General, defect)

Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: claudijd, Unassigned)

The following TaskCluster hosts are being served over HTTP. With something so new and awesome as TaskCluster, we'd like to model good practices and use HTTPS for all hosts. This will allow us to pay down the debt of having to convert these later when it's not as fresh when we make an effort to make all Mozilla content served over HTTPS.

Hosts serving content over HTTP:

http://docs.taskcluster.net/
http://references.taskcluster.net/
http://schemas.taskcluster.net/

docs is served by github, and references and schemas are both S3 buckets.

To my knowledge, there's no way to configure either of those things with a certificate.

This is really only problematic for docs, which contains in-browser runnable code and can be given taskcluster credentials.  Maybe it's time for docs to become a service?
Actually, that's not entirely fair -- we're depending on references and (to a lesser extent) schemas to provide reliable information about how service should interact.  MITM'ing that could potentially lead to a compromise.

We can't even fix these by using the amazon * cert:
  https://references.taskcluster.net.s3-us-west-2.amazonaws.com/
because the * doesn't cover additional dots.
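
The wildcard limitation described in the comment above, as an added example that is not part of the original bug thread: a simplified RFC 6125-style name matcher showing why a bucket name containing dots fails certificate validation on the virtual-hosted S3 endpoint. The SAN list is an assumed shape inferred from the URL in the comment, and `taskcluster-references` is a hypothetical dot-free bucket name used only for contrast.

```python
"""Wildcard certificate name matching (RFC 6125 section 6.4.3, simplified)."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate DNS name `pattern` covers `hostname`.

    Simplification: only a whole-label wildcard in the leftmost position
    ("*.example.com") is honoured; partial-label wildcards such as
    "f*.example.com" are rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # '*' stands for exactly one label, so the label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    if any(not label for label in h_labels):
        return False  # empty label, e.g. "a..b"

    first, rest = p_labels[0], p_labels[1:]
    if "*" in "".join(rest):
        return False  # wildcard is only valid in the leftmost label
    if first == "*":
        return rest == h_labels[1:]
    if "*" in first:
        return False  # partial-label wildcard
    return p_labels == h_labels


def covered_by(san_names, hostname):
    """Return the SAN entries covering `hostname` (empty list = name mismatch)."""
    return [name for name in san_names if wildcard_matches(name, hostname)]


# Constructed SAN list: assumed shape of the regional S3 certificate.
S3_SANS = ["*.s3-us-west-2.amazonaws.com", "s3-us-west-2.amazonaws.com"]

if __name__ == "__main__":
    # First bucket name is from the bug; the second is hypothetical.
    for bucket in ("references.taskcluster.net", "taskcluster-references"):
        host = f"{bucket}.s3-us-west-2.amazonaws.com"
        print(host, "->", covered_by(S3_SANS, host) or "NAME MISMATCH")
```
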
Looks like S3 buckets can serve content over HTTPS (https://docs.taskcluster.net/). Not sure whether you can configure the cert for S3 or GitHub.
We can route all of this through cloudfront where we already have the HTTPS certificate anyways.

We absolutely should do that. We already have such a setup for tools.taskcluster.net.
Summary: TaskCluster hosts serving content over HTTP → TaskCluster hosts serving content over HTTP - switch to cloudfront
After reading up on this and getting some guidance from my peers, sounds like the only way to do SSL/TLS custom domain support for either S3/GitHub would be to go through an intermediary, like CloudFront - S3 / CloudFlare - GitHub.  The other option would be to host the content ourselves.
bug 1091780: docs is now moved.
bug 1269740: schemas/references turned out to be hard!
bug 1270132: and it turns out that cloudfront doesn't really help, as we're still doing http on the backend
Depends on: 1091780, 1269740
I got those backward:

bug 1269740: docs is now moved.
bug 1091780: schemas/references turned out to be hard!
bug 1270132: and it turns out that cloudfront doesn't really help, as we're still doing http on the backend
These are now serving from https... it's just that we're using old URLs in production (but not in docs).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED