The code behind http://www.bugzilla.org/ uses Template Toolkit, which means that we have to host it ourselves. The build system for including the docs in the website also requires various older Perls and so on which has proved historically troublesome. We've been meaning to move to something newer for a while, and Wordpress was mooted, but in recent Bugzilla meetings we proposed moving to Github Pages and Jekyll. I've now done that conversion, and the results can be seen here:

https://bugzilla.github.io/
(Source: https://github.com/bugzilla/bugzilla.github.io/)

After a bit of testing, we need to switch over to using this as the master copy. This bug tracks that work.

If we didn't need HTTPS support, we could simply use Github Pages' built-in support for CNAME:

https://help.github.com/articles/using-a-custom-domain-with-github-pages/

However, that doesn't support SSL, which we need for bugzilla.org. Fortunately, Cloudflare can be used to front the site to provide SSL:

https://blog.cloudflare.com/secure-and-fast-github-pages-with-cloudflare/
https://hackernoon.com/set-up-ssl-on-github-pages-with-custom-domains-for-free-a576bdf51bc

But that means letting Cloudflare run our DNS, which may have other ramifications because we have other servers as well.

Gerv
justdave: can you comment on how difficult or easy it would be to switch our DNS to Cloudflare so we can use this solution? Gerv
DNS can be delegated on a hostname by hostname basis. The parent zone just needs an NS record for the hostname in question which points at Cloudflare's servers. This would easily be doable.
justdave: is that true even if we want https://bugzilla.org/ to work? Gerv
No. However, https://bugzilla.org redirects to https://www.bugzilla.org, and we could certainly leave bugzilla.org where it is with the redirect intact, and just give Cloudflare www.bugzilla.org.
If I'm right, doesn't that mean we'd need to keep maintaining a webserver and our own certificate, just to do the simple thing of serving a single redirect :-( That seems sad. Is there a way we can get cloudflare to do the DNS for the entire domain, and so avoid this? Or does that cause other problems? Gerv
The redirect is on Mozilla's webserver and not ours, and they've never given any kind of indication that they want to stop hosting that, so that should be fine to leave there.
OK, great! That's good news.

I've added a CNAME file to the bugzilla.github.io repo, set up a Cloudflare account (username: firstname.lastname@example.org) and added bugzilla.org. (It didn't seem possible in their interface to only add www.bugzilla.org so I added the whole domain, and it copied all the other DNS records). I only turned Cloudflare on for www.bugzilla.org.

The nameservers Cloudflare want us to use are:

ivy.ns.cloudflare.com
jay.ns.cloudflare.com

So if we switch to using those, that should do the switchover!

The instructions say:

"It may take up to 24 hours after successfully changing name servers for a new SSL certificate pack to be issued for your site. If you need valid SSL certificates in place before sending traffic through Cloudflare, pause Cloudflare for your site by clicking on Advanced to the right and resume when your certificate pack has been issued."

So we need to switch the nameservers, but then pause Cloudflare. So that involves a coordination between me and the person switching. Unless we are happy with a little bit of SSL downtime (they say 24 hours, but I bet they are a lot faster than that normally).

Gerv
OK, I've got access to make that change on our end, find me on IRC or Slack when you're ready to do it.
I'm assuming there's going to be a confirmation to hostmaster sent to confirm creation of the SSL certificate. I also still get that email address, so we're set on that end, too.
Probably they'll use DNS-based validation for the SSL cert, so there won't be an email to hostmaster@. Gerv
DNS has been updated to point www.bugzilla.org at Cloudflare's nameservers. bugzilla.org continues to point at Mozilla (which will do a redirect).
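The per-hostname delegation discussed in this bug, as an added example that is not part of the original comments: it finds which NS set answers for a name and flags parent-zone records that a delegation leaves occluded. The zone data is constructed; only the two Cloudflare nameserver names come from the thread, while the addresses, `ns1.parent.example.` and `other.bugzilla.org.` are placeholders.

```python
# Constructed parent-zone data: the addresses, ns1.parent.example. and
# other.bugzilla.org. are placeholders, not bugzilla.org's real records.
APEX = "bugzilla.org."
PARENT_ZONE = [
    ("bugzilla.org.", "NS", "ns1.parent.example."),
    ("bugzilla.org.", "A", "192.0.2.10"),
    ("www.bugzilla.org.", "NS", "ivy.ns.cloudflare.com."),
    ("www.bugzilla.org.", "NS", "jay.ns.cloudflare.com."),
    ("www.bugzilla.org.", "A", "192.0.2.20"),  # left over from before the delegation
    ("other.bugzilla.org.", "A", "192.0.2.30"),
]

def labels(name):
    return name.lower().rstrip(".").split(".")

def at_or_below(name, owner):
    n, o = labels(name), labels(owner)
    return n[-len(o):] == o

def zone_cuts(records, apex):
    """Owner names below the apex that carry NS records (delegation points)."""
    return {o.lower() for o, t, _ in records if t == "NS" and o.lower() != apex}

def authoritative_ns(qname, records, apex):
    """Deepest enclosing NS set for qname: (zone cut, sorted nameservers)."""
    enclosing = [c for c in zone_cuts(records, apex) | {apex} if at_or_below(qname, c)]
    cut = max(enclosing, key=lambda c: len(labels(c)))
    return cut, sorted(v for o, t, v in records if t == "NS" and o.lower() == cut)

def occluded(records, apex):
    """Parent-zone records that stop being served once a name is delegated."""
    cuts = zone_cuts(records, apex)
    glue = {v.lower() for o, t, v in records if t == "NS" and o.lower() in cuts}
    hidden = []
    for o, t, v in records:
        for c in cuts:
            if not at_or_below(o, c):
                continue
            if o.lower() == c and t in ("NS", "DS"):
                continue  # the delegation itself
            if t in ("A", "AAAA") and o.lower() in glue:
                continue  # glue for an in-zone nameserver
            hidden.append((o, t, v))
            break
    return hidden

if __name__ == "__main__":
    for q in ("www.bugzilla.org.", "bugzilla.org.", "other.bugzilla.org."):
        print(q, "->", authoritative_ns(q, PARENT_ZONE, APEX))
    print("occluded:", occluded(PARENT_ZONE, APEX))
```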
FYI I get a "Secure Connection Failed" error in Firefox trying to load www.bugzilla.org:

An error occurred during a connection to www.bugzilla.org. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I've backed out the DNS change until Gerv is ready to try the rescan again in Cloudflare.
mcote: yeah, I got something like that when setting Cloudflare's nameservers directly as my nameserver on my machine. Not sure why that is, and Firefox is a little unhelpful in saying what cyphers were offered. I'll try and coordinate with Dave again. Gerv
I've emailed justdave all he needs to make this change solo. Gerv
Depends on: 1438282
This is now live!!! Woot!
Assignee: website → justdave
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED