Closed Bug 1431892 Opened 7 years ago Closed 1 year ago

Redirect http://ftp.mozilla.org and http://releases.mozilla.org/ to HTTPS

Categories

(Cloud Services :: Operations: Product Delivery, task)

Product:
Cloud Services
Component:
Operations: Product Delivery
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: 08xjcec48, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID: 20180103231032 Steps to reproduce: http://ftp.mozilla.org/ should redirect to https://ftp.mozilla.org/
If you can't just redirect to https, please set up HSTS + a CSP with upgrade-insecure-requests.
Assignee: mitchell → nobody
Status: UNCONFIRMED → NEW
Component: Miscellaneous → Operations: Product Delivery
Ever confirmed: true
Product: mozilla.org → Cloud Services
QA Contact: oremj
See Also: → 1445702
Assignee: nobody → oremj
Depends on: 1444399
Assignee: oremj → nobody
See Also: 1445702
Severity: normal → --
Summary: Force https for https://ftp.mozilla.org → Redirect http://ftp.mozilla.org and http://releases.mozilla.org/ to HTTPS

Hey, Sylvestre. You closed Bug 1436695 4 years ago, but these two subdomains are still accessible over HTTP:

Flags: needinfo?(sledru)

(In reply to 08xjcec48 from comment #3)

Hey, Sylvestre. You closed Bug 1436695 4 years ago, but these two subdomains are still accessible over HTTP:

Interestingly, Firefox forces them to be https, but I can reproduce this with curl and telnet:

❯ telnet ftp.mozilla.org 80
Trying 34.117.35.28...
Connected to ftp.mozilla.org.
Escape character is '^]'.
GET /
HTTP/1.0 200 OK
Server: nginx
Date: Mon, 19 Jun 2023 13:31:36 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1238
ETag: fb935b2435681acec2d1a5731f8b1de2463df49e8deb02975bdbc80c5a20b3e4
Vary: Accept,Accept-Encoding
Expires: Mon, 19 Jun 2023 13:41:36 GMT
Cache-Control: max-age=600
Strict-Transport-Security: max-age=31536000
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Via: 1.1 google, 1.1 google

<!DOCTYPE html>
<html>
        <head>
                <meta charset="UTF-8">
                <title>Directory Listing: /</title>
        </head>
        <body>
                <h1>Index of /</h1>
                <table>
                        <tr>
                                <th>Type</th>
                                <th>Name</th>
                                <th>Size</th>
                                <th>Last Modified</th>
                        </tr>
                        
                        
                        <tr>
                                <td>Dir</td>
                                <td><a href="/pub/">pub/</a></td>
                                <td></td>
                                <td></td>
                        </tr>
                        
                        
                        
                        <tr>
                                <td>File</td>
                                <td><a href="/favicon.ico">favicon.ico</a></td>
                                <td>304</td>
                                <td>13-Feb-2023 04:21</td>
                        </tr>
                        
                        
                </table>
        </body>
</html>Connection closed by foreign host.

I'm asking our SRE folks about this.

Asked around about this - it looks like it's intentional.

Interestingly, Firefox forces them to be https

I believe that's because you've enabled HTTPS-Only Mode.

(In reply to 08xjcec48 from comment #6)

Interestingly, Firefox forces them to be https

I believe that's because you've enabled HTTPS-Only Mode.

Hah, of course. In any case - this behaviour is intentional for now, as evidence by the current behaviour and this bug still being open. The metabug being closed doesn't change that. Sorry for all the back and forth and confusion...

I think it is by design.
We don't want to break tools that are relying on HTTP and might break with redirection to HTTPS.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(sledru)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.