Bug 1482947: Cloudflare: Please always redirect HTTP to HTTPS, enable HSTS + Preloading
Status: Closed (VERIFIED FIXED). Opened 6 years ago, closed 6 years ago.
Categories: Infrastructure & Operations :: SSL Certificates, task
Tracking: Not tracked
People: Reporter: jan, Unassigned
Details: Keywords: nightly-community, Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/19/6936]
Attachments: 2 files
https://www.hardenize.com/report/servo.org/1534180004#www_https
Problem:
1. https://www.servo.org/ redirects to http://servo.org/.
2. On Reddit, someone posted a link to HTTP://download.servo.org/nightly/android/servo-latest.apk.
Servo's download URL can only be protected with HSTS Preloading (enforcing HTTPS with no excuse). That means adding servo.org to https://hstspreload.org/, so that it is included in every browser's source code.
Solution:
Please log in to Cloudflare and go to the Crypto page:
* Set "Always use HTTPS" to "on".
* Activate HSTS: On, 12 months, includeSubDomains, Preload, No sniff
* Minimum TLS version: TLS 1.2
Firefox supports TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256 since 2014 (Firefox 27, bug 861266 + bug 937789).
Thank you <3
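The two properties the report asks for (no hop in the redirect chain falls back to plain HTTP, and the HSTS header meets the hstspreload.org submission rules: max-age of at least one year, includeSubDomains, preload, and a first HTTP hop that redirects to HTTPS on the same host) can be checked offline against captured responses. The following is an added example, not code from the bug, from Servo, or from Cloudflare or Hardenize; the `Hop` records and both redirect chains are constructed to mirror the behaviour described in this bug, not live scan data.

```python
"""Offline checker for a redirect chain and its HSTS header."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires max-age >= 1 year (Cloudflare's "12 months")
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Hop:
    """One captured response in a redirect chain (constructed sample data)."""
    url: str
    status: int
    location: Optional[str] = None  # Location header of a redirect response
    hsts: Optional[str] = None      # Strict-Transport-Security header, if sent


def parse_hsts(header: str) -> Dict[str, str]:
    """Split an HSTS value into lower-cased directive names and their values."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_problems(header: Optional[str]) -> List[str]:
    """Reasons the header would fail the preload requirements (empty list = OK)."""
    if header is None:
        return ["no Strict-Transport-Security header on the final HTTPS response"]
    d = parse_hsts(header)
    problems = []
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        problems.append("max-age is missing or not an integer")
    else:
        if max_age < ONE_YEAR:
            problems.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def chain_problems(hops: List[Hop], final_host: str) -> List[str]:
    """Flag downgrade hops and preload-incompatible steps in a redirect chain.

    A plain-HTTP first hop must redirect to https on the same host; no later
    hop may be http; each redirect's Location must match the next hop; the
    chain must end with a 200 on https://final_host carrying a good HSTS header.
    """
    problems = []
    for i, hop in enumerate(hops):
        parts = urlsplit(hop.url)
        is_redirect = hop.status in REDIRECT_CODES
        if i > 0 and parts.scheme != "https":
            problems.append(f"hop {i} downgrades to {hop.url}")
        if is_redirect and not hop.location:
            problems.append(f"hop {i} ({hop.status}) has no Location header")
            continue
        if is_redirect:
            target = urlsplit(hop.location)
            if i == 0 and parts.scheme == "http" and (
                target.scheme != "https" or target.hostname != parts.hostname
            ):
                problems.append(f"first hop must redirect to https on {parts.hostname}, not {hop.location}")
            if i + 1 == len(hops):
                problems.append(f"chain ends in a redirect to {hop.location}")
            elif hops[i + 1].url != hop.location:
                problems.append(f"hop {i} Location {hop.location} does not match next hop {hops[i + 1].url}")
    last = hops[-1]
    end = urlsplit(last.url)
    if last.status != 200 or end.scheme != "https" or end.hostname != final_host:
        problems.append(f"chain ends at {last.status} {last.url}, expected 200 at https://{final_host}/")
    else:
        problems.extend(hsts_problems(last.hsts))
    return problems


GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"

# Constructed chains modelled on this bug: the broken one bounces through
# plain http://servo.org/, the fixed one stays on https after the first hop.
BROKEN_CHAIN = [
    Hop("https://www.servo.org/", 301, location="http://servo.org/"),
    Hop("http://servo.org/", 301, location="https://servo.org/"),
    Hop("https://servo.org/", 200, hsts=GOOD_HSTS),
]
FIXED_CHAIN = [
    Hop("http://www.servo.org/", 301, location="https://www.servo.org/"),
    Hop("https://www.servo.org/", 301, location="https://servo.org/"),
    Hop("https://servo.org/", 200, hsts=GOOD_HSTS),
]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, chain_problems(chain, "servo.org") or "OK")
```

To use it against a real site, capture each response with redirects disabled (for example `requests.get(url, allow_redirects=False)`) and build one `Hop` per response; the checker deliberately does not fetch anything itself, so it can be run as a unit test against recorded chains before and after a Cloudflare change.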
Comment 1•6 years ago
I don't know who handles this domain, but I don't think it is IT.
Comment 2 (Reporter)•6 years ago
Someone from bug 1229517 might have login data or know more.
Updated•6 years ago
Flags: needinfo?(edunham)
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6830] → [kanban:https://webops.kanbanize.com/ctrl_board/19/6936]
Comment 3•6 years ago
Bulk reset of QA contacts in Infra and Ops bugs.
https://bugzilla.mozilla.org/show_bug.cgi?id=1495849
QA Contact: smani → cshields
Turns out I still did have access here.
I have made the requested changes and can delegate access to the credentials to someone on the ops team if you'd like to not have to go through me in the future.
CC-ing Lars: if things suddenly break that were working before, it's likely a result of these changes.
Flags: needinfo?(edunham) → needinfo?(larsberg)
Comment 5 (Reporter)•6 years ago
https://www.hardenize.com/report/servo.org/1541006880#www_https
There is a permanent redirect from https://www.servo.org to http://servo.org. It should redirect to https://servo.org. Could you try to fix this as well? Thank you.
Flags: needinfo?(edunham)
Comment 6 (Reporter)•6 years ago
I haven't found other problems.
https://www.hardenize.com/report/servo.org#www_https = comment 5
https://www.hardenize.com/report/doc.servo.org + https://doc.servo.org = fine now
https://www.hardenize.com/report/blog.servo.org + https://blog.servo.org = fine now
https://www.hardenize.com/report/starters.servo.org + https://starters.servo.org = fine now
https://www.hardenize.com/report/download.servo.org#www_tls = okay. Cloudfront is not as modern as Cloudflare.
https://www.hardenize.com/report/build.servo.org#www_http = https://github.com/servo/saltfs/pull/906 should help. (Most clients, except web browsers, would ignore HSTS anyway.)
Comment 7 (Reporter)•6 years ago
(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #5)
> https://www.hardenize.com/report/servo.org/1541006880#www_https There is a permanent redirect from https://www.servo.org to http://servo.org. It should redirect to https://servo.org. Could you try to fix this as well? Thank you
Just check if an existing Cloudflare Page Rule is responsible for this behavior and adjust it, or otherwise create a new one:
https://www.servo.org/*
Forwarding URL, 301 Permanent Redirect
https://servo.org/$1
Comment 8•6 years ago
Hi and thanks for all the tips! It's currently set up as a CNAME, I think? See attached image www.png. We are also out of page rules, but I've attached an image with what we have set up right now for review as pagerules.png. Thanks!
Flags: needinfo?(larsberg) → needinfo?(jan)
Comment 9•6 years ago
Comment 10•6 years ago
Comment 11 (Reporter)•6 years ago
=== I. Redirect http to https ===
If "Always Use HTTPS" is enabled on the "Crypto" page of servo.org, you should be able to delete the current three page rules (attachment 9022111 [details]). I will immediately retest with Hardenize afterwards.
Background: Cloudflare introduced the global "Always Use HTTPS" setting to make things easier and to save page rules. https://blog.cloudflare.com/how-to-make-your-site-https-only/
=== II. Redirect https://www.servo.org to https://servo.org ===
The CNAME record makes Cloudflare feel responsible for www.servo.org (the orange cloud icon), but requests don't need to be tunneled to GitHub: Cloudflare can directly do all redirects by page rule. Create this one:
https://www.servo.org/*
Forwarding URL, 301 Permanent Redirect
https://servo.org/$1
Flags: needinfo?(jan)
Updated (Reporter)•6 years ago
Flags: needinfo?(larsberg)
Comment 12•6 years ago
OK, I think I made the changes you've requested. Can you please re-run the scanner thing? Thanks!
Flags: needinfo?(larsberg) → needinfo?(jan)
Comment 13 (Reporter)•6 years ago
Have you removed the CNAME record? The www subdomain is gone. The CNAME record should stay, but you additionally add the page rule. Everything else is fine.
Flags: needinfo?(jan)
Comment 14 (Reporter)•6 years ago
Just go to the Cloudflare DNS page of servo.org and recreate the CNAME record for www pointing to servo.github.io (attachment 9022110 [details]).
Comment 15•6 years ago
Thanks! I think it's fixed now :-)
Comment 16 (Reporter)•6 years ago
Yes, thank you! :)
Status: RESOLVED → VERIFIED
Flags: needinfo?(edunham)