Closed Bug 1482947 Opened 6 years ago Closed 6 years ago

Cloudflare: Please always redirect HTTP to HTTPS, enable HSTS + Preloading

Categories

(Infrastructure & Operations :: SSL Certificates, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jan, Unassigned)

References

Details

(Keywords: nightly-community, Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/19/6936])

Attachments

(2 files)

https://www.hardenize.com/report/servo.org/1534180004#www_https

Problem:
1. https://www.servo.org/ redirects to http://servo.org/.
2. On Reddit, someone posted a link to HTTP://download.servo.org/nightly/android/servo-latest.apk. Servo's download URL can only be protected with HSTS Preloading (enforcing HTTPS with no excuse). That means adding servo.org to https://hstspreload.org/, so that it is included in every browser's source code.

Solution: Please log in to Cloudflare and go to the Crypto page:
* Set "Always use HTTPS" to "on".
* Activate HSTS: On, 12 months, includeSubDomains, Preload, No sniff
* Minimum TLS version: TLS 1.2

Firefox supports TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256 since 2014 (Firefox 27, bug 861266 + bug 937789). Thank you <3
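An added example, not part of the bug report and not Hardenize's code: a small offline checker that walks a redirect chain and flags the two findings the report describes, an HTTPS-to-HTTP downgrade hop and a Strict-Transport-Security header that would not be accepted by hstspreload.org (max-age of at least one year, includeSubDomains, preload). The two response tables are constructed sample data modelled on the report, not live fetches; the "before" table assumes no HSTS header was served at all.

```python
"""Offline redirect-chain and HSTS preload checker (added example; constructed data)."""
from urllib.parse import urljoin, urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict (names lower-cased)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def hsts_preload_problems(value):
    """Return the reasons a header value fails preload submission; empty list means OK."""
    if value is None:
        return ["no Strict-Transport-Security header on the final HTTPS response"]
    d = parse_hsts(value)
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not an integer")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age=%s is below the 1-year minimum (%d)" % (d["max-age"], ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def follow(responses, url, limit=10):
    """Walk the chain in `responses` ({url: (status, headers)}) starting at `url`.

    Returns the hops, whether any hop went from https to http, and the HSTS
    value on the final (non-redirect) response, or None if it has none."""
    hops = [url]
    downgrade = False
    for _ in range(limit):
        status, headers = responses[hops[-1]]
        if status not in (301, 302, 307, 308):
            return {"hops": hops, "downgrade": downgrade,
                    "hsts": headers.get("Strict-Transport-Security")}
        nxt = urljoin(hops[-1], headers["Location"])  # Location may be relative
        if urlsplit(hops[-1]).scheme == "https" and urlsplit(nxt).scheme == "http":
            downgrade = True
        hops.append(nxt)
    raise RuntimeError("too many redirects")


# Constructed sample modelled on the Hardenize finding quoted in the report:
# https://www.servo.org/ sends the browser back to plain http://servo.org/.
BEFORE = {
    "http://servo.org/":      (301, {"Location": "https://servo.org/"}),
    "https://www.servo.org/": (301, {"Location": "http://servo.org/"}),  # the downgrade hop
    "https://servo.org/":     (200, {}),                                 # assumed: no HSTS yet
}

# Constructed sample of what the requested settings should produce.
AFTER = {
    "http://servo.org/":      (301, {"Location": "https://servo.org/"}),
    "http://www.servo.org/":  (301, {"Location": "https://www.servo.org/"}),
    "https://www.servo.org/": (301, {"Location": "https://servo.org/"}),
    "https://servo.org/":     (200, {"Strict-Transport-Security":
                                     "max-age=31536000; includeSubDomains; preload"}),
}


def audit(responses, start):
    """Summarise one start URL: where it ends up, whether it downgraded, HSTS verdict."""
    r = follow(responses, start)
    return {"final": r["hops"][-1], "downgrade": r["downgrade"],
            "hsts_problems": hsts_preload_problems(r["hsts"])}


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(table, "https://www.servo.org/"))
```

The check is deliberately strict about the downgrade hop: a single HTTPS-to-HTTP redirect anywhere in the chain is what lets a network attacker intercept the request, even if the final page is served over TLS. Submitting to the preload list is also effectively a one-way decision that covers every subdomain, so any host that still only answers on plain HTTP (the download host mentioned above, for example) has to be fixed before the domain is submitted.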
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6830]
I don't know who handles this domain, but I don't think it is IT.
Someone from bug 1229517 might have login data or know more.
Flags: needinfo?(edunham)
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6830] → [kanban:https://webops.kanbanize.com/ctrl_board/19/6936]
Bulk reset of QA contacts in Infra and Ops bugs. https://bugzilla.mozilla.org/show_bug.cgi?id=1495849
QA Contact: smani → cshields
Turns out I still did have access here. I have made the requested changes and can delegate access to the credentials to someone on the ops team if you'd like to not have to go through me in the future. CC-ing Lars: if things suddenly break that were working before, it's likely a result of these changes.
Flags: needinfo?(edunham) → needinfo?(larsberg)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
https://www.hardenize.com/report/servo.org/1541006880#www_https There is a permanent redirect from https://www.servo.org to http://servo.org. It should redirect to https://servo.org. Could you try to fix this as well? Thank you
Flags: needinfo?(edunham)
(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #5)
> https://www.hardenize.com/report/servo.org/1541006880#www_https There is a permanent redirect from https://www.servo.org to http://servo.org. It should redirect to https://servo.org. Could you try to fix this as well? Thank you

Just check if an existing Cloudflare Page Rule is responsible for this behavior, adjust it or otherwise create a new one:

https://www.servo.org/*
Forwarding URL, 301 Permanent Redirect
https://servo.org/$1
Hi and thanks for all the tips! It's currently set up as a CNAME, I think? See attached image www.png. We are also out of page rules, but I've attached an image with what we have set up right now for review as pagerules.png. Thanks!
Flags: needinfo?(larsberg) → needinfo?(jan)
Attached image www.png
=== I. Redirect http to https ===

If "Always Use HTTPS" is enabled on the "Crypto" page of servo.org, you should be able to delete the current three page rules (attachment 9022111 [details]). I will immediately retest with Hardenize afterwards.

Background: Cloudflare introduced the global "Always Use HTTPS" setting to make things easier and to save page rules. https://blog.cloudflare.com/how-to-make-your-site-https-only/

=== II. Redirect https://www.servo.org to https://servo.org ===

The CNAME record makes Cloudflare feel responsible for www.servo.org (the orange cloud icon), but requests don't need to be tunneled to GitHub: Cloudflare can directly do all redirects by page rule. Create this one:

https://www.servo.org/*
Forwarding URL, 301 Permanent Redirect
https://servo.org/$1
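An added example, not Cloudflare's code and not from the bug: a simplified model of the zone-wide "Always Use HTTPS" switch plus one "Forwarding URL" page rule, to show what redirect chain the two changes in this comment produce together. The wildcard syntax (`*` matches any run of characters, `$N` substitutes the Nth wildcard) follows Cloudflare's documented page-rule syntax; the evaluation order (Always Use HTTPS before page rules), case-insensitive matching and the `RULES` list are assumptions of this model, and the three existing page rules in pagerules.png are not visible here, so they are not reproduced.

```python
"""Model of Cloudflare 'Always Use HTTPS' + a Forwarding URL page rule (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit


def compile_rule(pattern):
    """Turn 'https://www.servo.org/*' into a regex with one capture group per '*'."""
    regex = "".join("(.*)" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile("^" + regex + "$", re.IGNORECASE)  # case-insensitivity assumed


def apply_forwarding(pattern, target, status, url):
    """Return (status, location) if the rule matches `url`, else None."""
    m = compile_rule(pattern).match(url)
    if not m:
        return None
    location = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), target)
    return status, location


def always_use_https(url):
    """Zone-wide switch: any http:// request gets a 301 to the same URL over https."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None
    return 301, urlunsplit(("https",) + tuple(parts[1:]))


def edge(url, rules):
    """One request at the edge: Always Use HTTPS first (assumed order), then rules in order."""
    r = always_use_https(url)
    if r:
        return r
    for pattern, target, status in rules:
        r = apply_forwarding(pattern, target, status, url)
        if r:
            return r
    return None  # no redirect: pass through to the origin (GitHub Pages here)


def chain(url, rules, limit=10):
    """Follow edge redirects until a request would reach the origin; raise on loops."""
    hops = [url]
    for _ in range(limit):
        r = edge(hops[-1], rules)
        if r is None:
            return hops
        hops.append(r[1])
    raise RuntimeError("redirect loop: " + " -> ".join(hops))


# The single page rule requested in this comment.
RULES = [("https://www.servo.org/*", "https://servo.org/$1", 301)]

if __name__ == "__main__":
    for start in ("http://www.servo.org/nightly/", "https://servo.org/",
                  "http://download.servo.org/nightly/android/servo-latest.apk"):
        print(" -> ".join(chain(start, RULES)))
```

Note that a plain-HTTP request for the www host takes two hops (http://www → https://www → https://apex), because the HTTPS upgrade and the host change are separate steps; that is harmless, but it is why the rule pattern only needs to name the https:// form of www.servo.org once "Always Use HTTPS" is on. The first hop for the download URL is still a redirect that a browser must follow before it has any HSTS policy, which is the gap the preload request is meant to close.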
Flags: needinfo?(jan)
Flags: needinfo?(larsberg)
OK, I think I made the changes you've requested. Can you please re-run the scanner thing? Thanks!
Flags: needinfo?(larsberg) → needinfo?(jan)
Have you removed the CNAME record? The www subdomain is gone. The CNAME record should stay, but you additionally add the page rule. Everything else is fine.
Flags: needinfo?(jan)
Just go to the Cloudflare DNS page of servo.org and recreate the CNAME record for www pointing to servo.github.io (attachment 9022110 [details]).
Thanks! I think it's fixed now :-)
Yes, thank you! :)
Status: RESOLVED → VERIFIED
Flags: needinfo?(edunham)