Closed Bug 1638041 Opened 4 years ago Closed 4 years ago

Add a redirection for the HTTP endpoint for api.profiler.firefox.com

Categories

(Cloud Services :: Operations: Firefox Profiler, task)

Product:
Cloud Services
Component:
Operations: Firefox Profiler
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: julienw, Assigned: oremj)

Details

This came from running api.profiler.firefox.com through mozilla observatory:

http://api.profiler.firefox.com redirects to https://prod.firefoxprofiler.prod.cloudops.mozgcp.net//. But following the checklist in https://infosec.mozilla.org/guidelines/web_security we shouldn't fix the redirection, and instead just disable the http endpoint, because we run an API service.

Assignee: edunham → oremj
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

hey Jeremy,
Thanks for looking at this!

I see that http://api.profiler.firefox.com still answers, returning an error. Is it possible to completely remove the listener on the port 80?
Otherwise we need to add the 301 (or 308) redirection to https://api.profiler.firefox.com for Mozilla Observatory to give back the 20 points.

Thanks!

Flags: needinfo?(oremj)

Looks like it is not possible to completely disable port 80 on the GLB.

Flags: needinfo?(oremj)

Ok, thanks for checking!
In this case I reopen so that we have a redirection http -> https in place. But the redirection needs to be to https://api.profiler.firefox.com/<path>, not https://prod.firefoxprofiler.prod.cloudops.mozgcp.net/<path> like before.

curl -I http://api.profiler.firefox.com/ should redirect to https://api.profiler.firefox.com/

curl -I http://api.profiler.firefox.com/__version__ should redirect to https://api.profiler.firefox.com/__version__.

Thanks!

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: Remove the HTTP endpoint for api.profiler.firefox.com → Add a redirection for the HTTP endpoint for api.profiler.firefox.com

(I'm just a contributing Nighly user.)
Moz Observatory is just gamification. It's wasted time to setup a redirect from http to https of an API endpoint to which you never want to connect insecurely. In worst case you connect via http by mistake and don't notice then.

We have elephants in the room:

Thanks for the message!
yes observatory is gamification but it's just easier (and I'd say safer) to blindly always follow what they report rather than decide if it's important service by service.

Note that ipv6 for the profiler server is bug 1639124, awaiting some change in a dependency.

Thanks for the DNSSec check, I'll file a separate bug.

BTW, it's not only recommended by Mozilla Observatory but also our infosec team, including for API endpoints:
https://infosec.mozilla.org/guidelines/web_security

Probably keeping the HTTP endpoint with a 404 is good enough, but could be misleading. Better do the right thing!

It recommends that APIs do not offer anything on port 80:
"APIs or websites not intended for public consumption should disable the use of HTTP entirely."
is (IMHO) more important than
"Sites that listen on port 80 should only redirect to the same resource on HTTPS."
but I can understand the desire to remove this disturbing Google error page.

All set.

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
Resolution: --- → FIXED

hey Jeremy, thanks!

I noticed that there's a small discrepency:

Sometimes:

$ curl -I http://api.profiler.firefox.com/
HTTP/1.1 302 Moved Temporarily
...
Location: https://api.profiler.firefox.com/
...

which is OK,
but sometimes this is what I get:

$ curl -I http://api.profiler.firefox.com/
HTTP/1.1 302 Moved Temporarily
...
Location: https://api.profiler.firefox.com//
...

This wouldn't be a big deal normally but our server is sensitive to this difference. This happens for others too like http://api.profiler.firefox.com/__version__. Maybe you left a final / in one of the redirections.

Could you please have a last look?

Flags: needinfo?(oremj)

Looks like one of the iprepd nginx instances didn't pick up a fix in the nginx config. This should be fixed now.

Flags: needinfo?(oremj)

It looks like it is, thanks a lot!

You need to log in before you can comment on or make changes to this bug.