Add a redirection for the HTTP endpoint for api.profiler.firefox.com
Categories
(Cloud Services :: Operations: Firefox Profiler, task)
Tracking
(Not tracked)
People
(Reporter: julienw, Assigned: oremj)
Details
This came from running api.profiler.firefox.com through mozilla observatory:
http://api.profiler.firefox.com redirects to https://prod.firefoxprofiler.prod.cloudops.mozgcp.net//
. But following the checklist in https://infosec.mozilla.org/guidelines/web_security we shouldn't fix the redirection, and instead just disable the http endpoint, because we run an API service.
Assignee | ||
Comment 1•4 years ago
|
||
Assignee | ||
Updated•4 years ago
|
Reporter | ||
Comment 2•4 years ago
|
||
hey Jeremy,
Thanks for looking at this!
I see that http://api.profiler.firefox.com still answers, returning an error. Is it possible to completely remove the listener on the port 80?
Otherwise we need to add the 301 (or 308) redirection to https://api.profiler.firefox.com for Mozilla Observatory to give back the 20 points.
Thanks!
Assignee | ||
Comment 3•4 years ago
|
||
Looks like it is not possible to completely disable port 80 on the GLB.
Reporter | ||
Comment 4•4 years ago
|
||
Ok, thanks for checking!
In this case I reopen so that we have a redirection http -> https in place. But the redirection needs to be to https://api.profiler.firefox.com/<path>
, not https://prod.firefoxprofiler.prod.cloudops.mozgcp.net/<path>
like before.
curl -I http://api.profiler.firefox.com/
should redirect to https://api.profiler.firefox.com/
curl -I http://api.profiler.firefox.com/__version__
should redirect to https://api.profiler.firefox.com/__version__
.
Thanks!
Reporter | ||
Updated•4 years ago
|
Comment 5•4 years ago
•
|
||
(I'm just a contributing Nighly user.)
Moz Observatory is just gamification. It's wasted time to setup a redirect from http to https of an API endpoint to which you never want to connect insecurely. In worst case you connect via http by mistake and don't notice then.
We have elephants in the room:
- Enable DNS tampering protection: bug 1629834 (https://dnsviz.net/d/mozilla.org/dnssec/ is properly secured while https://dnsviz.net/d/api.profiler.firefox.com/dnssec/ is not)
- Be accessible via IP (and not only via legacy IP): https://bugzilla.mozilla.org/buglist.cgi?quicksearch=%5Bipv6%5D&list_id=15267901
- Please disable TLS 1.0 and 1.1: bug 1638023. https://www.hardenize.com/report/api.profiler.firefox.com/1590584418#www_tls
For TLS 1.2, only allow ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256 and Chacha.
ECDHE-RSA-AES128-GCM-SHA256 is supported since bug 934663 comment 14 (Firefox 27+ from 2013).
Reporter | ||
Comment 6•4 years ago
|
||
Thanks for the message!
yes observatory is gamification but it's just easier (and I'd say safer) to blindly always follow what they report rather than decide if it's important service by service.
Note that ipv6 for the profiler server is bug 1639124, awaiting some change in a dependency.
Thanks for the DNSSec check, I'll file a separate bug.
Reporter | ||
Comment 7•4 years ago
|
||
BTW, it's not only recommended by Mozilla Observatory but also our infosec team, including for API endpoints:
https://infosec.mozilla.org/guidelines/web_security
Probably keeping the HTTP endpoint with a 404 is good enough, but could be misleading. Better do the right thing!
Comment 8•4 years ago
•
|
||
It recommends that APIs do not offer anything on port 80:
"APIs or websites not intended for public consumption should disable the use of HTTP entirely."
is (IMHO) more important than
"Sites that listen on port 80 should only redirect to the same resource on HTTPS."
but I can understand the desire to remove this disturbing Google error page.
Assignee | ||
Comment 9•4 years ago
|
||
All set.
Reporter | ||
Comment 10•4 years ago
|
||
hey Jeremy, thanks!
I noticed that there's a small discrepency:
Sometimes:
$ curl -I http://api.profiler.firefox.com/
HTTP/1.1 302 Moved Temporarily
...
Location: https://api.profiler.firefox.com/
...
which is OK,
but sometimes this is what I get:
$ curl -I http://api.profiler.firefox.com/
HTTP/1.1 302 Moved Temporarily
...
Location: https://api.profiler.firefox.com//
...
This wouldn't be a big deal normally but our server is sensitive to this difference. This happens for others too like http://api.profiler.firefox.com/__version__. Maybe you left a final /
in one of the redirections.
Could you please have a last look?
Assignee | ||
Comment 11•4 years ago
|
||
Looks like one of the iprepd nginx instances didn't pick up a fix in the nginx config. This should be fixed now.
Reporter | ||
Comment 12•4 years ago
|
||
It looks like it is, thanks a lot!
Description
•