Killing HTTP support on CodeWalrus (site would become HTTPS-only)

b/Website Talk Started by Dream of Omnimaga, April 06, 2016, 11:49:19 PM

u/DarkestEx September 06, 2016, 11:01:17 PM
Quote from: Streetwalrus on September 06, 2016, 11:00:34 PM
As juju said, regular http works for browsers that don't support modern crypto.
Then it must be HTTPS resources on the front page making it not work.
u/Yuki September 06, 2016, 11:17:21 PM
Quote from: DarkestEx on September 06, 2016, 11:01:17 PM
Quote from: Streetwalrus on September 06, 2016, 11:00:34 PM
As juju said, regular http works for browsers that don't support modern crypto.
Then it must be HTTPS resources on the front page making it not work.
As I said.

And as I said, we got everything covered to offer you a potable experience on old browsers.
u/Dream of Omnimaga September 06, 2016, 11:52:32 PM
One issue with SMF plugins is that they sometimes require us to use absolute links rather than relative. I wish the URL tag allowed us to use relative links.
u/gameblabla December 05, 2016, 01:20:59 AM
img.codewalr.us's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.
u/Dream of Omnimaga December 05, 2016, 05:18:11 AM
To be honest, when we switched to LE I thought this would solve all our sub-domain cert issues. @Juju and @Streetwalrus should indeed fix this. Plus this would allow us to finally use SSL for the WalrusIRC smileys and other things.
u/novenary December 05, 2016, 05:40:35 AM
Quote from: gameblabla on December 05, 2016, 01:20:59 AM
img.codewalr.us's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.
HTTPS is not enabled on that subdomain, I have no idea how this is happening.
Let's Encrypt can't fix anything, all it does is give us certs for free. We need to take care of things.

Edit: actually it's probably trying to serve the default subdomain, pretty sure that's the issue.
Last Edit: December 05, 2016, 05:43:03 AM by Streetwalrus
u/Dream of Omnimaga December 05, 2016, 05:49:12 AM
Ah, that might explain it. I recall trying one of the sub-domains on https and it redirected to a Rick Astley pic.

I think we should enable https on all subdomains.
u/Yuki December 05, 2016, 06:04:00 AM
Ah yeah, HTTPS might not be enabled on all domains in the webserver's config, nothing to do with Let's Encrypt.
u/novenary December 05, 2016, 06:17:45 AM
It can, but it's effort. :P
Will look into it tonight.
u/Yuki December 05, 2016, 06:22:40 AM
Don't think it is a lot of effort.
u/novenary December 05, 2016, 06:24:09 AM
Yeah, just need a little bit of setup, shouldn't be hard at all.
Would be cool if nginx supported variables/macros in the config so we could just add an include line and add the domain to acmetool, and boom, https.
u/Yuki December 05, 2016, 06:29:27 AM
Ah yeah, that would be fun. I think nginx supports variables. Probably.

The best would be to renew the certs directly in the config and I think it's possible.
u/novenary December 05, 2016, 06:33:24 AM
I already have this thing set up, you just tell it that you want certs for a given subdomain and it will check and renew them on a cronjob.
The only problem is the nginx config, lots of copy-pasta. Also our current config is a bit messy. :P
u/gameblabla January 21, 2018, 12:45:23 AM
Bump.
More and more browsers are now complaining about insecure connections.
And while codewalr.us does support HTTPS, there are some issues:
- On the front page, some images use http: rather than https:. Should be fairly trivial to fix.
- Cookies do not use the HttpOnly and Secure flags. Should be done for security.

I believe it should be made HTTPS-only because even on older operating systems like NT 4.0, it is possible to visit secure websites with TLS 1.0 and all.
As for browsers that do not support HTTPS, I honestly doubt they can support codewalr.us properly anyway.
Preferably, codewalrus should also support CSP; here are the CSP settings I use for my website.


# Apache mod_headers directive; a trailing backslash continues it onto the next line
Header always set Content-Security-Policy "default-src 'none'; base-uri 'none'; \
frame-ancestors 'none'; form-action 'none'; \
font-src 'self'; child-src 'none'; script-src 'self'; object-src 'none'; \
connect-src 'none'; style-src 'self'; img-src 'self';"


Of course, since codewalrus supports scripting, you should tweak them according to your needs.

You can use the observatory by Mozilla for more info:
https://observatory.mozilla.org
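
The three issues listed in the post above (http: subresources, cookies without HttpOnly/Secure, no CSP) can be checked offline against a saved response. This is an added example, not part of the original post or of CodeWalrus's code; the function names are hypothetical and the sample response is constructed.

```python
from html.parser import HTMLParser
# Tags whose attribute triggers a subresource fetch; <a href> is navigation, not mixed content.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        want = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == want and value and value.lower().startswith("http://"):
                self.urls.append(value)

def cookie_flags_missing(set_cookie):
    """Return (cookie name, missing flags) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return parts[0].split("=", 1)[0], sorted({"httponly", "secure"} - attrs)

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; the first duplicate wins."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(headers, body):
    """headers: list of (name, value) pairs; body: HTML text. Returns a list of findings."""
    findings, csp = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, missing = cookie_flags_missing(value)
            if missing:
                findings.append(f"cookie {cookie}: missing {', '.join(missing)}")
        elif name.lower() == "content-security-policy":
            csp = parse_csp(value)
    if csp is None:
        findings.append("no Content-Security-Policy header")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("CSP allows inline scripts")
    scanner = MixedContentScanner()
    scanner.feed(body)
    return findings + [f"mixed content: {url}" for url in scanner.urls]

# Constructed sample response, not captured from codewalr.us.
SAMPLE_HEADERS = [("Set-Cookie", "PHPSESSID=abc123; path=/"), ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly")]
SAMPLE_BODY = '<img src="http://img.example.test/logo.png"><a href="http://example.test/">x</a><img src="/ok.png">'
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_BODY)` reports the session cookie, the missing CSP header and the one http: image, while the plain link and the relative image are left alone.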