
Killing HTTP support on CodeWalrus (site would become HTTPS-only)

Started by DJ Omnimaga, April 06, 2016, 11:49:19 pm


Should we kill HTTP access support on CW and make the site HTTPS-only for security?

Yes
18 (85.7%)
No
3 (14.3%)

Total Members Voted: 21

DarkestEx

Quote from: Streetwalrus on September 06, 2016, 11:00:34 pm
As juju said, regular http works for browsers that don't support modern crypto.

Then it must be HTTPS resources on the front page making it not work.

Juju

Quote from: DarkestEx on September 06, 2016, 11:01:17 pm
Quote from: Streetwalrus on September 06, 2016, 11:00:34 pm
As juju said, regular http works for browsers that don't support modern crypto.

Then it must be HTTPS resources on the front page making it not work.
As I said.

And as I said, we got everything covered to offer you a potable experience on old browsers.
Read Zarmina!
YUKI-CHAAAANNNN
In the beginning there was walrii. In the end there will be walrii. All hail our supreme leader :walrii: --Snektron



if you wanna throw money at me and/or CodeWalrus monthly it's here

DJ Omnimaga

One issue with SMF plugins is that they sometimes require us to use absolute links rather than relative. I wish the URL tag allowed us to use relative links.

gameblabla

img.codewalr.us's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.

DJ Omnimaga

To be honest, when we switched to LE I thought this would solve all our sub-domain cert issues. @Juju and @Streetwalrus should indeed fix this. Plus this would allow us to finally use SSL for the WalrusIRC smileys and other things.

Streetwalrus

December 05, 2016, 05:40:35 am #65 Last Edit: December 05, 2016, 05:43:03 am by Streetwalrus
Quote from: gameblabla on December 05, 2016, 01:20:59 am
img.codewalr.us's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.

HTTPS is not enabled on that subdomain, I have no idea how this is happening.
Let's Encrypt can't fix anything, all it does is give us certs for free. We need to take care of things.

Edit: actually it's probably trying to serve the default subdomain, pretty sure that's the issue.

DJ Omnimaga

Ah, that might explain it. I recall trying one of the sub-domains on https and it redirected to a Rick Astley pic.

I think we should enable https on all subdomains.

Juju

Ah yeah, HTTPS might not be enabled on all domains in the webserver's config, nothing to do with Let's Encrypt.


Streetwalrus

Yeah, just need a little bit of setup, shouldn't be hard at all.
Would be cool if nginx supported variables/macros in the config so we could just add an include line and add the domain to acmetool, and boom, https.

Juju

Ah yeah, that would be fun. I think nginx supports variables. Probably.

The best would be to renew the certs directly in the config and I think it's possible.

Streetwalrus

I already have this thing set up, you just tell it that you want certs for a given subdomain and it will check and renew them on a cronjob.
The only problem is the nginx config, lots of copy-pasta. Also our current config is a bit messy. :P

gameblabla

Bump.
More and more browsers are now complaining about insecure connections.
And while codewalr.us does support HTTPS, there are some issues:
- On the front page, some images use http: rather than https:. Should be fairly trivial to fix.
- Cookies do not use the HttpOnly and Secure flags. Should be done for security.

I believe it should be made HTTPS-only because even on older operating systems like NT 4.0, it is possible to visit secure websites with TLS 1.0 and all.
As for browsers that do not support HTTPS, I honestly doubt they can support codewalr.us properly anyway.
Preferably, codewalrus should also support CSP. Here are the CSP settings I use for my website (Apache config):


Header always set Content-Security-Policy "default-src 'none'; base-uri 'none'; \
    frame-ancestors 'none'; form-action 'none'; \
    font-src 'self'; child-src 'none'; script-src 'self'; object-src 'none'; \
    connect-src 'none'; style-src 'self'; img-src 'self';"


Of course, since codewalrus supports scripting, you should tweak them according to your needs.

You can use the Observatory by Mozilla for more info:
https://observatory.mozilla.org
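An added example, not code from the thread or from CodeWalrus, that audits a captured HTTP response for the three problems gameblabla lists: cookies set without Secure/HttpOnly, plain-http image sources that would be mixed content on an HTTPS page, and a missing Content-Security-Policy header. The response below is constructed for illustration.

```python
import re

# Constructed sample response showing all three issues; not a real capture from codewalr.us.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: SMFCookie=xyz; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    '<html><body><img src="http://img.example/logo.png">'
    '<img src="https://img.example/ok.png"><img src="/local.png"></body></html>'
)

def parse_response(raw):
    """Split a raw HTTP response into a list of (header, value) pairs and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def weak_cookies(headers):
    """Names of cookies whose Set-Cookie lacks the Secure or HttpOnly attribute."""
    weak = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            weak.append((parts[0].split("=", 1)[0], missing))
    return weak

def mixed_content_images(body):
    """img src values fetched over plain http:, which browsers warn about or block on HTTPS pages."""
    srcs = re.findall(r'<img[^>]+src=["\']([^"\']+)', body, flags=re.I)
    return [s for s in srcs if s.lower().startswith("http:")]

def has_csp(headers):
    return any(name == "content-security-policy" for name, _ in headers)

def audit(raw):
    headers, body = parse_response(raw)
    return {"weak_cookies": weak_cookies(headers),
            "mixed_content": mixed_content_images(body),
            "csp_present": has_csp(headers)}
```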
