GNU bug report logs - #37348
Force https redirect missing from ci, workflow and workflows guix.info sub-domains

Previous Next

Package: guix;

Reported by: "Collin J. Doering" <collin <at> rekahsoft.ca>

Date: Mon, 9 Sep 2019 02:50:02 UTC

Severity: normal

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 37348 <at> debbugs.gnu.org
Subject: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
Date: Tue,  2 Nov 2021 17:09:50 +0100

* hydra/nginx/berlin.scm (%berlin-servers): Add a default port-80 server
to redirect all requests to their HTTPS counterparts.  Remove explicit
HTTP support for guix.gnu.org and issues.guix.gnu.org.
---

All,

Like Chris I'm not convinced there was anything ‘missing’, but this is a
practice whose time has come and come again and left several voice mails
at this point.

People are going to keep asking for it.  The old ‘user choice’ argument
always rung hollow to me.  Shall we just do this?

This is a conservative patch: it only redirects guix.gnu.org and
issues.guix.gnu.org, the most (potential-)user-facing sites, to HTTPS.

CI should probably remain reachable over HTTP indefinitely.

Subprojects like GWL, friends like Bootstrappable, and anything else
retain ‘user choice’, until they opt in.

Kind regards,

T G-R

 hydra/nginx/berlin.scm | 42 +++++++-----------------------------------
 1 file changed, 7 insertions(+), 35 deletions(-)

diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 4713d7b..38854e3 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -797,31 +797,37 @@ PUBLISH-URL."
     (body (list "try_files $uri /$lang/$uri /$lang/$uri/index.html =404;")))
 
    (nginx-location-configuration                  ;certbot
     (uri "/.well-known")
     (body (list "root /var/www;")))))
 
 (define guix.gnu.org-locations
   (append guix.gnu.org-redirect-locations
           (guix.gnu.org-redirects-for-each-language)
           guix.gnu.org-other-locations))
 
 (define %publish-url "http://localhost:3000")
 
 (define %berlin-servers
   (list
-   ;; Plain HTTP
+   ;; Redirect domains that don't explicitly support HTTP (below) to HTTPS.
+   (nginx-server-configuration
+    (listen '("80"))
+    (raw-content
+     (list "return 308 https://$host$request_uri;")))
+
+   ;; Domains that still explicitly support plain HTTP.
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("ci.guix.gnu.org"))
     (locations (berlin-locations %publish-url))
     (raw-content
      (list
       "access_log  /var/log/nginx/http.access.log;"
       "proxy_set_header X-Forwarded-Host $host;"
       "proxy_set_header X-Forwarded-Port $server_port;"
       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("bootstrappable.org"
                    "www.bootstrappable.org"))
@@ -829,64 +835,30 @@ PUBLISH-URL."
     (raw-content
      (list
       "access_log /var/log/nginx/bootstrappable.access.log;")))
 
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("disarchive.guix.gnu.org"))
     (root "/gnu/disarchive")
     (raw-content
      ;; Tell nginx to always read 'FILE.gz' when asked for 'FILE', and to
      ;; gunzip it on the fly (because the client for this typically doesn't
      ;; properly support gzip encoding).
      (list "gzip_static always; gunzip on;\n"
            "access_log /var/log/nginx/disarchive.access.log;")))
 
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("guix.gnu.org"))
-    (root "/srv/guix.gnu.org")
-    (locations guix.gnu.org-locations)
-    (raw-content
-     (list
-      "add_header Content-Security-Policy \"frame-ancestors 'none'\";"
-
-      ;; TODO This works around NGinx using the epoch for the
-      ;; Last-Modified date, as well as the etag.
-      ;; See http://issues.guix.gnu.org/37207
-      "add_header Last-Modified \"\";"
-      "if_modified_since off;"
-      "etag off;"
-
-      "rewrite (.*)/$ $1/index.html;"
-      "access_log /var/log/nginx/guix-info.access.log;")))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("issues.guix.gnu.org"))
-    (root "/home/rekado/mumi/")
-    (locations
-     (list (nginx-location-configuration ;certbot
-            (uri "/.well-known")
-            (body (list "root /var/www;")))
-           (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:1234;")))))
-    (raw-content
-     (list
-      "access_log /var/log/nginx/issues-guix-info.access.log;")))
-
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("guixwl.org"
                    "www.guixwl.org"))
     (root "/home/rekado/gwl/")
     (locations
      (list (nginx-location-configuration ;certbot
             (uri "/.well-known")
             (body (list "root /var/www;")))
 
            (nginx-location-configuration
             (uri "/manual")
             (body (list "alias /srv/gwl-manual;")))
 
            ;; Pass requests to 'guix workflow --web-interface'.

base-commit: 9782bc16ef4384171c7b7381ad27a4b9ba60ca61
-- 
2.33.0
This bug report was last modified 3 years and 185 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.