Comments (14)
Also, https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security would be good.
from mathdown.
re HSTS: http://blog.nvisium.com/2014/04/is-your-site-hsts-enabled.html, https://news.ycombinator.com/item?id=7646215
from mathdown.
- Request a SHA-2 cert: https://kuix.de/blog/index.php?entry=SSL/TLS-servers,-SHA-1/SHA-256-and-StartSSL.com-certificates
from mathdown.
Now works on Heroku: https://mathdown.herokuapp.com. Custom domain SSL requires $20/month.
and on Openshift: https://mathdown-cben.rhcloud.com. Custom domain SSL also costs $20/month and I can't even upgrade my account to pay.
git push to heroku deploys in 50 seconds, to rhcloud in a ridiculous 13 minutes :-(
mathdown.com domain (using it as testbed before switching mathdown.net) is now managed by Cloudflare, CNAMEing to mathdown.herokuapp.com.
Cloudflare offers free SSL certs between it and users but "full SSL strict" validation between it and the heroku/openshift backend fails unless the server presents a cert for the custom domain (mathdown.com).
There seems to be no way to tell them to validate heroku's certificate.
They offer "full SSL" (not strict) / "flexible SSL" modes without validation/encryption to backend but that's snake oil.
I'll probably stay on Cloudflare DNS anyway, don't know yet if I want them as men in the middle.
Cloudflare can't currently support HSTS.
Plan: pay for heroku SSL for now, later investigate just running on $5–10 Digital Ocean (deployed with Terraform and/or docker via tutum.co).
For forks, Heroku button and free HTTPS on foo.herokuapp.com domains is fine.
- Currently server.coffee is logging URLs to stdout, including the doc=secret part. Should probably stop. Heroku and Openshift logs are not public, but logs do get around during debugging, and logs containing user secrets are a bad idea.
from mathdown.
Forgot to mention wrt initial comment here:
- I need dynamic server for #7 anyway (spiderable docs). Also nice for #59 (pretty mathdown.net/SECRET urls).
- Github pages does nowadays support HTTPS on https://cben.github.io/mathdown/ — but not on custom domains. Cloudflare isn't a gratis solution for the same reason as with heroku.
- I intend to keep ability to run from GH Pages or local checkout (without #7, #59) for trivial fork demoing.
See #57 for more details on moving away from Github pages.
from mathdown.
For the record: any hosting without dedicated IP relies on SNI to present correct cert.
This is generally fine; the main group it leaves in the dark is Android 2.x default browser, and IE8 on XP.
=> I'm fine with SNI.
from mathdown.
Comparing free HTTPS config of Heroku vs OpenShift (aka rhcloud) – at their wildcard cert subdomains:
https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.herokuapp.com&s=23.21.143.20&latest
=> B for "accepts the RC4 cipher, which is weak" (handshake simulation shows RC4 would only be used by IE8 on XP, which won't work due to SNI anyway).
https://www.ssllabs.com/ssltest/analyze.html?d=mathdown-cben.rhcloud.com&latest
=> A despite "Certificate uses a weak signature." (SHA1)
from mathdown.
Yay, https://mathdown.com now works!
Got StartSSL cert for mathdown.com, deployed on Openshift (https://mathdown-cben.rhcloud.com), Cloudflare DNS points to Openshift, working through Cloudflare with "Full SSL (strict)" (= Cloudflare is MITM but is verifying the openshift server presents a valid cert for mathdown.com).
SSLLabs report: https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.com&s=104.28.6.62
Surprisingly this shows Fail due to SNI or crypto mismatch for a lot of clients, while the above tests with Heroku/OpenShift's SNI only had 1 or 2 Fails.
And I tried https://mathdown.com on IE8 on XP on Saucelabs, and it worked. Weird, not sure how "real" that XP is.
Crypto mismatch is less surprising — while Cloudflare as a CDN should want wide interoperability, they did optimize their free TLS implementation.
About Cloudflare
Wait, did I just say Cloudflare are doing Man-In-The-Middle? With HTTPS?!? Yes.
It's a bit bizarre, and only goes to show how insecure the CA system is.
In Sep 2014 they announced free TLS for everybody.
How does it work?
For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains.
They can do that, without asking me, because by controlling my DNS they can "prove" ownership of the domain. So they made a deal with a couple of CAs to mint certs for them [see https://news.ycombinator.com/item?id=8382335 for discussion]. The cert in my case:
Alternative names: sni39464.cloudflaressl.com *.kagetora.nl *.koloso.be *.linkea.do *.mathdown.com *.mnaz.me *.movieq.biz *.nautilus-jp.com *.r-3.okinawa *.xn--treciwyspis-gfc.pl kagetora.nl koloso.be linkea.do mathdown.com mnaz.me movieq.biz nautilus-jp.com r-3.okinawa xn--treciwyspis-gfc.pl
Issuer: COMODO ECC Domain Validation Secure Server CA 2
The technical reason I want them to control my DNS is that they provide free DNS with CNAME at the apex.
Anyway, I have a strong impression Cloudflare are very competent and a force for good.
But will I keep them as CDN, or only as DNS?
- Pro: CDN = caching and latency
- Con: extra complexity dev/prod parity
- It seems I'm not serving sensible caching headers, must sort that out first before sprinkling magic CDN dust.
- Pro: they add IPv6 support (neither Heroku nor Openshift has anything but IPv4 addresses)
=> I think I'll disable CF as CDN for now.
from mathdown.
About mathdown.com vs mathdown.net:
I started with .com to experiment. Now will get .net certificate, and move .net DNS to Cloudflare.
But I'm not sure if Openshift can serve 2 custom certificates. And StartSSL requires level 2 validation to produce 1 cert with both .com and .net as AltNames. [If a problem, will buy from sslmate]
from mathdown.
Moved .net DNS to cloudflare (still pointing to Github Pages, turned SSL off)
Replaced fixed GH pages A addresses with CNAME ("flattened" by CF) to cben.github.io - works.
from mathdown.
Also got a mathdown.net cert, added to RHcloud* (turned out they support multiple domains with separate certs trivially).
*I've been mostly referring to it as Openshift but to be precise Openshift is the (open source) software and RHcloud is the openshift hosting run by RedHat.
from mathdown.
TODO: intelligent redirects (and/or rel=canonical) http->https, and .com -> .net.
- Want both server-side redirect from server.js and client side for GH Pages https.
- Should look into libs for running same routing logic on client and server.
- Openshift (and probably Heroku) terminate TLS in the reverse proxy; need to check x-forwarding
[https://help.openshift.com/hc/en-us/articles/203263674-What-external-ports-are-available-on-OpenShift-]
good checklist doc for migration to HTTPS: https://docs.google.com/document/d/1oRXJUIttqQxuxmjj2tgYjj096IKw4Zcw6eAoIKWZ2oQ/edit#
- Verify no mixed-content errors? Currently clean but see if this can be ensured in tests.
- HSTS should be possible simply by setting response header.
from mathdown.
I flipped mathdown.net DNS yesterday to RHcloud (yay!) but turns out I misconfigured certs:
https://mathdown.net and https://mathdown.com/ work but with www. they give error:
This server could not prove that it is www.mathdown.com; its security certificate is from *.rhcloud.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
from mathdown.
Just to conclude: https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.net :-)
Main caveat: This site works only in browsers with SNI support.
Opening new issue(s) for redirects & HSTS followup.
from mathdown.