Comments (8)
But I am confused how Cloudflare is inserting these headers, as max even has a different NS!
NS in general has no bearing on TLS certificate issuance. It is just that the ACME protocol ties in TLS with NS. CDNs usually vend certs via ALPN challenges.
Cloudflare "controls" the rethinkdns.com TLD, and can issue certs for all its immediate subdomains, *.rethinkdns.com, which they do (or Workers and Pages wouldn't work over HTTPS).
from serverless-dns.
If everything looks good, it may be set to 6 months as recommended or 1 year?
1yr sounds good to me.
from serverless-dns.
Yikes. Better yet, set HSTS (despite its shortcomings): https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
For TLD rethinkdns.com HSTS can be enabled from the Cloudflare dashboard.
from serverless-dns.
@ignoramous Have enabled HSTS on rethinkdns.com and subdomains.
It works! For http://max.rethinkdns.com, response is:
HTTP/1.1 307 Internal Redirect
Location: https://max.rethinkdns.com/
Non-Authoritative-Reason: HSTS
(In the browser only; not via curl, though)
But I am confused how Cloudflare is inserting these headers, as max even has a different NS!
Have set max-age: 1 month (needed for subdomains). If everything looks good, it may be set to 6 months as recommended or 1 year?
from serverless-dns.
Have set max-age to 1 year.
from serverless-dns.
HSTS redirect to https from http only works when browser knows of HSTS on the domain.
To Reproduce, try opening http://max.rethinkdns.com/ from Incognito Window in Chrome, no redirects to https happen. But once you open https://max.rethinkdns.com/, redirects start working again.
I guess these Response headers come from browser itself:
HTTP/1.1 307 Internal Redirect
Location: https://max.rethinkdns.com/
Non-Authoritative-Reason: HSTS
Maybe HSTS Preload also needs to be enabled? https://hstspreload.org/?domain=rethinkdns.com
from serverless-dns.
Preload lists are the achilles-heel of HSTS.
HSTS could be used in addition to the 3xx redirect? I am not sure:
- If DoH clients ever use non HTTPS endpoints.
- If DoH clients ever follow HTTP redirects.
from serverless-dns.
@ignoramous
No, DoH clients weren't my concern.
https upgrade is needed for when someone would paste in a DoT hostname like 1-EAABAAA.max.rethinkdns.com in the browser and by default (in most browsers), it would try to connect over http. That's how I noticed this problem.
from serverless-dns.
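The behaviour described in the two comments above (the browser, not Cloudflare, synthesises the 307 once it has cached an HSTS policy, and a pasted DoT hostname under max.rethinkdns.com is only upgraded when the apex policy carries includeSubDomains) modelled as a small simulation of the browser-side HSTS cache from RFC 6797. This is an added example, not code from the serverless-dns project; the class name HstsCache and the timestamps used are assumptions.

```python
"""Model of the browser-side HSTS "known hosts" cache (RFC 6797).
Added example, not serverless-dns code; HstsCache is a made-up name."""
import time
from urllib.parse import urlsplit


class HstsCache:
    def __init__(self):
        self.policies = {}  # host -> (expiry_epoch, include_subdomains)

    def observe(self, host, sts_header, now=None):
        """Record the policy carried by a Strict-Transport-Security header.
        Browsers only honour the header on responses received over HTTPS,
        which is why a cold cache (Incognito) never upgrades the first visit."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in sts_header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory; the header is ignored
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 removes the policy
            return True
        self.policies[host.lower()] = (now + max_age, include_sub)
        return True

    def upgrade(self, url, now=None):
        """Return the URL the browser would actually fetch: rewritten to https
        when an unexpired policy covers the host, either an exact match or a
        parent domain whose policy has includeSubDomains; otherwise unchanged."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            expiry, include_sub = self.policies.get(".".join(labels[i:]), (0, False))
            if expiry > now and (i == 0 or include_sub):
                return parts._replace(scheme="https").geturl()
        return url
```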