Comments (8)
ignoramous
commented on May 15, 2024
1
But I am confused how Cloudflare is inserting these headers, as max even has a different NS!
NS in general has no bearing on TLS certificate issuance. It is just that the ACME protocol ties in TLS with NS. CDNs usually vend certs via ALPN challenges.
Cloudflare "controls" the rethinkdns.com TLD, and can issue certs for all its immediate subdomains, *.rethinkdns.com, which they do (or Workers and Pages wouldn't work over HTTPS).
from serverless-dns.
ignoramous
commented on May 15, 2024
1
If everything looks good, it may be set to 6 months as recommended or 1 year?
1yr sounds good to me.
from serverless-dns.
ignoramous
commented on May 15, 2024
Yikes. Better yet, set HSTS (despite its shortcomings): https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
For TLD rethinkdns.com HSTS can be enabled from the Cloudflare dashboard.
from serverless-dns.
amithm7
commented on May 15, 2024
@ignoramous Have enabled HSTS on rethinkdns.com and subdomains.
It works! For http://max.rethinkdns.com, response is:
HTTP/1.1 307 Internal Redirect
Location: https://max.rethinkdns.com/
Non-Authoritative-Reason: HSTS
(In the browser only; not via curl, though)
But I am confused how Cloudflare is inserting these headers, as max even has a different NS!
Have set max-age: 1 month (needed for subdomains). If everything looks good, it may be set to 6 months as recommended or 1 year?
from serverless-dns.
amithm7
commented on May 15, 2024
Have set max-age to 1 year.
from serverless-dns.
amithm7
commented on May 15, 2024
HSTS redirect to https from http only works when browser knows of HSTS on the domain.
To Reproduce, try opening http://max.rethinkdns.com/ from Incognito Window in Chrome, no redirects to https happen. But once you open https://max.rethinkdns.com/, redirects start working again.
I guess these Response headers come from browser itself:
HTTP/1.1 307 Internal Redirect
Location: https://max.rethinkdns.com/
Non-Authoritative-Reason: HSTS
Maybe HSTS Preload also needs to be enabled? https://hstspreload.org/?domain=rethinkdns.com
from serverless-dns.
ignoramous
commented on May 15, 2024
Preload lists are the achilles-heel of HSTS.
HSTS could be used in addition to the 3xx redirect? I am not sure:
- If DoH clients ever use non
HTTPSendpoints. - If DoH clients ever follow
HTTPredirects.
from serverless-dns.
amithm7
commented on May 15, 2024
@ignoramous
No, DoH clients weren't my concern.
https upgrade is needed for when someone would paste in a DoT hostname like 1-EAABAAA.max.rethinkdns.com in the browser and by default (in most browsers), it would try to connect over http. That's how I noticed this problem.
from serverless-dns.
Related Issues (20)
- how te see dns logs HOT 3
- My domain
- I keep seeing Google as DNS resolver HOT 2
- Is/Will the configuration page open sourced? HOT 4
- Google as dns resolvers? HOT 1
- Auto-schedule deploys HOT 7
- Error: Could not find App "rdns-dev" with fly.io HOT 1
- Nothing works when using rethink app HOT 2
- ✘ [ERROR] Command failed with exit code 1: npm run build HOT 1
- Offset out of range ip.toString
- Cloudflare deploy Project had an error Error HOT 1
- Please change DENO_ENV to another env name HOT 2
- CF: All jobs have failed HOT 14
- Can this be configured to use an Asus Router? Can URLs be blocked? HOT 2
- basic-unbound HOT 1
- Please help HOT 1
- Certificate expired on https://max.rethinkdns.com/rec
- RethinkDNS DoH and configuration page doesn't work HOT 2
- DNS (CF wokers) not working HOT 6
- Fly.io blocklist not working HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from serverless-dns.