download updates via HTTPS

(darix) #1

With the rise of Letsencrypt there is no excuse not to anymore. given that this is basically downloading code that will be executed on the users computer, this should really come over a secure connection.

@patdavid and me an help you with LE questions. (others probably too)

(G'MIC staff) #2

Sounds like a good idea.
I’m totally unfamiliar with how these things work actually. What would it imply ? How do you see the thing working ?

(Kees Guequierre) #3

As you are running apache on Just use certbot to setup https + letsencrypt. Certbot is included in most distributions.

It should be relative painless to switch to https.

(G'MIC staff) #4

I admit I’m using a not-so-expensive external hosting service for, so I cannot tweak the web server as I want.
I’ll see what they offer, and if this service is available in my hosting contract.

(darix) #5

We use dehydrated for

(darix) #6

Maybe your webhoster offers LetsEncrypt integration already. I mean it doesn’t cost them much to add that.

Also how does an user verify that the file on that webhoster is unmodified and really still what you uploaded?

(G'MIC staff) #7

OK, so finally, it seems the web server is already configured for https connexions.
I’ll simply force the update file to use a https:// address instead of a http:// one.

(Kees Guequierre) #8

Maybe just redirect the whole to

(darix) #9


and if you can HSTS header.

(G'MIC staff) #10

Yes, that is what I’m doing right now.
And it seems to work so far.

Don’t know what this thing is, so please elaborate :slight_smile:

(darix) #11

For apache:

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"

For nginx:

add_header Strict-Transport-Security max-age=15768000;

With this header in the SSL vhost … the client will go directly to the https site for the configured time, if it has been there once.

So even if you type it will load the https site.

(G'MIC staff) #12

Ah ok ok.
Don’t know how I can do this with my hosting service, but I will check.

(darix) #13

One important bit to check when you force the site to https:

links to local and 3rd party resources have to use https as well.

so either always use




The 2nd syntax will reuse the same protocol type as the current page.

(G'MIC staff) #14

Looks like this thing is working too :slight_smile: Thanks !