download updates via HTTPS


(darix) #1

With the rise of Letsencrypt there is no excuse not to anymore. Given that this is basically downloading code that will be executed on the user's computer, this should really come over a secure connection.

@patdavid and I can help you with LE questions. (others probably too)


(David Tschumperlé) #2

Sounds like a good idea.
I’m totally unfamiliar with how these things work actually. What would it imply? How do you see the thing working?


(Kees Guequierre) #3

As you are running Apache on gmic.eu, just use certbot to set up https + letsencrypt. Certbot is included in most distributions.

It should be relatively painless to switch to https.


(David Tschumperlé) #4

I admit I’m using a not-so-expensive external hosting service for gmic.eu, so I cannot tweak the web server as I want.
I’ll see what they offer, and if this service is available in my hosting contract.


(darix) #5

We use dehydrated for discuss.pixls.us.


(darix) #6

Maybe your webhoster offers LetsEncrypt integration already. I mean it doesn’t cost them much to add that.

Also, how does a user verify that the file on that webhoster is unmodified and really still what you uploaded?


(David Tschumperlé) #7

OK, so finally, it seems the web server is already configured for https connections.
I’ll simply force the update file to use an https:// address instead of an http:// one.


(Kees Guequierre) #8

Maybe just redirect the whole http://gmic.eu to https://gmic.eu


(darix) #9

+1

and, if you can, an HSTS header.


(David Tschumperlé) #10

Yes, that is what I’m doing right now.
And it seems to work so far.

Don’t know what this thing is, so please elaborate :slight_smile:


(darix) #11

For apache:

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"

For nginx:

add_header Strict-Transport-Security max-age=15768000;

With this header in the SSL vhost … the client will go directly to the https site for the configured time, if it has been there once.

So even if you type http://gmic.eu/ it will load the https site.
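To make the "remembers for the configured time, once it has been there" behaviour concrete, here is a small added example (not code from the thread or from G'MIC) that parses a Strict-Transport-Security value and models a client's HSTS store: the policy is only accepted from an https:// response, an http:// request to a remembered host is rewritten to https://, and the entry lapses after max-age. The header value is constructed to match the apache/nginx snippets above; the class and function names are my own.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample response header, matching the value the apache/nginx
# snippets above emit (15768000 s = 6 months). Not captured from gmic.eu.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=15768000"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict.
    Returns None when max-age is missing or not a non-negative integer."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsCache:
    """Minimal model of a browser's HSTS store (hypothetical helper): a host seen
    with the header over HTTPS is upgraded to https:// until max-age expires."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._entries = {}       # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Record the policy. Per RFC 6797 the header is ignored on plain-HTTP
        responses, so a downgraded connection cannot plant a policy."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = headers.get("Strict-Transport-Security")
        policy = parse_hsts(value) if value else None
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)          # max-age=0 deletes the entry
        else:
            expires = self._now() + policy["max_age"]
            self._entries[host] = (expires, policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has a live entry."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the client would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("https://gmic.eu/", SAMPLE_HEADERS)
    print(cache.rewrite("http://gmic.eu/"))   # upgraded to https://gmic.eu/
```

The point worth noticing is in observe(): the header only counts when it arrived over https, which is why the directive belongs in the SSL vhost and not in the plain-HTTP one.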


(David Tschumperlé) #12

Ah ok ok.
Don’t know how I can do this with my hosting service, but I will check.


(darix) #13

One important bit to check when you force the site to https:

links to local and 3rd party resources have to use https as well.

So either always use

https://somehost/somepath

or

//somehost/somepath

The 2nd syntax will reuse the same protocol type as the current page.
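An added example (my own code, not from the thread) of the check this post describes: it walks an HTML page served over https, flags every sub-resource reference that still says http://, and shows how a //host/path reference resolves to whichever scheme the current page uses. The sample page and the example.invalid hosts are constructed; the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that load a sub-resource. Once the page itself is https,
# an http:// value in any of these is mixed content and the browser blocks or
# warns on it.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),      # includes stylesheets and icons
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Constructed sample page: one relative, one protocol-relative, one https and
# three plain-http references. Not taken from gmic.eu.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://gmic.eu/style.css">
<script src="//example.invalid/lib.js"></script>
<script src="https://example.invalid/ok.js"></script>
</head><body>
<img src="img/logo.png">
<img src="http://example.invalid/banner.png">
<iframe src="HTTP://example.invalid/frame"></iframe>
</body></html>"""


def resolve_reference(page_url, ref):
    """Resolve a reference the way a browser does: a //host/path reference
    inherits the page's scheme, a relative path inherits scheme and host."""
    return urljoin(page_url, ref)


class MixedContentScanner(HTMLParser):
    """Collects sub-resource references whose scheme is plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # one dict per offending reference

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)          # HTMLParser lowercases names
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self._classify(tag, name, value.strip())

    def _classify(self, tag, attr, value):
        scheme = urlsplit(value).scheme            # urlsplit lowercases the scheme
        if scheme == "http":
            self.findings.append({
                "tag": tag,
                "attr": attr,
                "value": value,
                "resolved": resolve_reference(self.page_url, value),
                # Either of the two forms the post recommends works as a fix;
                # the explicit https:// one is suggested here.
                "fix": "https" + value[4:],
            })


def scan_for_mixed_content(page_url, html):
    """Return the list of http:// sub-resource references found in html,
    assuming the page is served from page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_for_mixed_content("https://gmic.eu/index.html", SAMPLE_HTML):
        print(f"<{f['tag']} {f['attr']}>  {f['value']}  ->  {f['fix']}")
```

Run it against a saved copy of a page after forcing https; an empty result means every embedded resource is already https:// or protocol-relative. Note that protocol-relative references only help once the page itself is https: served over http they resolve to http too, which is why the redirect and this check go together.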


(David Tschumperlé) #14

Looks like this thing is working too :slight_smile: Thanks!