MISC-21: Move projects. to HTTPS



Issue Information

Issue Type: Task
 
Priority: Major
Status: Closed

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: Miscellaneous (MISC)
Resolution: Done (2017-07-06 15:12:37)
Affects Version: HTTPS All the Things
Target version: HTTPS All the Things
Labels: HTTPS

Created: 2017-07-06 10:34:40


Description
This has been on hold for quite some time due to being blocked by a few things (I'm sure there was an earlier JIRA issue for it, but I can't seem to find it).

Initial blockers were/are

- BUGGER not playing well with HTTPS (effectively resolved under BUGGER-1)
- HTTP Transparent proxy detection scripts need HTTP not HTTPS
- Projectsstatic is currently http only



Issue Links

CCtrl 148

Activity


The solution I've fallen back on with the transparent proxy detection stuff is just to set up a new subdomain dedicated to those. That'll be HTTP only.

Can then set up a redirect so that any uses of the old URL will just redirect to the HTTP version.

In the interim though, I just won't redirect that location to HTTPS

I configured the LetsEncrypt master to grab a cert for projects.bentasker.co.uk back in May, so it's already available across the edge, will just need to configure the CDN to actually serve that domain via HTTPS.

Will also need to set up HTTPS for projectsstatic. Not much can be done about any existing links, but it should at least ensure that all new links are HTTPS.
Commit 1cfa45f in domains.d enables HTTPS delivery for projects.bentasker.co.uk. Need to give that time to propagate across the edge before I can think about setting up the redirect.
-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 - Configure HTTPS delivery for projects.bentasker.co.uk
-------------------------


Repo: domains.d
Host:astria

commit 1cfa45f3382c45944c5647e06a39b76f0d55bfd1
Author: root <root@astria>
Date: Thu Jul 6 10:54:49 2017 +0100

Commit Message: MISC-21 - Configure HTTPS delivery for projects.bentasker.co.uk

projects.bentasker.co.uk.conf | 76 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 76 insertions(+)



-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 Enable LEMaster location block
-------------------------


Repo: domains.d
Host:astria

commit e246f569bfa45ea7f9a5bdd5cd57b90f22263a14
Author: root <root@astria>
Date: Thu Jul 6 10:56:49 2017 +0100

Commit Message: MISC-21 Enable LEMaster location block

projects.bentasker.co.uk.conf | 8 ++++++++
1 file changed, 8 insertions(+)



In the meantime, have generated a LetsEncrypt cert for projectsstatic, just need to wait for it to propagate out so that I can deploy the initial config.
-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 - Redirect http to https for projects.bentasker.co.uk
 - We don't redirect the LEMaster block (currently, will later,
 as LE supports it)
 - We also don't redirect the Transparent Proxy checker location. This is an
 interim measure until it's been moved onto a dedicated subdomain.
 The side effect of these is that we cannot yet enable HSTS
-------------------------


Repo: domains.d
Host:astria

commit 1f6338e5ac17b9bef889767d6b24ce7d8ba0d9ab
Author: root <root@astria>
Date: Thu Jul 6 11:18:14 2017 +0100

Commit Message: MISC-21 - Redirect http to https for projects.bentasker.co.uk

- We don't redirect the LEMaster block (currently, will later, as LE supports it)
- We also don't redirect the Transparent Proxy checker location. This is an interim measure until it's been moved onto a dedicated subdomain.

The side effect of these is that we cannot yet enable HSTS

projects.bentasker.co.uk.conf | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)



-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 Enable HTTPS for projectsstatic
 Also corrects a naming inconsistency on the config file (missing .conf)
-------------------------


Repo: domains.d
Host:astria

commit ea5a2d659cc0b1a15a111dfaeb36595eb910e869
Author: root <root@astria>
Date: Thu Jul 6 12:36:54 2017 +0100

Commit Message: MISC-21 Enable HTTPS for projectsstatic

Also corrects a naming inconsistency on the config file (missing .conf)

projectsstatic.bentasker.co.uk | 39 ----------------
projectsstatic.bentasker.co.uk.conf | 89 +++++++++++++++++++++++++++++++++++++
2 files changed, 89 insertions(+), 39 deletions(-)



Got sidetracked, but the config has now had time to propagate around the CDN.

http://projects.bentasker.co.uk now redirects to https (with the exception of the transparent proxy check, and the LetsEncrypt requests)

Will add the redirect for projectsstatic now
Also need to update the routing to require protocol https for any resolution requests for those domains.... done
-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 redirect http to https for projectsstatic
-------------------------


Repo: domains.d
Host:astria

commit 5c51edb38ac90884aaf1c515c075b66143965bb6
Author: root <root@astria>
Date: Thu Jul 6 14:31:44 2017 +0100

Commit Message: MISC-21 redirect http to https for projectsstatic

projectsstatic.bentasker.co.uk.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)



So the next thing to think about is moving the transparent proxy detection stuff to a new subdomain so that HSTS can be added to projects and projectsstatic (particularly important given the number of inbound links pointing at http: urls)
OK, I've created tpcheck.bentasker.co.uk and made the script the root of that subdomain. DNS has been updated, so just need to add a redirect to the projects config.

Makes sense to enable HSTS at the same time.
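
The constraint running through this issue (an HTTP-only check cannot live on a host that sends HSTS) can be checked mechanically. The following is an added Python example, not part of the original issue or the domains.d config; the header values and the check path are constructed placeholders, and the parent-domain scenario goes beyond what the issue describes.

```python
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

def covered_by(host, policy_host, header):
    """True if a browser that stored policy_host's header would force HTTPS for host."""
    max_age, include_sub = parse_hsts(header)
    if max_age == 0:  # max-age=0 makes the browser drop the policy
        return False
    host, policy_host = host.lower().rstrip("."), policy_host.lower().rstrip(".")
    return host == policy_host or (include_sub and host.endswith("." + policy_host))

def http_only_conflicts(policies, http_only_urls):
    """List (url, policy_host) pairs where an HTTP-only URL sits under an HSTS policy."""
    return [(url, policy_host)
            for url in http_only_urls
            for policy_host, header in policies.items()
            if covered_by(urlsplit(url).hostname, policy_host, header)]

# Constructed inputs: the header value and the check path are placeholders.
HSTS = "max-age=31536000"
INTERIM = ["http://projects.bentasker.co.uk/TP-CHECK-PATH-PLACEHOLDER"]
MOVED = ["http://tpcheck.bentasker.co.uk/"]

def scenarios():
    return {
        # HSTS on projects while the check still lives there: the check breaks
        "interim": http_only_conflicts({"projects.bentasker.co.uk": HSTS}, INTERIM),
        # check moved to its own subdomain: projects/projectsstatic can send HSTS
        "moved": http_only_conflicts({"projects.bentasker.co.uk": HSTS,
                                      "projectsstatic.bentasker.co.uk": HSTS}, MOVED),
        # a parent-domain policy with includeSubDomains would cover tpcheck again
        "parent": http_only_conflicts(
            {"bentasker.co.uk": HSTS + "; includeSubDomains"}, MOVED),
    }

if __name__ == "__main__":
    for name, found in scenarios().items():
        print(name, found or "no conflict")
```
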
-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 create record for tpcheck.bentasker.co.uk
-------------------------


Repo: chaos_dns
Host:hiyori

commit 3c219df46f945c19c0edd08891708c93f71e0789
Author: root <root@<Domain Hidden>>
Date: Thu Jul 6 15:05:48 2017 +0100

Commit Message: MISC-21 create record for tpcheck.bentasker.co.uk

bentasker.co.uk.zone | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)



HSTS has been enabled, so that should be pretty much everything done on this issue now. At least until something breaks :)
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'
-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 Enable HTTP Strict Transport Security for projects and
 projectsstatic
-------------------------


Repo: domains.d
Host:astria

commit d3bc8add261e3e5491e2df3f0d7f901f5f572a23
Author: root <root@astria>
Date: Thu Jul 6 15:21:54 2017 +0100

Commit Message: MISC-21 Enable HTTP Strict Transport Security for projects and projectsstatic

projects.bentasker.co.uk.conf | 3 +++
projectsstatic.bentasker.co.uk.conf | 1 +
2 files changed, 4 insertions(+)



-------------------------
From: git@<Domain Hidden>
To: jira@<Domain Hidden>
Date: None
Subject: MISC-21 redirect TP check script to new dedicated domain
-------------------------


Repo: domains.d
Host:astria

commit 2d3d1e07d62681b7938d4b558c71768fd099293f
Author: root <root@astria>
Date: Thu Jul 6 15:18:59 2017 +0100

Commit Message: MISC-21 redirect TP check script to new dedicated domain

projects.bentasker.co.uk.conf | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

