Closed IBwWG closed 7 years ago
The official home page is https://mithril.js.org, but it exhibits the same issue. This is due to the fact that these are just forwarding requests to GitHub pages, which are served with the GH certificate.
I think the project would need dedicated hosting to serve an appropriate cert.
Another option might be using a CDN that serves site contents with HTTPS; for instance, CloudFlare.
GitHub recently started enforcing TLS on GitHub Pages, so I would assume there should be some kind of working configuration to support custom domains already (but couldn't find one with a quick google). Some DNS providers have a "github forward" setting for domains, but I can't recall what exactly it did. IIRC that worked with TLS, but at the time there wasn't a reliable way to force https connections which would have been the only issue to me at the time.
AFAIK, since you're forwarding to GH, you run into a similar issue for the Cloudflare => GitHub link that still must be in clear, while you give the users the illusion that data integrity is guaranteed...
Is there a way to set up GitHub pages with a custom domain and a CloudFlare proxy with guaranteed end-to-end encryption?
Edit, I missed @orbitbot's reply, apparently it might be possible...
Actually, working through a site setup right now, it seems that GH cannot enforce TLS with a custom domain. I was not able to avoid the certificate issue with A records, and unfortunately don't have access to a DNS provider that would support ALIAS or ANAME configs right now. Might still be possible with the latter approaches, but I can't confirm.
I do not have any issues adding a domain name to Cloudflare, adding the two A-records and enforcing TLS using HSTS.
https://www.ssllabs.com/ssltest/analyze.html?d=websectools.com&hideResults=on&latest
And preloading does also work ;-)
https://hstspreload.org/?domain=websectools.com
So you need at least a proxy for the TLS certificate and HSTS. But it works without any issues.
Some resources: https://blog.keanulee.com/2014/10/11/setting-up-ssl-on-github-pages.html https://sheharyar.me/blog/free-ssl-for-github-pages-with-custom-domains/
A working HSTS setting (and possibly HPKP if you want more security and also CAA) should be enough for this.
Quoting the first post:
Drawbacks
It’s important to note that this setup is not fully secure - the connection between CloudFlare and GitHub pages is not secured. Since GitHub doesn’t have a SSL certificate for your domain, Full SSL is not possible with a custom domain. However, this setup does provide some protection for your users (e.g. from the hacker on the same unsecured Wi-Fi network), and it allows your site to behave as if it has SSL (e.g. for web crawlers, APIs).
You will be baked, and then there will be cake...
CloudFlare should support talking to a *.github.io domain over HTTPS though, right? Those have valid HTTPS certs, see https://tivac.github.io/
IIRC you can't map https://project.com to https://user.github.io/project through Cloudflare. That was my conclusion maybe two years ago when I looked into the problem, but I may be wrong.
Is it really an issue if the connection between GitHub and Cloudflare is not fully secured? Fact is, the bad certificate warning is gone after this and the website is also available over https. For better security and full transport encryption use own hosting and git pull from the repo using webhooks.
Closing, since this issue has not been updated in over a month, and typically, issues inactive for that long do not usually produce any action. If you feel something in Mithril needs added or changed, please file a new issue.
Well, if someone ever does want to take this up again, @pygy I just happened across an article that may address mapping apex domains through Cloudflare: https://www.toptal.com/github/unlimited-scale-web-hosting-github-pages-cloudflare#find-wise-software-architect-experts
This is fixed, turns out it was a simple config change necessary on the js.org side, https://github.com/js-org/dns.js.org/pull/1150
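The certificate error discussed in this thread comes down to hostname matching: a certificate issued for the host's own names does not cover a custom domain pointed at it. The sketch below is an added example, not code from the thread or from the Mithril project; it applies RFC 6125 style matching to constructed SAN lists, and the contents of those lists are assumptions based on the `*.github.io` certificates mentioned above.

```python
"""Added example: why a host's own certificate fails for a custom domain."""

# Constructed SAN lists (assumptions, not read from any real certificate).
PAGES_SHARED_SANS = ["*.github.io", "github.io"]
CUSTOM_DOMAIN_SANS = ["mithril.js.org"]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h) or "" in h:
        return False
    # Wildcards are only honoured as the complete leftmost label.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.io".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards like "f*o.example.org" are rejected
    return p == h


def cert_covers(san_list, hostname: str) -> bool:
    """True if any SAN entry in the certificate covers the hostname."""
    return any(san_matches(entry, hostname) for entry in san_list)


def explain(hostname: str, san_list) -> str:
    """Readable verdict, similar in spirit to a browser's mismatch error."""
    if cert_covers(san_list, hostname):
        return f"{hostname}: OK"
    return f"{hostname}: MISMATCH, certificate only names {', '.join(san_list)}"


if __name__ == "__main__":
    for host in ("tivac.github.io", "mithril.js.org"):
        print(explain(host, PAGES_SHARED_SANS))
    print(explain("mithril.js.org", CUSTOM_DOMAIN_SANS))
```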
Description:
Attempting to connect via HTTPS to the main mithril site gives an error.
Steps to Reproduce:
Go to https://mithriljs.org/
Expected:
see the site
Actual: