Closed rugk closed 6 years ago
GitHub pages (where editorconfig.org is hosted) doesn't support https for custom domain at the moment. See https://help.github.com/articles/securing-your-github-pages-site-with-https/
It does work (really well) if you use Cloudflare: https://hackernoon.com/set-up-ssl-on-github-pages-with-custom-domains-for-free-a576bdf51bc
That is an interesting solution! Was not aware of that! Not sure who should create the cloudflare account to test/setup this.
I don't think it is a good idea to have two levels of CDNs, which would slow things down. In addition, CloudFlare does not provide a real SSL certificate -- it's all theirs and the point of having an HTTPS website is dismissed.
Yes, Cloudflare is debatable considering their "HTTPS interception built-in" approach. But, no, it won't be slower… (GitHub Pages uses Fastly, BTW, AFAIK)
@rugk The reason for which it would be slower is because we now have two layers of CDNs.
Yeah, but Cloudflare also caches (at least optionally), so you won't notice it.
@treyhunner What do you think?
I tried this on my personal blog some time back and ended up backing out of it due to some Cloudflare limitation and I don't remember what it was. I think it was a mix of some HTTP-only embedded content and the fact that some of my friends' smartphones didn't work with the Cloudflare certificates so my blog started showing security warnings.
My thoughts are that this is not a big priority in my opinion, given that the website is currently just a single page of documentation.
> My thoughts are that this is not a big priority in my opinion, given that the website is currently just a single page of documentation.
:arrow_right: https://doesmysiteneedhttps.com/
See "There's nothing sensitive on my site anyway." there.
Actually Cloudflare should work quite well (they really care about old phones and so on, not sure what your friends experienced, likely either fixed or a different issue) and I hope you do not have many resources embedded on this project site, so… So as for technical issues I think you really don't need to worry about Cloudflare.
@rugk Can you suggest a host which accepts HTTPS hosting and is easily accessible to all developers? As I mentioned before, if we use Cloudflare, the point of using HTTPS is dismissed (no middleman attack). If there is no proper place for such type of hosting for open source projects, perhaps someone should start such a service?
GitLab does have support for https on custom domains, but Let's Encrypt is a bit hard to use for that because you have to copy and paste the certs manually every 90 days.
@ffes I found this: free ssl certificate for open source projects. Do you have any experience with them?
@xuhdev No, that's new to me.
I have contacted GlobalSign and am waiting for their response to grant us a free certificate.
GitHub now allows custom domains to be served under HTTPS!
https://blog.github.com/2018-05-01-github-pages-custom-domains-https/
@xuhdev Any chance to look into this?
As described in the blog post above, the A records need to be changed for HTTPS to work. Once that is done HTTPS should work and then it can be enforced with a checkbox.
@ffes I did not get any response from GlobalSign. No matter what, we need a certificate, don't we?
As @TheSeg mentioned, GitHub pages supports https.
https://blog.github.com/2018-05-01-github-pages-custom-domains-https/
@ffes I see, they are partnering with Let's Encrypt. @treyhunner Can you update the A record? Enforcing HTTPS would still be bad if we use this approach, since lets-encrypt is not widely trusted (yet).
> Enforcing HTTPS would still be bad if we use this approach, since lets-encrypt is not widely trusted (yet).
They are not directly in all root cert stores, but they have a cross-signature from Identrust, which has been available quite some time (years?) before LE even started. That's why you could and can use Let's Encrypt without having to worry about old devices/browsers not being able to access your site.
In any case, TL;DR: Enable HTTPS and force it.
@treyhunner Can you update the A record? Thanks.
@xuhdev just updated the A records. It may take a little while to propagate.
I see the 4 A-records are set as described in https://help.github.com/articles/setting-up-an-apex-domain/
```
$ dig editorconfig.org +noall +answer
; <<>> DiG 9.10.3-P4-Ubuntu <<>> editorconfig.org +noall +answer
;; global options: +cmd
editorconfig.org. 822 IN A 185.199.110.153
editorconfig.org. 822 IN A 185.199.109.153
editorconfig.org. 822 IN A 185.199.111.153
editorconfig.org. 822 IN A 185.199.108.153
```
But https://editorconfig.org/ doesn't work yet. It still gives a certificate error.
Do you need to set a switch somewhere to accomplish that? (I don't see a need for that in the docs)
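The DNS check from the comment above, as an added example that is not part of the original thread: it parses `dig +noall +answer` output and reports whether the apex A record set is exactly the four GitHub Pages addresses shown in that output, which also catches a leftover record from a previous host. The function name `audit_a_records`, the sample variables and the stale address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Expected apex addresses, taken from the dig output quoted in this thread.
EXPECTED_A="185.199.108.153 185.199.109.153 185.199.110.153 185.199.111.153"

# audit_a_records NAME: reads `dig NAME +noall +answer` output on stdin.
# Prints one sorted line per problem ("missing IP" / "unexpected IP") and
# returns non-zero unless the A record set for NAME is exactly EXPECTED_A.
audit_a_records() {
    status=0
    out=$(awk -v name="$1." -v expected="$EXPECTED_A" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        /^;/ || NF < 5 { next }    # skip the dig banner and short lines
        tolower($1) == tolower(name) && $3 == "IN" && $4 == "A" { seen[$5] = 1 }
        END {
            bad = 0
            for (ip in want) if (!(ip in seen)) { print "missing " ip; bad = 1 }
            for (ip in seen) if (!(ip in want)) { print "unexpected " ip; bad = 1 }
            exit bad
        }') || status=$?
    if [ -n "$out" ]; then printf '%s\n' "$out" | sort; fi
    return "$status"
}

# Constructed sample 1: the answer section as quoted in the thread.
SAMPLE_OK='; <<>> DiG 9.10.3-P4-Ubuntu <<>> editorconfig.org +noall +answer
;; global options: +cmd
editorconfig.org. 822 IN A 185.199.110.153
editorconfig.org. 822 IN A 185.199.109.153
editorconfig.org. 822 IN A 185.199.111.153
editorconfig.org. 822 IN A 185.199.108.153'

# Constructed sample 2: one expected record missing and one stale record
# (192.0.2.10 is a documentation address) left over from an older setup.
SAMPLE_STALE=';; global options: +cmd
editorconfig.org. 822 IN A 185.199.110.153
editorconfig.org. 822 IN A 185.199.109.153
editorconfig.org. 822 IN A 185.199.111.153
editorconfig.org. 822 IN A 192.0.2.10'

printf '%s\n' "$SAMPLE_OK" | audit_a_records editorconfig.org \
    && echo "sample 1: A records match"
printf '%s\n' "$SAMPLE_STALE" | audit_a_records editorconfig.org \
    || echo "sample 2: A records need fixing"
```

Against live DNS, pipe the real query into the function: `dig editorconfig.org +noall +answer | audit_a_records editorconfig.org`.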
@ffes Have you set the "Force HTTPS" setting? I had to do that on a different domain hosted on GitHub.
https://help.github.com/articles/securing-your-github-pages-site-with-https/
It says the certificate requires 24 hours to be issued. We simply have to wait.
it works now! 🎉 https://editorconfig.org/ is live! i'll open a quick PR to update a couple of places where http://editorconfig.org is referenced
Done. #92
Done!
It would be nice if http://editorconfig.org/ supports HTTPS.