editorconfig / editorconfig.github.com

Configuration file format for defining coding styles in shared projects
http://editorconfig.org

HTTPS #66

Closed rugk closed 6 years ago

rugk commented 8 years ago

It would be nice if http://editorconfig.org/ supported HTTPS.

ffes commented 8 years ago

GitHub Pages (where editorconfig.org is hosted) doesn't support HTTPS for custom domains at the moment. See https://help.github.com/articles/securing-your-github-pages-site-with-https/

coliff commented 7 years ago

It does work (really well) if you use Cloudflare: https://hackernoon.com/set-up-ssl-on-github-pages-with-custom-domains-for-free-a576bdf51bc

ffes commented 7 years ago

That is an interesting solution! Was not aware of that! Not sure who should create the Cloudflare account to test/set this up.

xuhdev commented 7 years ago

I don't think it is a good idea to have two levels of CDNs, which would slow things down. In addition, CloudFlare does not provide a real SSL certificate -- it's all theirs and the point of having an HTTPS website is dismissed.

rugk commented 7 years ago

Yes, Cloudflare is debatable considering their "HTTPS interception built-in" approach. But, no, it won't be slower… (GitHub Pages uses Fastly, BTW, AFAIK)

xuhdev commented 7 years ago

@rugk The reason for which it would be slower is because we now have two layers of CDNs.

rugk commented 7 years ago

Yeah, but Cloudflare also caches (at least optionally), so you won't notice it.

xuhdev commented 7 years ago

@treyhunner What do you think?

treyhunner commented 7 years ago

I tried this on my personal blog some time back and ended up backing out of it due to some Cloudflare limitation and I don't remember what it was. I think it was a mix of some HTTP-only embedded content and the fact that some of my friends' smartphones didn't work with the Cloudflare certificates, so my blog started showing security warnings.

My thoughts are that this is not a big priority in my opinion, given that the website is currently just a single page of documentation.

rugk commented 7 years ago

> My thoughts are that this is not a big priority in my opinion, given that the website is currently just a single page of documentation.

:arrow_right: https://doesmysiteneedhttps.com/

See "There's nothing sensitive on my site anyway." there.

Actually Cloudflare should work quite well (they really care about old phones and so on, not sure what your friends experienced, likely either fixed or a different issue) and I hope you don't have many resources embedded on this project site, so… So as for technical issues I think you really don't need to be worried about Cloudflare.

xuhdev commented 6 years ago

@rugk Can you suggest a host which accepts HTTPS hosting and is easily accessible to all developers? As I mentioned before, if we use CloudFlare, the point of using HTTPS is dismissed (no middleman attack). If there is no proper place for such type of hosting for open source projects, perhaps someone should start such a service?

ffes commented 6 years ago

GitLab does have support for HTTPS on custom domains, but Let's Encrypt is a bit hard to use for that because you have to copy and paste the certs manually every 90 days.

xuhdev commented 6 years ago

@ffes I found this: free ssl certificate for open source projects. Do you have any experience with them?

ffes commented 6 years ago

@xuhdev No, that's new to me.

xuhdev commented 6 years ago

I have contacted GlobalSign and am waiting for their response to grant us a free certificate.

TheSeg commented 6 years ago

GitHub now allows custom domains to be served under HTTPS!

https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

ffes commented 6 years ago

@xuhdev Any chance to look into this?

As described in the blog post above, the A records need to be changed for HTTPS to work. Once that is done, HTTPS should work and then it can be enforced with a checkbox.

xuhdev commented 6 years ago

@ffes I did not get any response from GlobalSign. No matter what, we need a certificate, don't we?

ffes commented 6 years ago

As @TheSeg mentioned, GitHub Pages supports HTTPS.

https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

xuhdev commented 6 years ago

@ffes I see, they are partnering with Let's Encrypt. @treyhunner Can you update the A record? Enforcing HTTPS would still be bad if we use this approach, since Let's Encrypt is not widely trusted (yet).

rugk commented 6 years ago

> Enforcing HTTPS would still be bad if we use this approach, since lets-encrypt is not widely trusted (yet).

They are not directly in all root cert stores, but they have a cross-signature from Identrust, which has been available quite some time (years?) before LE even started. That's why you could and can use Let's Encrypt without having to worry about old devices/browsers not being able to access your site.

In any case, TL;DR: Enable HTTPS and force it.

xuhdev commented 6 years ago

@treyhunner Can you update the A record? Thanks.

treyhunner commented 6 years ago

@xuhdev just updated the A records. It may take a little while to propagate.

ffes commented 6 years ago

I see the 4 A-records are set as described in https://help.github.com/articles/setting-up-an-apex-domain/

$ dig editorconfig.org +noall +answer

; <<>> DiG 9.10.3-P4-Ubuntu <<>> editorconfig.org +noall +answer
;; global options: +cmd
editorconfig.org.       822     IN      A       185.199.110.153
editorconfig.org.       822     IN      A       185.199.109.153
editorconfig.org.       822     IN      A       185.199.111.153
editorconfig.org.       822     IN      A       185.199.108.153

But https://editorconfig.org/ doesn't work yet. It still gives a certificate error.

Do you need to set a switch somewhere to accomplish that? (I don't see a need for that in the docs)
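The record check in the comment above can be scripted. This is an added example, not part of the original thread or of the EditorConfig project: the function name `check_apex_records` and the second sample are constructed here, and the expected addresses are the four shown in the dig output above.

```shell
#!/bin/sh
# Expected A records: the four addresses from the dig output in the thread.
EXPECTED="185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153"

# check_apex_records DOMAIN  (hypothetical helper)
# Reads `dig DOMAIN +noall +answer` output on stdin. Prints "ok" on an exact
# match, otherwise one "missing:<ip>" or "unexpected:<ip>" line per problem.
# Returns 0 only when the A record set equals EXPECTED.
check_apex_records() {
    domain="${1%.}."
    # Keep A records for the domain only; skip dig's ';' comment lines.
    got=$(awk -v d="$domain" \
        '!/^;/ && tolower($1) == tolower(d) && $3 == "IN" && $4 == "A" { print $5 }' \
        | sort -u)
    status=0
    for ip in $EXPECTED; do
        printf '%s\n' "$got" | grep -qxF "$ip" || { echo "missing:$ip"; status=1; }
    done
    for ip in $got; do
        printf '%s\n' "$EXPECTED" | grep -qxF "$ip" || { echo "unexpected:$ip"; status=1; }
    done
    if [ "$status" -eq 0 ]; then echo "ok"; fi
    return "$status"
}

# Sample copied from the dig output posted in the thread.
SAMPLE_GOOD='; <<>> DiG 9.10.3-P4-Ubuntu <<>> editorconfig.org +noall +answer
;; global options: +cmd
editorconfig.org.       822     IN      A       185.199.110.153
editorconfig.org.       822     IN      A       185.199.109.153
editorconfig.org.       822     IN      A       185.199.111.153
editorconfig.org.       822     IN      A       185.199.108.153'

# Constructed sample: an old record (documentation-range address) left behind.
SAMPLE_STALE='editorconfig.org. 300 IN A 185.199.108.153
editorconfig.org. 300 IN A 192.0.2.10'

# Offline demonstration; against live DNS the input would come from:
#   dig editorconfig.org +noall +answer | check_apex_records editorconfig.org
printf '%s\n' "$SAMPLE_GOOD" | check_apex_records editorconfig.org
```

A leftover or missing record shows up by name in the output, which is quicker to act on than comparing four addresses by eye while waiting for DNS to propagate.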

TheSeg commented 6 years ago

@ffes Have you set the "Force HTTPS" setting? I had to do that on a different domain hosted on GitHub.

https://help.github.com/articles/securing-your-github-pages-site-with-https/

xuhdev commented 6 years ago

It says the certificate requires 24 hours to be issued. We simply have to wait.

coliff commented 6 years ago

It works now! 🎉 https://editorconfig.org/ is live! I'll open a quick PR to update a couple of places where http://editorconfig.org is referenced.

coliff commented 6 years ago

Done. #92

xuhdev commented 6 years ago

Done!