notshi / d-preview

Generate a private d-preview site with IATI xml.
http://d-preview.codeforiati.org

SSL #16

Open notshi opened 3 years ago

notshi commented 3 years ago

https://letsencrypt.org/docs/faq/#does-let-s-encrypt-issue-wildcard-certificates

notshi commented 3 years ago

Looks like we'll need access to the DNS settings for this to work so it'll be something we'll need to coordinate with @andylolz?

andylolz commented 3 years ago

Sure yes, let me know what you need

stevieflow commented 1 month ago

Hi @notshi @xriss could we now resolve this by moving d-preview to be a sub-domain of https://d-portal.org/ - so preview.d-portal.org ?

Thanks

xriss commented 1 month ago

Moving to d-portal.org doesn't change anything; we still have the same problem on subdomains (e.g. https://test.d-portal.org does not have a cert).

Maybe it is best if I stop using randomly generated subdomains, since at least Let's Encrypt has auto-updates and no possibility of expiring from forgetting to pay/update, even if we did get a wildcard cert.

stevieflow commented 1 month ago

Thanks @xriss

OK - let's move to d-portal.org first.

From https://github.com/notshi/d-preview/issues/16#issuecomment-788002910

https://letsencrypt.org/docs/faq/#does-let-s-encrypt-issue-wildcard-certificates

I thought that we could encrypt subdomains (at least in terms of where the code4iati domain was hosted)?

xriss commented 1 month ago

Sure, we can move. Since it's quite a small bandwidth cost, I think I can do it by proxying from the d-portal nginx without having to mess with any more DNS settings. Let me see how that goes...

The problem here isn't subdomains; it is auto-generated unique subdomains for every uploaded file. This works great with HTTP, but HTTPS has "security" reasons for not allowing you to automate this: basically it puts hurdles in the way, and even if you pass them they represent things that can easily go wrong in the future, so I would rather avoid them than deal with them.
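The two layouts being weighed above, side by side, as an added example (not d-portal's or d-preview's own configuration). The first block is the per-upload subdomain approach: every `<hash>.preview.d-portal.org` name is covered only by a wildcard certificate, which Let's Encrypt issues solely through the DNS-01 challenge and therefore needs automated access to the DNS zone at each renewal. The second block is the path approach: previews live under `https://d-portal.org/preview/<hash>/`, nginx proxies that path to the d-preview process, and the existing single-name certificate for `d-portal.org` covers everything. The certificate paths and the upstream port 8080 are assumptions.

```nginx
# Option A (assumed layout): one subdomain per uploaded file.
# Needs a wildcard cert for *.preview.d-portal.org, which Let's Encrypt
# only issues via the DNS-01 challenge, so renewal depends on DNS API access.
server {
    listen 443 ssl;
    server_name ~^(?<hash>[a-z0-9]+)\.preview\.d-portal\.org$;

    ssl_certificate     /etc/letsencrypt/live/preview.d-portal.org/fullchain.pem;  # wildcard, assumed path
    ssl_certificate_key /etc/letsencrypt/live/preview.d-portal.org/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080/$hash/;   # upstream port is an assumption
        proxy_set_header Host $host;
    }
}

# Option B (assumed layout): hash as the first path segment under d-portal.org.
# Covered by the ordinary d-portal.org certificate; no DNS changes per upload.
server {
    listen 443 ssl;
    server_name d-portal.org;

    ssl_certificate     /etc/letsencrypt/live/d-portal.org/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/d-portal.org/privkey.pem;

    # Everything under /preview/ is forwarded to the d-preview process;
    # the trailing slash on proxy_pass strips the /preview/ prefix.
    location /preview/ {
        proxy_pass http://127.0.0.1:8080/;   # upstream port is an assumption
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With option B the application must generate every internal link relative to its own `/preview/<hash>/` directory, because a root-relative link such as `/css/style.css` now resolves against `d-portal.org` itself rather than the preview.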

stevieflow commented 1 month ago

@xriss ah ok - got it

Would things be any less "guessable" or scalable if the hash were after the domain, instead of a sub-domain?

xriss commented 1 month ago

Oh, the security is nothing to do with us; the reason wildcard domains are so difficult is not for our benefit, it is a browser security thing, presumably to stop us from setting up phishing domains.

I think the hash as the first directory already works, but when doing it this way round it is easy to accidentally have links out of this sandbox and up into the root of the domain. I need to go through all the code and make sure that never happens before we can reliably use it.
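One way to catch the escaping links described above before they ship, as an added example that is not d-preview's own code: resolve every `href`, `src` and `action` in a generated preview page against its `/<hash>/` directory and flag (and rewrite) any that land outside it. The hash, the sample HTML and the `preview.invalid` origin used for resolution are constructed for the example; root-relative links and `..` sequences that climb above the prefix are both caught.

```javascript
// Added example, not d-preview's own code. Audits a preview page served under
// a per-upload path prefix (/<hash>/) and rewrites any link that would resolve
// above that prefix, i.e. up into the root of the domain.

const LINK_ATTR_RE = /\b(href|src|action)\s*=\s*(["'])([^"']*)\2/gi;
const ORIGIN = 'https://preview.invalid'; // placeholder origin, only used for URL resolution

// Work out where one link lands relative to the sandbox prefix.
function classifyLink(raw, prefix, pagePath) {
  const url = raw.trim();
  if (url === '' || url.startsWith('#')) return { kind: 'fragment' };
  // A scheme (https:, mailto:, javascript:, ...) or protocol-relative // leaves
  // the site entirely; report it, but it is not a sandbox-escape problem.
  if (/^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith('//')) return { kind: 'external' };
  const base = new URL(prefix + pagePath, ORIGIN);
  const resolved = new URL(url, base);           // applies ./ and ../ exactly as a browser would
  const inside = resolved.pathname.startsWith(prefix); // prefix ends in '/', so /<hash>x/ cannot match
  return {
    kind: inside ? 'inside' : 'escapes',
    resolvedPath: resolved.pathname + resolved.search + resolved.hash,
  };
}

// Rewrite escaping links back under the prefix and return a report of every link seen.
function auditPreview(html, hash, pagePath = 'index.html') {
  if (!/^[A-Za-z0-9_-]+$/.test(hash)) throw new Error('unexpected hash format');
  const prefix = `/${hash}/`;
  const report = [];
  const rewritten = html.replace(LINK_ATTR_RE, (match, attr, quote, raw) => {
    const info = classifyLink(raw, prefix, pagePath);
    const entry = { attr: attr.toLowerCase(), url: raw, kind: info.kind };
    if (info.kind === 'escapes') {
      // resolvedPath starts with '/', so dropping it re-roots the link inside the sandbox.
      entry.rewrittenTo = prefix + info.resolvedPath.slice(1);
      report.push(entry);
      return `${attr}=${quote}${entry.rewrittenTo}${quote}`;
    }
    report.push(entry);
    return match;
  });
  return { html: rewritten, report };
}

// Constructed sample page: two links escape via root-relative paths, one via ../..
const SAMPLE_HASH = 'a1b2c3d4';
const SAMPLE_HTML = [
  '<link rel="stylesheet" href="/css/style.css">',
  '<a href="activity.html">Activity</a>',
  '<a href="../../admin">Climbs out</a>',
  '<img src="https://example.org/logo.png">',
  '<a href="#top">Top</a>',
  '<form action="/search">',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const { html, report } = auditPreview(SAMPLE_HTML, SAMPLE_HASH);
  console.log(html);
  console.table(report.filter((r) => r.kind === 'escapes'));
}
```

Run this over every page the generator emits (or hook it into the build) and treat any `escapes` entry as a bug to fix at the source; the rewrite is a safety net, not a substitute for generating relative links in the first place.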