Dev: Use different domains for development, since `readthedocs.io` is HSTS and redirects to HTTPS

readthedocs / readthedocs.org

The source code that powers readthedocs.org

https://readthedocs.org/

MIT License

8.05k stars 3.59k forks source link

Dev: Use different domains for development, since `readthedocs.io` is HSTS and redirects to HTTPS #9310

Closed ericholscher closed 2 years ago

ericholscher commented 2 years ago

We currently are using similar domains as in production for local development. docs.dev.readthedocs.io:8000 for example, but because we've added readthedocs.io to HSTS lists, browsers generally won't let you load the domain with a non-SSL request. This causes weird development issues.

We are currently using a few different domains in dev:

dev.readthedocs.org
dev.readthedocs.io
dev.readthedocs.build

This is to match our production setup, but we'll need to discuss a bit more what we want to use. A couple options we have are:

readthedocs.net
verbthenouns.com & verbthenouns.org
rtfd.org & rtfd.io

We could also register a specific set of domains for this if we wanted to try and keep matching the TLD's, but not have the HSTS issues. (eg devthedocs.org/io/build).

Implementation

This change would require an update in a few places:

Docker dev configuration nginx & settings
Documentation for dev setup
DNS to point to 127.0.0.1 on dev.$domain

davidfischer commented 2 years ago

Just a couple notes:

readthedocs.io has the HSTS header set (strict-transport-security: max-age=31536000; includeSubDomains; preload). Despite the preload directive, it is not preloaded (https://hstspreload.org/).
When selecting a "dev domain", make sure the domain isn't preloaded. Some TLDs like .dev and .app require HTTPS for the whole domain. They're preloaded.
.readthedocs.io is a public suffix (https://publicsuffix.org/). This means some browsers apply isolation since they understand that subdomain1.domain.tld is probably run by a different entity than subdomain2.domain.tld.

I think dev.readthedocs.net and dev.readthedocs.build are great choices. I would advise against using rtfd.org or rtfd.io as these are used for production redirects.

humitos commented 2 years ago

I think dev.readthedocs.net and dev.readthedocs.build are great choices. I would advise against using rtfd.org or rtfd.io as these are used for production redirects.

dev.readthedocs.net looks good to me. However, readthedocs.build is used in production for the external versions, so I think we shouldn't use that one.

ericholscher commented 2 years ago

I've gone ahead and registered:

devthedocs.com
devthedocs.org

I think we should be able to make these work, and just keep all the dev work on the same domain. I'd propose matching production as much as possible. I've also setup the DNS to point all requests to 127.0.0.1. I've put together a basic PR that swaps things over.

I'm going to unassign myself from this card since it's not blocked on me anymore, and remove it from a sprint since it's a "nice to have" medium-term feature if anyone wants to jump on finishing it.

humitos commented 2 years ago

I understand this is already done. @ericholscher Is any actionable missing here?

stsewd commented 2 years ago

I think we are missing changing the readthedocs-corporate repo.

agjohnson commented 2 years ago

Bumping this up to our next sprint so we don't have configuration disparity between community/commercial.