GitHub pages redirect from https to http #289

Open
chbrown opened this Issue Nov 6, 2014 · 14 comments

chbrown commented Nov 6, 2014

GitHub pages (gh-pages) now have partial HTTPS support (see #156), at least on the github.io domain, but this support is not fully integrated into gh-pages servers.

Issue

GitHub's static pages' Varnish servers redirect some https:// URLs to http://

E.g., when the user requests a URL that points to a directory, but does not use a trailing slash (see Example section below)

Solution

The redirect's protocol should match the request's protocol.

Example

I have a gh-pages repository at https://github.com/linguistics/tls (a conference; no relation to Transport Layer Security), and URLs like the following work as expected:

However, when requesting the following URLs, they do not redirect to the page above, but to http://linguistics.github.io/tls/2014tls/

To reproduce

The results above can be confirmed in the browser or on the command line:

$ curl -s -I https://linguistics.github.io/tls/2014tls | grep Location
Location: http://linguistics.github.io/tls/2014tls/

$ curl -s -I https://linguistics.github.com/tls/2014tls/ | grep Location
Location: http://linguistics.github.io/tls/2014tls/

$ curl -s -I https://linguistics.github.com/tls/2014tls | grep Location
Location: http://linguistics.github.io/tls/2014tls

Comments

The *.github.io wildcard certificate, #156, was the hard part (thanks GitHub!). This fix should be easy.

apatrida commented Dec 8, 2014

The redirect also affects when you put a CDN in front of Github pages. One URL error and you end up on the wrong site, and have to build into your pages to redirect back to the CDN in that case. But then it is hard to test on both Github pages and a live CDN at the same time. The redirect should stay on the same domain to add the trailing "/"

chbrown commented Dec 8, 2014

That reminds me that I got a response regarding this issue from "Jamie Murai (GitHub Staff)" on 2014-11-06, which I've pasted below in its entirety:

Hi Chris,

Sorry for the trouble. We don't yet officially support HTTPS on GitHub Pages. While it works in certain situations, we don't recommend relying on it, or promoting your pages using HTTPS URLs.

That said, I'll certainly pass along your feedback to the Pages team.

Cheers,
Jamie

dentarg commented Feb 15, 2015

I also emailed GitHub support about this issue and received the following response 2015-02-03:

Apologies for the delay in replying. We’re looking into the issue, however GitHub Pages does not currently offer HTTPS (SSL) support. While third-party services such as CloudFlare, may in some cases be able to provide that functionality to the end user, at this time, we’re not able to offer support for these configurations.

While HTTPS requests may appear to work, our CDN provider is adding and removing the encryption at their end, and then the request is transmitted over the open internet from our CDN provider to our GitHub Pages infrastructure, creating the appearance of trustability.

This is why we do not yet officially support HTTPS for GitHub Pages. We definitely appreciate the feedback and I’ll add a +1 to this item on our internal Feature Request List.

z3ntu commented Jul 18, 2015

Any news yet?

cben commented Jul 21, 2015

The *.github.com redirects happen for all pages, not just directories:

$ curl -s -I https://linguistics.github.com/tls/2014tls/index.html | grep Location
Location: http://linguistics.github.io/tls/2014tls/index.html

But that's pretty OK, we just shouldn't use the grandfathered .com addresses (they're also slower), use .io everywhere.
The directories on .io redirect is truly a problem.

jjculber added a commit to cryptovillage/cryptovillage.github.io that referenced this issue Aug 18, 2015

talklittle added a commit to talklittle/talklittle.github.com that referenced this issue Jan 14, 2016

RomanGotsiy commented May 16, 2016

It redirects files as well:

$ curl -s -I https://apis-guru.github.io/api-models/api/v1/list.json | grep Location
Location: http://apis.guru/api-models/api/v1/list.json

Does anyone know any workaround for this?

cben commented May 16, 2016

Ouch.
Apparently if you have a CNAME file, github now redirects all github.io to that domain, with http :-(
I'm pretty sure this is new behavior? Don't see anything on github's blog, and wayback machine on help.github.com didn't help.

The only current remedy seems to be removing the CNAME.
(in my case it's a leftover I forgot when I moved the custom domain to heroku/openshift; in any case, it doesn't make much sense to care about https on Pages and prefer a custom domain.)

https://help.github.com/articles/custom-domain-redirects-for-github-pages-sites/ does say it redirects, but apparently talks of a weird scenario where project page redirect involves the owner's user/org page's CNAME(?)
I've sent a lot of questions about that doc to github support, including whether the redirect could be suppressed when accessing github.io via https. Will report here if they answer.

dentarg commented May 17, 2016

> Apparently if you have a CNAME file, github now redirects all github.io to that domain, with http :-(
> I'm pretty sure this is new behavior?

It's not that new, I've seen it at least since beginning of October 2015. (Late October I created this related issue for Jekyll: jekyll/jekyll-redirect-from#81)

cben commented May 19, 2016

Got detailed reply; on https->http they said:

This limitation is something that is on our radar but I can't promise if or when we would implement https for custom domains or change how we manage the redirects.

dentarg commented Jun 14, 2016

As of June 8, 2016 GitHub has finally fixed this, https://github.com/blog/2186-https-for-github-pages :-)

wchargin commented Sep 4, 2017

> GitHub has finally fixed this

Not sure if this is a regression or it was never fully fixed, but I'm still seeing this behavior for directories:

$ curl -sI 'https://wchargin.github.io/posts/managing-dependent-pull-requests' | tee >(head -n 1) >(grep -F Location:) >/dev/null
HTTP/1.1 301 Moved Permanently
Location: http://wchargin.github.io/posts/managing-dependent-pull-requests/

@mastahyeti: You authored the original post (thanks for your work on this issue so far!). Is this a known bug?

z3ntu commented Sep 4, 2017

@wchargin Is the "Enforce HTTPS" checkbox ticked in the repository settings?

wchargin commented Sep 4, 2017

@z3ntu Yes. (It's been on approximately since that feature was released. I just toggled it off and on and it didn't change the result of the above command.)

cben commented Mar 21, 2018

This still happens, both on github.io with Enforce HTTPS on and custom domains with Enforce HTTPS on (the latter are a new thing, possibly still in rollout):

$ curl -IL https://spacem.github.io/dngearsim/builds/index.html
HTTP/2 200
$ curl -IL https://spacem.github.io/dngearsim/builds/
HTTP/2 200 (✔️ no redirect given trailing slash)
$ curl -IL https://spacem.github.io/dngearsim/builds
HTTP/2 301
location: http://spacem.github.io/dngearsim/builds/
HTTP/1.1 301 Moved Permanently
Location: https://spacem.github.io/dngearsim/builds/
HTTP/2 200

$ curl -IL https://github-cben-sandbox.anat-beni.net/figures/index.html
HTTP/2 404 (✔️ I don't have index.html there)
$ curl -IL https://github-cben-sandbox.anat-beni.net/figures/
HTTP/2 404 (✔️ no redirect given trailing slash)
$ curl -IL https://github-cben-sandbox.anat-beni.net/figures
HTTP/2 301
location: http://github-cben-sandbox.anat-beni.net/figures/
HTTP/1.1 301 Moved Permanently
Location: https://github-cben-sandbox.anat-beni.net/figures/
HTTP/2 404

EDIT: I see the same redirects to insecure http:// whether the initial request is over --http2 or --http1.1.

Browsers correctly block such requests as mixed content when originated from https pages. The fix is adding the trailing slash.
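
Added example, not part of the original thread: a shell check that reads the header dump from `curl -sIL` and reports every redirect hop that drops from https:// to http://, which is the plaintext hop the comments above keep finding. The function names `find_downgrades` and `sample_chain` are made up for this example; the sample headers are the ones reported in the Mar 21, 2018 comment.

```shell
#!/bin/sh
# Added example: flag redirect hops that drop from https:// to http://.
# Usage against a live site:  curl -sIL "$url" | find_downgrades "$url"

# find_downgrades START_URL  (header dump on stdin)
# Prints "DOWNGRADE <from> -> <to>" per offending hop; exit status 1 if any.
find_downgrades() {
  awk -v cur="$1" '
    { sub(/\r$/, "") }                       # live curl output ends lines with CRLF
    tolower($1) == "location:" {
      target = $2
      # Relative or scheme-relative target: the scheme cannot change on this hop.
      if (target !~ /^[A-Za-z][A-Za-z0-9+.-]*:/) next
      if (tolower(cur) ~ /^https:/ && tolower(target) ~ /^http:/) {
        printf "DOWNGRADE %s -> %s\n", cur, target
        bad = 1
      }
      cur = target
    }
    END { exit bad + 0 }
  '
}

# Header lines as reported in the Mar 21, 2018 comment for .../dngearsim/builds
sample_chain() {
  cat <<'EOF'
HTTP/2 301
location: http://spacem.github.io/dngearsim/builds/

HTTP/1.1 301 Moved Permanently
Location: https://spacem.github.io/dngearsim/builds/

HTTP/2 200
EOF
}

sample_chain | find_downgrades 'https://spacem.github.io/dngearsim/builds' ||
  echo "chain contains a plaintext hop"
```

The non-zero exit status makes the check usable in a deploy or monitoring script: a chain that ends on https:// still fails if any intermediate hop went over http://.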
