HTTP->HTTPS 302 redirect missing #21

Open
kees opened this issue Jul 6, 2020 · 4 comments

Comments

kees commented Jul 6, 2020

That's right, good catch. A simple way to reproduce the issue is with curl:

$ curl -I http://kernelci.org
HTTP/1.1 200 OK
Server: nginx

This should return a 302 instead to redirect to the HTTPS URL. I believe most browsers already do that by themselves, by checking if there is an HTTPS URL available, since I've never seen the issue on Firefox or Chromium.

I believe this needs to be fixed in https://github.com/kernelci/kernelci-frontend-config where the nginx config files are.

Originally posted by @gctucker in kernelci/kernelci-frontend#120 (comment)

@gctucker (Contributor)

Actually, I know why we have this problem: the nginx config was changed to allow HTTP for Let's Encrypt certificate renewal. certbot needs to access a plain HTTP location to verify the domain name. So the fix for that is to redirect everything to HTTPS except the specific URL used for certbot, so just a bit of nginx config magic.

kees (Author) commented Jul 15, 2020

I think something like this should work? (untested)

server {
    listen  80;
    server_name     kernelci.org;
    server_tokens   off;

    # Document root where certbot writes the HTTP-01 challenge files
    root /var/www/letsencrypt;

    # Serve ACME challenge files over plain HTTP; a missing file is a 404,
    # never a redirect, so certbot validation keeps working
    location /.well-known {
        try_files $uri $uri/ =404;
    }

    # Everything else is sent to HTTPS, preserving host and request URI
    location / {
        return 302 https://$host$request_uri;
    }
}

@inakimalerba

@kees' solution works, and it's what I used to use on my servers before switching to DNS-01.

DNS-01 is a way simpler and better method to renew the certificates, as it doesn't need to accept HTTP traffic at all.
https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

gctucker (Contributor) commented Oct 12, 2020

Thanks, using this now on staging based on @kees' solution:

server {
    # Plain HTTP on all IPv4 and IPv6 addresses (default port 80)
    listen *;
    listen [::];
    server_name api.staging.kernelci.org;

    # ACME challenge files live in a per-host directory and are served
    # directly; anything missing is a 404 rather than a redirect
    location /.well-known {
        root /usr/share/nginx/html/$host/;
        try_files $uri $uri/ =404;
    }

    # Everything else gets a permanent redirect to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

We should get it merged in the Ansible config for all hosts and deployed on production in the next update.

Thanks also @inakimalerba for the tip, we'll also take a look to see if we can simplify the cert renewal process.
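The `curl -I` check quoted at the top of the thread, turned into a script that verifies both halves of the fix discussed here: plain HTTP must answer with a redirect to the same host and path on HTTPS, while the ACME HTTP-01 path must still be served directly so certbot renewal keeps working. This is an added example, not code from the issue or from kernelci-frontend-config; the hostnames, paths and all sample responses are constructed for the demo, and the `check_live` wrapper is the only part that touches the network.

```shell
#!/bin/sh
# Added example (not from the kernelci issue or repo): verify an HTTP->HTTPS
# redirect from the raw output of `curl -sI`.
#
#   check_https_redirect HOST PATH  < raw response  -> 0 if redirected to https://HOST/PATH
#   check_acme_passthrough          < raw response  -> 0 if the HTTP-01 path is served directly
#
# Live use (needs network):  check_live kernelci.org /
# Hostnames, paths and sample responses below are constructed, not captured.

# Status code from the first line of a raw HTTP response ("HTTP/1.1 301 ..." -> 301).
http_status() {
    tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'
}

# Value of the Location header (header name matched case-insensitively), first one only.
http_location() {
    tr -d '\r' | sed -n 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:blank:]]*//p' | head -n 1
}

# The plain-HTTP answer must be a redirect whose target is exactly
# https://HOST/PATH: same host (catches a reflected Host header or a typo in
# the nginx `return` line) and the original request URI preserved.
check_https_redirect() {
    host=$1
    path=$2
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | http_status)
    loc=$(printf '%s\n' "$resp" | http_location)
    case "$status" in
        301|302|307|308) ;;
        *)  echo "FAIL http://$host$path: status '${status:-none}', expected a redirect"
            return 1 ;;
    esac
    if [ "$loc" != "https://$host$path" ]; then
        echo "FAIL http://$host$path: Location '$loc', expected https://$host$path"
        return 1
    fi
    echo "OK   http://$host$path -> $loc ($status)"
}

# The ACME HTTP-01 path must be served directly: 200 while a challenge is
# live, 404 when no challenge file exists, but never a redirect, or certbot's
# validation breaks (the reason plain HTTP was left open in the first place).
check_acme_passthrough() {
    status=$(http_status)
    case "$status" in
        200|404) echo "OK   /.well-known/acme-challenge/ served directly ($status)" ;;
        *)       echo "FAIL /.well-known/acme-challenge/: status '${status:-none}', expected 200 or 404"
                 return 1 ;;
    esac
}

# Network wrapper: check_live HOST PATH (uses HEAD, like `curl -I` in the thread).
check_live() {
    curl -sI --max-time 10 "http://$1$2" | check_https_redirect "$1" "$2"
}

# Constructed sample responses. sample_before mirrors the output quoted in the
# issue; the others are what the proposed nginx config is expected to produce.
sample_before()     { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'; }
sample_after()      { printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://kernelci.org/foo?x=1\r\n\r\n'; }
sample_wrong_host() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://other.example/foo?x=1\r\n\r\n'; }
sample_acme()       { printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n'; }

# demo: 0 when the fixed responses pass and the broken ones are reported as failures.
demo() {
    sample_after | check_https_redirect kernelci.org '/foo?x=1' || return 1
    sample_acme  | check_acme_passthrough                        || return 1
    if sample_before | check_https_redirect kernelci.org /; then
        return 1    # the unfixed server (plain 200) must fail the check
    fi
    if sample_wrong_host | check_https_redirect kernelci.org '/foo?x=1'; then
        return 1    # a redirect to another host must fail the check
    fi
    return 0
}
```

Run `demo` to exercise the checks against the constructed responses, or `check_live kernelci.org /` (and the same for each server_name in the config) after a deployment. Matching the Location host exactly rather than just the `https://` scheme is deliberate: `return 301 https://$host$request_uri` reflects whatever `$host` resolves to, so the check also tells you which hostname the redirect actually carried.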
