Fix SSL so hidden services work better! #385

Closed
aphick opened this issue Nov 14, 2021 · 4 comments

aphick commented Nov 14, 2021

I've run into two issues with giving my amusewiki instance an onion address.

First, the automatic renewal for SSL fails because it tries to generate/renew a certificate for the .onion address. Will likely need to filter out those addresses and it might be worth adding .i2p or other hidden service extensions to the list in case people want to use those.
Second, I think actions that involve authentication (contributing pages and logging in) only operate over HTTPS, and are thus unreachable from a hidden service because they do not need https. The login button prepends "https" before the URL `<form id="login-form" method="post" action="https://example.onion/action/text/new">` and the /login page will not load.

melmothx added a commit that referenced this issue Nov 20, 2021
Owner

melmothx commented Nov 20, 2021 via email

Author

aphick commented Nov 21, 2021

> Ok, this has been addressed in 18cc073 and should be OK (excluding
> .onion, .i2p and .exit).

Thanks!

> Well, this is fishy. Make sure to have all the 3 SSL configuration
> options in the site configuration unchecked. A redirect to the https
> version should happen only if the "Use SSL for authenticated users" is
> on. Matter of fact, for developing locally amusewiki runs over http://
> just fine.

The trouble is, deselecting "Use SSL for authenticated users" disables SSL completely, and I don't want that. Ideally we would serve both http and https, without any redirects.

melmothx added a commit that referenced this issue Nov 21, 2021
It's 2021 and the traffic is supposed to go via https, so always
produce a config with https, even if using the dummy self-signed
certificate.

This way we keep the semantic of the configuration option "Use SSL for
authenticated users" without disabling https at all.

Address #385
@melmothx
Owner

Release 2.531 should have addressed that. Please give it a try and close the issue if it's good.

Thanks

Author

aphick commented Nov 22, 2021

That works now, thanks a bunch @melmothx !

@aphick aphick closed this as completed Nov 22, 2021
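
The hostname filtering discussed in this thread (keeping .onion, .i2p and .exit names out of certificate renewal), as an added example that is not part of the thread or of amusewiki's code. The function names and the sample site data are assumptions made for illustration.

```python
# Added example: decide which of a site's hostnames may be sent to a public
# ACME CA. The suffix list is the one named in the thread; everything else
# here (function names, sample data) is hypothetical.
NON_PUBLIC_SUFFIXES = ("onion", "i2p", "exit")


def normalize(host):
    """Lowercase, trim whitespace and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")


def split_for_acme(hostnames):
    """Return (requestable, skipped), order-preserving and de-duplicated.

    Only the last DNS label is compared, so "myonion.com" and
    "onion.example.org" stay requestable while "example.onion" is skipped.
    """
    requestable, skipped, seen = [], [], set()
    for raw in hostnames:
        host = normalize(raw)
        if not host or host in seen:
            continue
        seen.add(host)
        tld = host.rsplit(".", 1)[-1]
        (skipped if tld in NON_PUBLIC_SUFFIXES else requestable).append(host)
    return requestable, skipped


def renewal_plan(sites):
    """Map site id -> names to request; sites left with no names are omitted."""
    plan = {}
    for site_id, names in sites.items():
        requestable, _skipped = split_for_acme(names)
        if requestable:  # never place an empty order for a hidden-service-only site
            plan[site_id] = requestable
    return plan


# Constructed sample input, not taken from a real installation.
SAMPLE_SITES = {
    "blog": ["wiki.example.org", "example.onion"],
    "hidden": ["example.i2p", "example.exit"],
}

if __name__ == "__main__":
    for site, names in renewal_plan(SAMPLE_SITES).items():
        print(site, "->", ", ".join(names))
```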