This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

www.srihash.org doesn't redirect to HTTPS when srihash.org (no www) does #122

Closed

freddyb opened this issue Apr 15, 2016 · 14 comments

@freddyb (Contributor)

freddyb commented Apr 15, 2016

STR

Not sure how redirection is currently configured. Seems like this isn't in the repo.

@fmarier (Contributor)

fmarier commented Apr 26, 2016

> Not sure how redirection is currently configured. Seems like this isn't in the repo.

I have no idea either. There's a lot of magic I don't understand in this Heroku setup.

@XhmikosR (Collaborator)

XhmikosR commented Jun 1, 2016

Can't we get rid of the www redirect altogether?

@fmarier (Contributor)

fmarier commented Jun 1, 2016

> Can't we get rid of the www redirect altogether?

What do you mean by that?

www.srihash.org doesn't redirect to anything at the moment and that's the problem. It just serves the page regardless of the scheme.

We could (in theory, still requires digging into the Heroku config) stop serving anything on www.srihash.org but that seems less than ideal from a usability point of view.

@XhmikosR (Collaborator)

XhmikosR commented Jun 2, 2016

It seems you want the opposite from what I had in mind, i.e. serve from www.

So can't you just get rid of all redirects in Heroku and we'll handle them via HAPI?

@fmarier (Contributor)

fmarier commented Jun 2, 2016

> So can't you just get rid of all redirects in Heroku and we'll handle them via HAPI?

Not sure, I filed a bug for this though.

@XhmikosR (Collaborator)

XhmikosR commented Jun 2, 2016

On a side note, we set all the headers for all file types which is redundant to say the least. I'll try to make a PR tomorrow for that.

@XhmikosR (Collaborator)

The redirect chain currently is this:

C:\Users\XhmikosR\Desktop>curl -ILl srihash.org
HTTP/1.1 307 Temporary Redirect
Server: Apache
X-Backend-Server: generic1.webapp.phx1.mozilla.com
Cache-Control: max-age=600
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 12 Nov 2017 22:29:00 GMT
Location: https://srihash.org/
Transfer-Encoding: chunked
Connection: Keep-Alive
X-Cache-Info: not cacheable; response code not cacheable

HTTP/2 301
server: Apache
x-backend-server: generic5.webapp.phx1.mozilla.com
cache-control: max-age=600
content-type: text/html; charset=iso-8859-1
strict-transport-security: max-age=15768000
date: Sun, 12 Nov 2017 22:29:01 GMT
location: https://www.srihash.org/
accept-ranges: bytes
x-cache-info: caching

HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self' ; frame-src 'self'
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Download-Options: noopen
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 4016
Vary: accept-encoding
Date: Sun, 12 Nov 2017 22:29:04 GMT
Via: 1.1 vegur

Now, as you can see, the first redirect isn't a 301 one.

BTW this issue seems "fixed" but personally I'd still like to have a 301 redirect :)

@fmarier (Contributor)

fmarier commented Feb 26, 2018

Ideally, we'd change the http://srihash.org to https://srihash.org redirect from a 307 to a 301, but more importantly, http://www.srihash.org doesn't redirect to https://www.srihash.org at all.

@XhmikosR (Collaborator)

I believe it needs a certificate too that is why it doesn't redirect. Should be easy to set up though.

@XhmikosR (Collaborator)

XhmikosR commented Mar 6, 2018

@fmarier: can you add an environment variable in AWS so that we do the redirect only for production?

We could then use https://www.npmjs.com/package/hapi-require-https

Or Heroku, not sure what you are using.

@mozfreddyb (Contributor)

With the way we resolved #243, we only need to ensure we redirect from HTTP to HTTPS on the www.srihash.org domain. This needs to happen in hapi. Let's discuss in #184 instead of here.

XhmikosR reopened this Nov 21, 2019

@XhmikosR (Collaborator)

This is still an issue, unfortunately. I couldn't make #184 or #283 work, so we need some help here.

@freddyb (Contributor, Author)

freddyb commented Nov 21, 2019

Ugh. Reminder (mostly for myself):

  • srihash.org is my personal hosting, just redirecting to HTTPS + www on heroku
  • www.srihash.org is heroku, which is controlled by this repo

Heroku exposes protocol information to the dyno through a custom HTTP header.
Quoting their help page:

> Under the hood, Heroku router (over)writes the X-Forwarded-Proto and the X-Forwarded-Port request headers. The app must check X-Forwarded-Proto and respond with a redirect response when it is not https but http.
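The redirect that mozfreddyb says has to live in hapi, and that freddyb's quote from the Heroku docs describes, as an added example (not code from the srihash.org repository): the dyno only ever sees plaintext from the Heroku router, so the decision is driven by `X-Forwarded-Proto`, and the response is a 301 rather than the 307 seen in the curl output above. The host names, the `onRequest` wiring and the mocked hapi toolkit are assumptions; the functions run without hapi installed.

```javascript
// Added example, not the project's own code. Heroku terminates TLS at its router,
// forwards plain HTTP to the dyno and records the original scheme in
// X-Forwarded-Proto, so that header (not the socket) tells us whether to redirect.

const CANONICAL_HOST = 'www.srihash.org';          // assumption: the host served from Heroku
const SERVED_HOSTS = new Set([CANONICAL_HOST]);    // hosts this app is expected to answer for

/**
 * Decide whether a request must be bounced to HTTPS.
 * Returns the absolute https:// URL to redirect to, or null when no redirect is needed.
 *   headers: lower-cased request headers as Node (and therefore hapi) exposes them
 *   path:    request path plus query string
 */
function httpsRedirectTarget(headers, path) {
  const raw = headers['x-forwarded-proto'];
  if (typeof raw !== 'string') return null;            // header absent: not via the router (e.g. local dev)
  const proto = raw.split(',')[0].trim().toLowerCase(); // first hop only, if a chain appended values
  if (proto !== 'http') return null;                   // already https (or unknown): nothing to do

  // Only redirect to a host we actually serve, so a forged Host header cannot turn
  // this into an open redirect; otherwise fall back to the canonical name.
  const host = String(headers.host || '').split(',')[0].trim().toLowerCase();
  const target = SERVED_HOSTS.has(host) ? host : CANONICAL_HOST;

  const safePath = path.startsWith('/') ? path : '/' + path;
  return 'https://' + target + safePath;
}

/**
 * hapi `onRequest` extension: server.ext('onRequest', forceHttps).
 * Uses hapi's (request, h) signature; request.url carries pathname/search, and
 * h.redirect(uri).permanent().takeover() is the toolkit call for a 301 that
 * stops further processing of the request.
 */
function forceHttps(request, h) {
  const path = request.url.pathname + (request.url.search || '');
  const target = httpsRedirectTarget(request.headers, path);
  if (target === null) return h.continue;
  // 301, not 307: browsers cache it and skip the plaintext hop on later visits.
  return h.redirect(target).permanent().takeover();
}

/** Minimal stand-in for hapi's response toolkit so the example runs without hapi. */
function mockToolkit() {
  return {
    continue: Symbol('continue'),
    redirect(uri) {
      const res = { uri, statusCode: 302, takenOver: false };
      res.permanent = () => { res.statusCode = 301; return res; };
      res.takeover = () => { res.takenOver = true; return res; };
      return res;
    },
  };
}

// Constructed request: a plaintext hit on /hash?url=x as the Heroku router would forward it.
const demoRequest = {
  headers: { host: 'www.srihash.org', 'x-forwarded-proto': 'http' },
  url: { pathname: '/hash', search: '?url=x' },
};
const demoResponse = forceHttps(demoRequest, mockToolkit());
console.log(demoResponse.statusCode, demoResponse.uri); // 301 https://www.srihash.org/hash?url=x
```

Because a request that never passed through the router carries no `X-Forwarded-Proto`, local development is left alone without the production-only environment variable XhmikosR asked about. The `Strict-Transport-Security` header already present on the HTTPS responses in the curl output then keeps returning browsers off HTTP entirely.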

@mozfreddyb (Contributor)

This should finally work.
