chore(nginx): updated nodejs.org configuration #3139

Merged
merged 4 commits into from Mar 15, 2023

Member

@ovflowd ovflowd commented Dec 31, 2022

This PR introduces several Nginx changes that simplify the current configuration and fix current bugs.

Configuration changes

  • Merge HTTP and HTTPS server blocks for redirects
  • Removes non-needed configuration from the default nodejs.org:80 server block
  • Removes the nodejs.org:80 redirect to nodejs.org:443 server block in favor of a return 301 rule
  • Removes legacy rules such as (/blog redirecting to blog.nodejs.org), which could cause a "too many redirects" error
  • Fixes the blog.nodejs.org:80 configuration which caused "too many redirects" and was broken
  • Removed broken server rules such as the newsletter.nodejs.org
  • Fixed broken foundation.nodejs.org location rules to the respective links of openjsf.org:443
  • Reorganised the file (first both 80/443 ports for nodejs.org then all the extras)
  • Added @todo's for the upcoming Next.js rewrite of nodejs.org

@ovflowd
Member Author

ovflowd commented Dec 31, 2022

cc @nodejs/build @Trott @bnb @joesepi

@ovflowd
Member Author

ovflowd commented Jan 3, 2023

cc @richardlau

@ovflowd
Member Author

ovflowd commented Jan 4, 2023

@UlisesGascon could you also give an eye here 👀

@richardlau
Member

I've deployed this onto the server. I'm not feeling too well this week, so if anything looks wrong with these changes I'm likely to just back them out rather than try to troubleshoot.

@richardlau richardlau merged commit 92c5c08 into nodejs:main Mar 15, 2023
@nschonni
Member

This appears to now be redirecting http://unencrypted.nodejs.org/ traffic to HTTPS, where it's supposed to be a breakout for that traffic

default_type text/plain;
}

location /.well-known/security.txt {
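
Review bot: `location /.well-known/security.txt {` on the last line is a prefix match, so it also applies to any URI that merely begins with that string; for a single well-known file, `location = /.well-known/security.txt` keeps the rule to exactly that path. The body of the block is not visible in this excerpt, so how the file is served or rewritten cannot be checked from these lines.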
Member

This no longer works/is being served

Member Author

@ovflowd ovflowd Mar 15, 2023

This file doesn't really exist. This rewrite can probably be deleted as this file is not being served anymore.

Member

It did in that location before, and is now located https://github.com/nodejs/nodejs.org/blob/main/public/security.txt

Member Author

No, I think you're confusing things. There was never a well-known/security.txt (https://github.com/nodejs/nodejs.org/tree/fb666ed663e4d0511beced38cf9505a688bde898/static) (ref before next migration).

Or are you trying to say that /.well-known/security.txt should redirect to /security.txt?

Member Author

@ovflowd ovflowd Mar 15, 2023

Oh, I see what you're talking about. Let me make a PR.

Member

This redirect was serving the file in static/security.txt through the .well-known address, which is per its spec https://securitytxt.org/

Member Author

> This redirect was serving the file in static/security.txt through the .well-known address, which is per its spec securitytxt.org

Aware of that spec, my bad, I just switched these two 👀

@ovflowd
Member Author

ovflowd commented Mar 15, 2023

I don't see any configuration for unencrypted.nodejs.org. (Whatever that was, it was not changed)

@nschonni
Member

There wasn't a specific config, but there wasn't a global HTTP to HTTPS rewrite rule before, which supported that old endpoint

@ovflowd
Member Author

ovflowd commented Mar 15, 2023

Is there any reason we should support unencrypted.nodejs.org?

There wasn't a global rewrite, yes, but pretty much all the "meaningful" routes were being redirected to https. Which made sense to do a global redirect.

@nschonni
Member

It is there to support clients like NVM that need it for old platforms I believe, but maybe @ljharb can confirm.
It shouldn't be broken/dropped without a discussion with the TSC though

@ovflowd ovflowd deleted the patch-1 branch March 15, 2023 22:53
@ovflowd
Member Author

ovflowd commented Mar 15, 2023

> It is there to support clients like NVM that need it for old platforms I believe, but maybe @ljharb can confirm.
> It shouldn't be broken/dropped without a discussion with the TSC though

Then it is working fine. Because it will not redirect for the /dist stuff :)

@nschonni
Member

No, it is breaking the dist

C:\Users\nick_>curl http://unencrypted.nodejs.org/dist/v0.1.27/SHASUMS256.txt
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>

C:\Users\nick_>curl https://unencrypted.nodejs.org/dist/v0.1.27/SHASUMS256.txt
1f83401b9ede7558350e183fc4386234a803d1253e7fe99bce0aba7138270806  node-v0.1.27.tar.gz

@ovflowd
Member Author

ovflowd commented Mar 15, 2023

@nschonni that's not how the unencrypted.nodejs.org apparently works. This is a valid URL curl -v http://unencrypted.nodejs.org/download/release/node-v0.6.5.tar.gz

If you curl -v http://unencrypted.nodejs.org, it gives you an HTML welcome page, and then I navigated over it. This URL seems to be served somewhere else, as the IP address is neither CloudFlare nor the server where nodejs.org is residing 🤔

@ovflowd
Member Author

ovflowd commented Mar 15, 2023

Also curl -v http://unencrypted.nodejs.org/download/release/v19.8.1/ seems to be what would be curl -v https://nodejs.org/dist/v19.8.1/. Does this answer your questions?

@BethGriggs
Member

> It shouldn't be broken/dropped without a discussion with the TSC though

There was some discussion in #2857 about unencrypted.nodejs.org, where we enabled HSTS.

@ljharb
Member

ljharb commented Mar 16, 2023

unless http traffic redirects to unencrypted, nvm doesn’t use it.

That said, it still seems important to preserve an http escape hatch.

@richardlau
Member

For a long time http://unencrypted.nodejs.org's landing page had a warning that it was to be sunset on 1 January 2022 (last year). #2857 (comment). My opinion is that it's not worth spending time resurrecting it.

@ovflowd
Member Author

ovflowd commented Mar 16, 2023

If it was supposed to be sunset then we should sunset it 🤔
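
A configuration sketch of the two points this thread turns on, added here as an example and not the project's own nginx configuration: the HTTP-to-HTTPS redirect is scoped to named hosts so it cannot silently capture another hostname, and security.txt is served at its well-known address with an exact-match location. The hostname example.org, the certificate paths and /var/www/example are placeholders.

```nginx
# Added example, not the nodejs.org configuration. example.org, the
# certificate paths and /var/www/example are placeholders.

# Explicit default for port 80. Without it, nginx treats the first server
# block on the socket as the default, so any hostname resolving to this
# machine would inherit that block's redirect.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;    # nginx-specific: close the connection without a response
}

# Redirect only the hostnames that are meant to be HTTPS-only. A host that
# must stay reachable over plain HTTP needs its own server block; it should
# not depend on the absence of a redirect rule.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;

    # Fixed target host: the Location header never echoes a client-supplied Host.
    return 301 https://example.org$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder

    root /var/www/example;

    # "=" is an exact match: only this URI, not every path sharing the prefix.
    # Serves the site's /security.txt at the well-known address as well.
    location = /.well-known/security.txt {
        default_type text/plain;
        alias /var/www/example/security.txt;
    }
}
```

`nginx -t` validates the syntax before a reload. Afterwards, `curl -I` against each hostname on port 80 and against `/.well-known/security.txt` confirms that the redirects and the file behave the same as before the change.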
