Remove CNAME to avoid HTTP hops #32

Closed
wants to merge 1 commit into
base: master
from

Contributor

claudijd commented Mar 2, 2018

This simply prevents the HTTP-based 302 in an otherwise HTTPS only setup.

```
$ curl -i https://rubygems.github.io
HTTP/1.1 301 Moved Permanently
Server: GitHub.com
Content-Type: text/html
Location: http://blog.rubygems.org/
```

By removing the CNAME, we'll get a valid HTTPS response on this origin without the redirect.

This PR is predicated on the assumption that Fastly is set to use https://rubygems.github.io as the origin source for http[s]?://blog.rubygems.org.

@claudijd claudijd requested a review from dwradcliffe Mar 2, 2018

Member

indirect commented Mar 2, 2018

We will also need to change the Fastly config for this to work. When I tried doing this two days ago, GitHub started serving 404s to Fastly on requests for blog.rubygems.org: 97bc448

Contributor

claudijd commented Mar 2, 2018

I'm going to assume that the above 404 behavior was a temporary state and due to DNS/CDN caches not fully expiring yet...

Fastly was pointed to https://rubygems.github.io as origin. However, if you had a cached response from Fastly for the 302 to http://blog.rubygems.org, then you might also need to have Fastly expire the cache on the 302 or it would continue to fail because DNS cache for blog.rubygems.org still pointed at GitHub servers and because of the lack of a CNAME at that specific time window that would explain 404s from GitHub for a domain it no longer has a VHOST mapping for.

Member

indirect commented Mar 2, 2018

FWIW, we do in fact force SSL between Fastly and the origin:

Contributor

claudijd commented Mar 3, 2018

@indirect and I jumped on Fastly config and learned that Fastly acts a little differently than CloudFront in that it preserves the original request's Host header and carries it through. Because of this we would need to add what Fastly calls an "Override host" to force the Fastly to GitHub Pages to be overridden from "blog.rubygems.org" to the true host header of the origin "rubygems.github.io" and then we could nuke the CNAME file.

All that said, we're likely just going to hang in the current state until we can jump on GitHub Pages beta for HTTPS, which we expect to be able to try out soon.

@claudijd claudijd closed this Mar 3, 2018
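
The Host-header behaviour discussed in this thread, as an added example that is not part of the original PR or the project's code: a simplified Python model of how the origin answers depending on the CNAME file and the CDN's override host, with a check for HTTPS-to-HTTP redirect hops. The routing rules are an assumption built only from the responses reported above (not GitHub's or Fastly's actual logic), and all function names are hypothetical.

```python
# Simplified model of the behaviour described in this thread; not GitHub's or
# Fastly's actual logic. All function names here are hypothetical.
from urllib.parse import urlsplit

PAGES_HOST = "rubygems.github.io"   # origin hostname, from the thread
CUSTOM_HOST = "blog.rubygems.org"   # custom domain named in the CNAME file


def pages_origin(host, cname_file):
    """Model how the origin answers a request for a given Host header."""
    if cname_file:
        if host == cname_file:
            return 200, None                      # custom domain is mapped
        if host == PAGES_HOST:
            return 301, f"http://{cname_file}/"   # redirect seen in the curl output
        return 404, None
    # No CNAME file: only the default Pages hostname has a vhost mapping.
    return (200, None) if host == PAGES_HOST else (404, None)


def cdn_fetch(client_host, cname_file, override_host=None):
    """Model the CDN-to-origin request: Host is preserved unless overridden."""
    return pages_origin(override_host or client_host, cname_file)


def is_downgrade(request_url, location):
    """True when an HTTPS request is redirected to a plain-HTTP URL."""
    if location is None:
        return False
    return (urlsplit(request_url).scheme == "https"
            and urlsplit(location).scheme == "http")


def audit(cname_file, override_host=None):
    """Return (status, downgrade?) for a client request to the custom domain."""
    status, location = cdn_fetch(CUSTOM_HOST, cname_file, override_host)
    # The CDN-to-origin leg is HTTPS, as stated in the thread.
    return status, is_downgrade(f"https://{PAGES_HOST}/", location)


if __name__ == "__main__":
    print("CNAME kept, Host preserved :", audit(CUSTOM_HOST))
    print("CNAME removed, no override :", audit(None))
    print("CNAME removed + override   :", audit(None, PAGES_HOST))
    print("CNAME kept + override      :", audit(CUSTOM_HOST, PAGES_HOST))
```

In this model, removing the CNAME file and setting the override host have to change together: either one alone produces the 404 or the plain-HTTP redirect.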
