Moving the conversation from https://github.com/readthedocs/readthedocs.org/pull/6953
The current status is that we have HSTS with max-age=3600 for www.pyopenssl.org. I think the remaining steps are:
1. includeSubDomains for pyOpenSSL
2. preload for pyOpenSSL
3. max-age for pyOpenSSL

I believe the first three can be done by RTD folks without the pyca involvement, and the last one is entirely on the pyca side.
And then for cryptography:
This one requires us to make changes on the pyca side first.
cc: @hynek @reaperhulk
I'm ready to do 1 and 2 if y'all are ready for it.
Ready! (Much ❤️ to the RTD team!)
Great. We can confirm that RTD is doing the right thing by using these commands:
curl -k -IL --resolve '*:80:104.208.221.96' --resolve '*:443:104.208.221.96' www.pyopenssl.org
curl -k -IL --resolve '*:80:104.208.221.96' --resolve '*:443:104.208.221.96' cryptography.io
I have enabled the proper SSL settings on both domains. Both should be Strict-Transport-Security: max-age=3600; includeSubDomains; preload currently.
I believe we're not meant to be returning HSTS on HTTP requests, which we should fix at some point, but everything else looks good.
Confirmed! I think the next steps are on the pyca side to disable our reverse proxy, and then we can look at increasing the max-age! Thanks much!
Ok, this all seems to be working!
We're ready to increase max-age for both of these when you are!
Great, what would you like to increase them to?
Let's do 604800 (one week) for now, and assuming nothing breaks in the next week, we can jump to 31557600 (one year) and declare this complete.
Thanks again so much!
Great, this should now be shipped. It will update when the cache clears on the next build or a few hours in time, or you can always use GET args to confirm:
-> curl -s -IL https://www.pyopenssl.org/en/stable/?foo |grep max-age
strict-transport-security: max-age=604800; includeSubDomains; preload
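The thread checks the header by eye with curl. As an added example (not code from this thread, from Read the Docs or from pyca), the script below parses a Strict-Transport-Security value per RFC 6797 and reports what is still wrong at each stage of the ramp discussed above: the point that the header must not appear on plain-HTTP responses (RFC 6797 section 7.2), and the hstspreload.org submission rules that max-age be at least one year (31536000 s), with includeSubDomains and preload present. The header values are constructed to match the stages in the thread; `rollout_findings` and `parse_hsts` are names chosen for this example.

```python
# Added example (not part of the thread, not Read the Docs or pyca code): parse a
# Strict-Transport-Security header per RFC 6797 and check it against the rollout
# steps discussed above. Header values below are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds; the hstspreload.org minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS field value (RFC 6797 section 6.1).

    Directives are ';'-separated, names are case-insensitive, max-age may be
    quoted, a repeated directive makes the header invalid, unknown directives
    are ignored, and max-age is mandatory.
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"malformed max-age {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def rollout_findings(https_sts: Optional[str], http_sts: Optional[str],
                     require_preload: bool) -> List[str]:
    """Return the problems a host has at a given rollout stage.

    https_sts / http_sts are the STS values seen on the HTTPS and the plain-HTTP
    response (None if absent). require_preload=True applies the hstspreload.org
    header rules; False only checks presence and syntax, which is all the
    short-max-age stages of a ramp-up need.
    """
    findings: List[str] = []
    if http_sts is not None:
        # RFC 6797 section 7.2: the header MUST NOT be sent over non-secure transport.
        findings.append("STS header sent over plain HTTP")
    if https_sts is None:
        findings.append("no STS header on the HTTPS response")
        return findings
    try:
        policy = parse_hsts(https_sts)
    except ValueError as exc:
        findings.append(f"unparseable STS header: {exc}")
        return findings
    if require_preload:
        if policy.max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"max-age {policy.max_age} is below the preload minimum "
                            f"of {PRELOAD_MIN_MAX_AGE}")
        if not policy.include_subdomains:
            findings.append("includeSubDomains missing")
        if not policy.preload:
            findings.append("preload missing")
    return findings


if __name__ == "__main__":
    # Constructed header values matching the three stages in the thread.
    stages = {
        "initial":  "max-age=3600; includeSubDomains; preload",
        "one week": "max-age=604800; includeSubDomains; preload",
        "one year": "max-age=31557600; includeSubDomains; preload",
    }
    for stage, header in stages.items():
        print(stage, rollout_findings(header, None, require_preload=True) or "ok")
```

Only the one-year stage passes the preload check; the first two stages are fine as ramp steps but would be rejected by the preload list. The script covers the header alone: the preload list also requires the HTTP-to-HTTPS redirect and a valid certificate on the apex, which you still verify with the curl commands in the thread (and once the certificate is in place, drop `-k`, which disables certificate verification).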
Figure out how to make this work with the apex
We updated our custom domain docs for root domains. If you can set up an ANAME or ALIAS record, it should "just work".
Can we get HSTS set for pyopenssl.org (the apex of that domain)? I think that's our last thing.
Should be done.
@alex anything else here? I think we just need a large HSTS value and then we can call it done?
Yup, if you can bump to the one year level for all the domains here we can close this out. Thanks again for all this!
Great, these have been updated. Closing this out, thanks for testing it with us!