On Wed, 20 Jan 2021 at 16:57, Daniel Shahaf <d...@daniel.shahaf.name> wrote:

> Daniel Sahlberg wrote on Wed, 20 Jan 2021 07:12 +00:00:
> > On Wed, 20 Jan 2021 at 00:16, Nathan Hartman <hartman.nat...@gmail.com> wrote:
> > > On Mon, Jan 18, 2021 at 4:17 AM Daniel Sahlberg
> > > <daniel.l.sahlb...@gmail.com> wrote:
> > > > * No SSL at the moment. I suggest to install certbot and a Let's
> > > > encrypt certificate. (Should renewal notices go to dev@?)
> > >
> > > Is there any sensitive information in them? If yes, private@, if not,
> > > dev@ should be fine.
> >
> > Don't think there should be anything sensitive, worst case is probably
> > "Your site's certificate has not been updated and is now EOL, you need
> > to update". I've put it to dev@ and we might reconsider later on.
>
> I see you used CN=svn-haxx.apache.org on the certificate.
>
> Please run this by Infra. It's conceivable that having a *.apache.org
> site that _doesn't_ use the wildcard cert might impact the wildcard's
> reputation in some way (e.g., break certificate pinning rules in
> plugins such as HTTPS Everywhere).
>
> [We aren't going to get a copy of the wildcard cert on a PMC VM, but
> Infra might do an SSL-terminating reverse proxy for us from a box
> they control.]
>

I removed svn-haxx.a.o from the certificate. Also modified the server setup to redirect any requests for http://svn-haxx.apache.org to https://svn.haxx.se.

Only problem now is if someone tries to access https://svn-haxx.apache.org, it will give a certificate warning. I don't really see how we can avoid it without having svn-haxx.a.o in the certificate. (We can't redirect the svn-haxx.a.o DNS entry to another box since the whole purpose of that entry is to be a CNAME target). Anyhow, nobody should be browsing that URL anyway, it shouldn't exist anywhere except in a few mails in dev@.

> Second, I'm not happy about setting the address to dev@, for several
> reasons. One, it's not development-related traffic. Two, IIRC in Let's
> Encrypt the email address given is the "owner's" address, so if LE ever
> need to contact the PMC for whatever reason, automated or otherwise,
> that's the address they'd use. Such traffic should go to private@.
>
> I'm aware you aren't on that list, Daniel. We'll just have to loop
> you in on relevant threads. That would mirror the ACL configuration
> (for /repos/private/pmc/subversion/machines, and, IIRC, Infra's puppet
> repos too).
>

Switched to private@

Kind regards,
Daniel
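
Why https://svn-haxx.apache.org still warns although the server redirects, as an added example that is not part of the original mail: the client checks the certificate's names during the TLS handshake, before any HTTP redirect can be sent. The SAN lists are constructed assumptions (the thread does not show the certificate) and the function names are hypothetical.

```python
# Added illustration: RFC 6125-style matching of a requested hostname against
# the dNSName entries of a certificate, and what the client sees as a result.

def name_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Accept a wildcard only as the whole left-most label, with at least
        # two labels after it (so "*.org" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h             # partial wildcards ("f*.x.y") are treated as literals


def cert_covers(hostname, san_dns_names):
    return any(name_matches(n, hostname) for n in san_dns_names)


def fetch_outcome(scheme, host, san_dns_names, redirect_to="https://svn.haxx.se"):
    """The TLS name check runs first; the redirect is only seen if it passes."""
    if scheme == "https" and not cert_covers(host, san_dns_names):
        return "certificate warning"
    return "redirect to " + redirect_to


# Constructed SAN lists (assumptions, not taken from the real certificate).
SAN_AFTER_CHANGE = ["svn.haxx.se"]        # svn-haxx.apache.org removed
SAN_WILDCARD = ["*.apache.org"]           # what a wildcard cert would carry

if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, fetch_outcome(scheme, "svn-haxx.apache.org", SAN_AFTER_CHANGE))
    print("wildcard covers it:", cert_covers("svn-haxx.apache.org", SAN_WILDCARD))
```
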