> On 20 Jul 2017, at 07:40, Rasmus Lerdorf <ras...@lerdorf.com> wrote:
>
>> On Wed, Jul 19, 2017 at 1:42 PM, Niklas Keller <m...@kelunik.com> wrote:
>>
>> We should really change that and fully move to HTTPS.
>
> I have looked at various ways of doing this, but it isn't trivial and it
> has absolutely nothing to do with the actual HTML and slapping in some
> https links instead of http. The problem here is that we have external
> volunteers running all our mirrors and we do geo-DNS for www.php.net to
> send you to your geographically close mirror site. Putting the private key
> for www.php.net on dozens of servers around the world we don't control is
> a non-starter.
>
> One way that I played with was to use letsencrypt and have each mirror
> request an SSL cert for their local mirror, ca1.php.net, for example, and
> include a CN alias for www.php.net in that request. Then we would run a
> domain validation gateway/proxy on www.php.net which would validate these
> requests on behalf of the mirrors. But there are some security issues with
> this approach that I haven't quite thought through. I would love to hear
> suggestions for perhaps a simpler solution to this problem that doesn't
> require pasting our private key all over the internet.
>
> -Rasmus
Hey Rasmus,

Does it need to be geo-DNS, or could it instead be "geo-HTTP": a small
number of servers responding to (www.)?php.net, which then respond with
HTTP redirects based on client IP? This is similar to how Debian's "new"
mirror service works for apt repos.

I know it would be very nice to have the URLs stay as php.net (no ccN.
prefix), but anything else simple is going to involve TLS certs for the
base domain on servers the project doesn't control.

The only other option I can see would be to use "keyless" TLS. It's
described pretty well by CF here:
https://www.cloudflare.com/ssl/keyless-ssl/

Unfortunately I don't know that CF have open sourced their nginx & OpenSSL
patches to make them talk to a remote key server.

Happy to discuss this further if I can help.

Cheers
Stephen
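The "geo-HTTP" redirector Stephen sketches above, as an added example; this is not php.net's code and not from either poster. It assumes a static prefix-to-region table and a fixed allow-list of mirror hostnames (the TEST-NET prefixes and the euN/usN/apacN.php.net names are constructed placeholders, not real allocations); a real deployment would consult a GeoIP database instead. The point the example adds is that the redirect only reuses the path and query of the incoming request, while the scheme and host always come from the allow-list, so a crafted Host header or absolute-form request target cannot turn the front end into an open redirect, and every Location it emits is https://.

```python
"""Minimal geo-HTTP redirector: www.php.net front end that sends clients
to a nearby mirror over HTTPS.  Added example, not php.net's code."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data (hypothetical): client prefix -> region code.
# Documentation/TEST-NET prefixes stand in for real ISP allocations.
REGION_PREFIXES = [
    (ipaddress.ip_network("192.0.2.0/24"), "eu"),
    (ipaddress.ip_network("198.51.100.0/24"), "us"),
    (ipaddress.ip_network("2001:db8::/32"), "apac"),
]

# Allow-list of mirror hostnames per region (hypothetical names).  The
# redirect host is only ever taken from here, never from the request.
MIRRORS = {
    "eu": ["eu1.php.net", "eu2.php.net"],
    "us": ["us1.php.net"],
    "apac": ["apac1.php.net"],
}
DEFAULT_REGION = "us"


def region_for(client_ip: str) -> str:
    """Map a client address to a region; unknown addresses get the default."""
    addr = ipaddress.ip_address(client_ip)
    for net, region in REGION_PREFIXES:
        if addr in net:
            return region
    return DEFAULT_REGION


def choose_mirror(client_ip: str) -> str:
    """Pick one mirror in the client's region, spread deterministically
    across that region's mirrors by the numeric client address."""
    mirrors = MIRRORS.get(region_for(client_ip)) or MIRRORS[DEFAULT_REGION]
    return mirrors[int(ipaddress.ip_address(client_ip)) % len(mirrors)]


def redirect_target(client_ip: str, request_target: str) -> str:
    """Build the Location header value.

    Only path and query are copied from the request.  urlsplit() strips
    any scheme/authority a client smuggles in via an absolute-form target
    such as "http://evil.example/x" or "//evil.example/x"; the host is
    always an allow-listed mirror and the scheme is always https.
    """
    parts = urlsplit(request_target)
    path = parts.path or "/"
    if not path.startswith("/"):      # e.g. "*" from OPTIONS, or garbage
        path = "/"
    return urlunsplit(("https", choose_mirror(client_ip), path, parts.query, ""))


class Redirector(BaseHTTPRequestHandler):
    def do_GET(self):
        # Use the TCP peer address.  Only trust X-Forwarded-For if this
        # process sits behind a load balancer you control; otherwise a
        # client could pick its own "region".
        client_ip = self.client_address[0]
        self.send_response(302)      # temporary: the mirror set changes
        self.send_header("Location", redirect_target(client_ip, self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):    # keep the example quiet
        pass


if __name__ == "__main__":
    # Listen locally; e.g. curl -sI http://127.0.0.1:8080/manual/en/
    HTTPServer(("127.0.0.1", 8080), Redirector).serve_forever()
```

Note that this only moves the private key problem rather than solving it: the handful of redirector hosts need the www.php.net certificate, and each mirror still needs its own certificate for its own hostname, which the mirror operator can obtain with Let's Encrypt without any help from the project.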