[ndbug] R.I.P. http, hello https

N.J. Thomas njt at ayvali.org
Wed Aug 9 14:51:54 PDT 2017


hi all,

Just as an fyi, I converted the site and the Mailman subscription page
to https (thank you LetsEncrypt!) right now.

I probably should have done this earlier, but better late than never.

I added Apache redirects for everything, so you shouldn't see any
difference at all (if you go to any http page, it will redirect you to
https).


FWIW, if anyone cares, the Apache setup was straightforward. I made sure
Apache was listening on 443 in addition to 80:

    Listen 443

I turned on the SSL module, by uncommenting this line:

    LoadModule ssl_module libexec/apache24/mod_ssl.so

I converted my port 80 VirtualHost entries into port 443 VirtualHost entries
and added these lines to the stanza:

    SSLEngine on
    SSLCertificateFile      /usr/local/etc/apache24/Includes/certs/example.org/cert.pem
    SSLCertificateKeyFile   /usr/local/etc/apache24/Includes/certs/example.org/privkey.pem
    SSLCertificateChainFile /usr/local/etc/apache24/Includes/certs/example.org/chain.pem

(/usr/local/etc/apache24/Includes/certs/example.org is just a symlink to
/usr/local/etc/letsencrypt/live/example.org)

And then I updated all references to http (I had some redirects that
converted www.ndbug.in to ndbug.in) to https.

I turned my port 80 VirtualHost entries into small redirects:

    <VirtualHost *:80>
        ServerName "example.org"
        ServerAlias  "www.example.org"
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule /(.*) https://example.org/$1 [R,L]
    </VirtualHost>


Mailman required some more voodoo. I needed to add the following to
mm_cfg.py:

    DEFAULT_URL_PATTERN = 'https://%s/mailman/'

And then for every list, I needed to run:

    /usr/local/mailman/bin/withlist -l -r fix_url [listname] -u [list_domain]

I used certbot to get the LetsEncrypt certs (I know there are other,
better, clients out there, I just used this one because it was in
ports).

Let me know if you see any weirdness:

    https://ndbug.in/

Thomas
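
Added example, not part of the original post or the site's own tooling: a small Python check that reads Apache config text and flags port 80 VirtualHosts with no redirect to https, and port 443 VirtualHosts missing `SSLEngine on` or the certificate directives described above. The sample config, the `lists.example.org` host and its DocumentRoot are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample config modelled on the stanzas in the post (hosts/paths are placeholders).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName "example.org"
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule /(.*) https://example.org/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
    ServerName "lists.example.org"
    DocumentRoot "/usr/local/www/lists"
</VirtualHost>
<VirtualHost *:443>
    ServerName "example.org"
    SSLEngine on
    SSLCertificateFile /usr/local/etc/apache24/Includes/certs/example.org/cert.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
REDIRECT_RE = re.compile(r"^\s*(RewriteRule|Redirect(Match|Permanent)?)\b.*\bhttps://", re.I | re.M)

def directive(body, name):
    """Return the first argument of directive `name` in a vhost body, or None."""
    m = re.search(rf'^\s*{name}\s+"?([^\s"]+)', body, re.I | re.M)
    return m.group(1) if m else None

def audit_vhosts(conf):
    """Return a list of (server_name, port, problem) tuples for the https migration."""
    findings = []
    for p, body in VHOST_RE.findall(conf):
        port = int(p)
        # Drop comment lines so a commented-out directive does not count as present.
        body = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
        name = directive(body, "ServerName") or "(unnamed)"
        if port == 80 and not REDIRECT_RE.search(body):
            findings.append((name, port, "no redirect to https"))
        if port == 443:
            if (directive(body, "SSLEngine") or "").lower() != "on":
                findings.append((name, port, "SSLEngine is not on"))
            for d in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if directive(body, d) is None:
                    findings.append((name, port, f"missing {d}"))
    return findings

if __name__ == "__main__":
    for name, port, problem in audit_vhosts(SAMPLE_CONF):
        print(f"{name}:{port}: {problem}")
```

It only inspects the text it is given, so included files have to be concatenated first; `apachectl configtest` remains the check for syntax.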

