#4670 move planet.fedoraproject.org to fedoraplanet.org
Closed: Fixed None Opened 9 years ago by till.

= problem =

planet.fedoraproject.org cannot be securely made https only, since it needs to include content from blogs. This makes it impossible to use HSTS for all systems in fedoraproject.org

= analysis =

Including content from other systems is always dangerous and might not be a good idea for other reasons.

= enhancement recommendation =

introduce fedoraplanet.org and redirect planet.fpo to it.


Hi Tyll,

I am not sure to understand how fedoraplanet.org resolves the situation described in the problem and analysis sections.
fedoraplanet.org will have the same problem and will also not be able to be https, no?

Replying to [comment:1 pingou]:

I am not sure to understand how fedoraplanet.org resolves the situation described in the problem and analysis sections.
fedoraplanet.org will have the same problem and will also not be able to be https, no?

yes, fedoraplanet.org will not be able to use https properly. But if it is moved outside the .fedoraproject.org domain, we can use strict transport security to make everything in *.fedoraproject.org use always HTTPS (some other hosts need to be updated as well), but for fedoraplanet, there I do not see a sane way to do this inside fedoraproject.org.

I do not really know how our planet works exactly (because I did not have to look under its hood so far), but couldn't be an extended setup with Apache or nginx as reverse proxy do the job? That would indeed require fetching (and caching) the content of the posts.

Why don't we disable HTTPS on planet? It doesn't seem like a useful feature considering the whole site breaks when it is accessed through HTTPS. A large amount of the scripts aren't loaded through SSL, so the layout breaks down. If we can get this fixed, we may be able to keep SSL enabled without causing issues.

A plausible solution would be to either change the script paths to use relative path, or to redirect HTTPS to HTTP.

Replying to [comment:3 robert]:

I do not really know how our planet works exactly (because I did not have to look under its hood so far), but couldn't be an extended setup with Apache or nginx as reverse proxy do the job? That would indeed require fetching (and caching) the content of the posts.

This can easily lead to other vulnerabilities such as cross-site scripting or making it a proxy for everyone to use.

Replying to [comment:4 cydrobolt]:

Why don't we disable HTTPS on planet? It doesn't seem like a useful feature considering the whole site breaks when it is accessed through HTTPS. A large amount of the scripts aren't loaded through SSL, so the layout breaks down. If we can get this fixed, we may be able to keep SSL enabled without causing issues.

If we move planet to its own domain, we can disable HTTPS without any negative impact on .fedoraproject.org, which is why I suggested this. The big picture is to get everything on .fpo use HTTPS by default, even any unknown, future hostname so browsers just do the right thing (see ticket:2888)

We talked about this in today's infra meeting.

No one had objections to this plan, so we will move forward with it.

If someone would like to craft a patch to do the redirects to the new domain that would be great.

Replying to [comment:7 kevin]:

If someone would like to craft a patch to do the redirects to the new domain that would be great.

Just to make sure we are all on the same page, the redirects need to go to http://fedoraplanet.org, even if https://planet.fedoraproject.org was accessed, because eventually everyone will only be able to access planet.fpo via https. Therefore it might also be a good idea to not https enable fedoraplanet.org at all, especially since it does not properly work as well.

We now have the domain setup in dns.

Here is my proposal to move this forward, I hope the new apache config is correct.

We first need to move people over to ansible.

It's still in puppet right now. we need to get it migrated over and moved to rhel7.

Since people is now migrated, I rebased the patch to the current ansible master branch.

overall looks ok, but did we also want to provide a redirect? Otherwise folks might not know about the change.

Also we will want to announce this in advance of the change.

I think perhaps later next week might be a good time to do this? This week is very busy...

Replying to [comment:14 kevin]:

overall looks ok, but did we also want to provide a redirect? Otherwise folks might not know about the change.

The way I understand {{{roles/planet/files/planet.conf}}}, there should be a redirect from planet.fpo to fedoraplanet both for :443 and :80 with the patch.

Also we will want to announce this in advance of the change.

Is it necessary to do this in advance? If the redirect works, then the old URLs continue to work, therefore an announcement when it is done should be ok as well afaics.

I think perhaps later next week might be a good time to do this? This week is very busy...

it is ok with me.

Ah, I see I missed the redirect. ;)

I guess we don't need to announce it ahead of time as long as we don't break it. Of course we will want people to update their config eventually.

So, we are now in freeze, but lucky for us, people isn't frozen. The redirect will affect proxies tho, so it needs a freeze break.

How about we do this friday? 2015-07-31? if we can get a freeze break...

Replying to [comment:16 kevin]:

How about we do this friday? 2015-07-31? if we can get a freeze break...

sounds good.

This should be complete now.

Thanks for all the work on this till.

Login to comment on this ticket.

Metadata