TLS for all Hoa's domains

Good luck and thanks!

Certificates are active only on static for the moment; I'll let you check, then we can switch the others.

https://www.ssllabs.com/ssltest/analyze.html?d=static.hoa-project.net

I’ve also opened PR #100 to replace the static links with https.


A bit of a struggle after the update: nginx was listening on IPv6 only. Bad configuration in all the website config files. The notation listen [::]80 is not correct and has been deprecated in new versions. The IPv4/IPv6 notation must use two lines: listen 80; listen [::]:80;

I’ve updated all the nginx config files. ~40
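The listen problem described in the post above, as an added example that is not part of the original thread or of the Hoa server's configuration: a small Python check that flags ports declared only on IPv6. The function name audit_listen and the sample configs are constructed for illustration; the check assumes nginx's default of ipv6only=on for [::] sockets and works per config text, not per server block.

```python
import re

# One nginx "listen" directive: everything between the keyword and the ';'.
LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")

def audit_listen(config_text):
    """Return findings: malformed IPv6 listens first, then IPv6-only ports."""
    text = re.sub(r"#.*", "", config_text)            # drop comments
    v4, v6, findings = set(), set(), []
    for directive in LISTEN_RE.findall(text):
        addr, *params = directive.split()
        if addr.startswith("unix:"):                  # UNIX sockets: not relevant
            continue
        if addr.startswith("["):
            _, _, rest = addr.partition("]")
            if rest and not rest.startswith(":"):
                # e.g. "[::]80", the notation the thread reports as incorrect
                findings.append(f"malformed IPv6 address: listen {addr}")
            port = rest.lstrip(":") or "80"           # bare [::] means port 80
            v6.add(port)
            if "ipv6only=off" in params:              # dual-stack socket
                v4.add(port)
        elif ":" in addr:                             # 0.0.0.0:80, *:80, host:80
            v4.add(addr.rsplit(":", 1)[1])
        else:                                         # "80", or a host without port
            v4.add(addr if addr.isdigit() else "80")
    for port in sorted(v6 - v4):
        findings.append(f"port {port}: IPv6 listen without a matching IPv4 listen")
    return findings

# Constructed sample configs (not taken from the Hoa server).
BROKEN = """
server {
    listen [::]:80;   # opens an IPv6 socket only
    server_name static.example.test;
}
"""
FIXED = """
server {
    listen 80;
    listen [::]:80;
    server_name static.example.test;
}
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_listen(conf) or "ok")
```

Run over each file under the nginx configuration directory, a non-empty result marks a site that needs the second listen line.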

Your PR has been merged and deployed with success on hoa-project.net. Also, I did something very similar to blog.hoa-project.net, also merged and deployed (PR #6).

Now we can switch I guess :-).

Good catch for the blog, I forgot this domain; I should include it in the Let’s Encrypt certs. I’ve set up HTTPS on the preview website but it seems not to be up to date with the git repository.

OK, I’ve rebuilt the certificates with lots of subdomains and set up auto-renewal.

The following domains have been set up in nginx, but without forcing redirection, so as not to break dependencies or actual usage.

The website and blog must use https with the search engine, otherwise the browser will intercept the request. I also opened two PRs on preview for this.

We can have more details for administrators on the server in /root/support-history.md

Is it over now? Do we have other domains to update or other manipulations?

Did you love SSL? After fighting with the Discourse header to make the proxy work, I was wondering why none of the pages have any comments. It’s because the Jekxyl bot just created a new thread. It’s based on the full link, and https is another URL…

Btw, this cannot work under preview.hoa due to two domain validation.

But you can merge preview change into master.


I am not sure it takes the protocol into account: Only the domain name and the pathname (probably the queries too), isn’t it?

@pierozi I have created https://github.com/hoaproject/Blog/pull/7 in order to be consistent with other services. The blog will use the proxy-discourse.hoa domain to get embed JavaScript files. While not necessary, it makes things consistent. Thoughts?

@Hywan You did well, it is necessary to have comments on the blog.

@pierozi It seems https://central.hoa-project.net/ is not working well (for instance https://central.hoa-project.net/Resource/Library/Console). Can you take a look at it please?

Central is not configured, it should not be forced to https. I will look at that, because that happens on all domains on this server without https configured.

Why should it not be forced? I don’t see any reason.

I set up TLS on all the subdomains of hoa-project.net. This fixes the issues where redirection cycles are blocked by the browser.


@pierozi Should I open a new topic about https://observatory.mozilla.org/analyze.html?host=hoa-project.net? I guess we should get a better score ;-).

For the SSL test, you should look at https://www.ssllabs.com/ssltest/analyze.html?d=hoa-project.net

HSTS was disabled due to our subdomains not all being https and redirection cycle issues. Maybe we can set up CORS rules in the website to fix the security headers.

:smiley:

Can we set HSTS now? I guess nothing is blocking. Am I wrong?

@pierozi Do we have to worry about this https://tls.imirhil.fr/https/hoa-project.net?

Actually, HSTS is already implemented; only the include-subdomains option has been removed. You can check with => curl -s -D - https://hoa-project.net/Fr/ -o /dev/null

The cipher rules are already set as well as we can (as the Mozilla generator recommends). The imirhil cipher checks are pretty rude! Try google.com, paypal or amazon, they are pretty close to us.

That’s perfect then, thank you for the clarifications!