[SAC] [OSGeo] #2775: OSGeo Download Server does not redirect to secure HTTPS

#2775: OSGeo Download Server does not redirect to secure HTTPS
-------------------------+-----------------------
Reporter: Mike Toews | Owner: vicky@…
     Type: enhancement | Status: new
Priority: normal | Milestone: Unplanned
Component: WebSite | Keywords:
-------------------------+-----------------------
Firstly, it should be noted that https://download.osgeo.org/ uses a secure
connection with a valid certificate. However, there are two issues:
  - Navigating to http://download.osgeo.org/ does not redirect to
https://download.osgeo.org/ as most modern websites do
  - From the HTTPS version, clicking (e.g.) "GEOS" goes to non-secure
http://download.osgeo.org/geos/ even though editing the address to
https://download.osgeo.org/geos/ seems to work, where the files can also
be clicked and downloaded using HTTPS using (e.g.) curl or wget

The purpose of this ticket is to get the website to redirect HTTP to HTTPS
secure content for web browsing and downloading. I'm not a "web person" so
I'm unable to help resolve this issue any further.

See related #1798 and #2005
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2775: OSGeo Download Server does not redirect to secure HTTPS
-------------------------+------------------------
Reporter: Mike Toews | Owner: vicky@…
     Type: enhancement | Status: new
Priority: normal | Milestone: Unplanned
Component: WebSite | Resolution:
Keywords: |
-------------------------+------------------------
Comment (by robe):

I don't think this is a good idea. It's bound to break a lot of reliance
on http.
I also don't see the point of a public download site requiring https.
Please give me a security reason why this should be done. If people want
a secure connection, they can use https.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:1>

Comment (by Mike Toews):

Sure, I suppose someone that enters with HTTP can stay non-secure. But I
would expect someone entering with HTTPS would keep navigating with HTTPS
for subpages.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:2>

Comment (by wildintellect):

Most browsers are going to start redirecting to https by default soon, so
for ordinary users this will solve itself.
https://www.makeuseof.com/chrome-defaults-to-https/

The argument is to prevent malicious manipulation of the bytes (man in the
middle) on software downloads (because few people check hashes). This is a
valid concern (CRAN for R made this switch a few years back). However, Robe
is right that many services, aka build tools, may be relying on http, and
some systems block https access. So while we should encourage https, I agree
we don't need to force it, but encourage its usage.

As long as anything requiring login goes to https that should be fine.

Ah it is a little odd to go from https to http. I am unable to replicate
that issue, can you provide more details on exact steps?
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:3>

Comment (by wildintellect):

Ah spoke too soon, I am able to replicate the GEOS page issue (had to turn
off auto https redirect). The link is https but somehow directs to http.
That seems like a bad rewrite rule somewhere in nginx. We should fix that.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:4>

Comment (by Mike Toews):

Thanks! That fix alone would be perfect. I didn't check all other subpages
to see if that was the issue, or if it is more general.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:5>

Comment (by robe):

Ah that is odd. Okay I'll take a look at nginx to see why it's doing
that.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:6>

#2775: OSGeo Download Server does not redirect to secure HTTPS
-------------------------+------------------------
Reporter: Mike Taves | Owner: vicky@…
     Type: enhancement | Status: new
Priority: normal | Milestone: Unplanned
Component: WebSite | Resolution:
Keywords: |
-------------------------+------------------------
Comment (by Mike Taves):

Replying to [comment:3 wildintellect]:
> Most browsers are going to start redirecting to https by default soon,
so for ordinary users this will solve itself.
> https://www.makeuseof.com/chrome-defaults-to-https/

This also does not seem to work. I've tested both Chrome 102.0.5005.115
and Firefox 101.0.1, and typing only "download.osgeo.org" will direct the
web browser to the HTTP version.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:7>

Comment (by robe):

I'm still stumped by this. I think the issue is with one of the nginx
configs in the download container, because just doing the test within the
container I see the same behavior.

It has to do with the lack of a trailing /

so https://download.osgeo.org/geos -> http://download.osgeo.org/geos/

with a 301 permanently moved.

with a trailing / things work as expected -
https://download.osgeo.org/geos/.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:8>

#2775: OSGeo Download Server does not redirect to secure HTTPS
-------------------------+------------------------
Reporter: Mike Taves | Owner: vicky@…
     Type: enhancement | Status: closed
Priority: normal | Milestone: Unplanned
Component: WebSite | Resolution: fixed
Keywords: |
-------------------------+------------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed

Comment:

Give it a try now.

Per this article - https://www.netexpertise.eu/en/misc/nginx/nginx-behind-reverse-proxy-301-https-to-http-redirect-when-url-has-no-trailing-slash.html

In the download container, I added a link to /etc/nginx/sites-enabled/1download.local

{{{
absolute_redirect off;
}}}

It still ends up doing a redirect, but does a relative now instead of an
absolute, so it maintains the browsers choice of http vs. https.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:9>
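The symptom robe diagnosed in comment 8 and worked around in comment 9 is that nginx, sitting behind a TLS-terminating proxy, answered a request for https://download.osgeo.org/geos with a 301 whose Location header was an absolute http:// URL, so the browser silently dropped to plain HTTP; with `absolute_redirect off;` the Location becomes the relative path /geos/ and the client keeps whatever scheme it arrived on. The script below is an added example written for this page (it is not OSGeo's code and not from anyone in this thread): it resolves a Location header the way a browser does and flags an https-to-http downgrade. The SAMPLES list is constructed from the behaviour described in the ticket, not captured from the server; `head_location` is a hypothetical helper for probing a live URL and is only used when the script is run with an argument.

```python
"""Added example (not OSGeo's code): detect an HTTPS -> HTTP downgrade in an
HTTP redirect, the symptom reported in this ticket, and optionally probe a
live URL with a single HEAD request that does not follow redirects."""
import http.client
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


def resolve_redirect(request_url: str, location: str) -> str:
    """Absolute target of a Location header, resolved as a browser would.

    A relative Location ("/geos/") inherits the scheme of the request that
    was redirected; an absolute one ("http://host/geos/") replaces it.
    """
    return urljoin(request_url, location)


def is_downgrade(request_url: str, location: Optional[str]) -> bool:
    """True when following the redirect moves an https request onto http."""
    if not location:
        return False
    before = urlsplit(request_url).scheme
    after = urlsplit(resolve_redirect(request_url, location)).scheme
    return before == "https" and after == "http"


def head_location(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Hypothetical live check: one HEAD request, redirects not followed.

    http.client never follows redirects, so the Location header comes back
    exactly as the server sent it (absolute or relative).
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed samples (request URL, status, Location) modelled on the ticket:
# the pre-fix absolute redirect, the post-fix relative redirect, and a plain
# http request that is allowed to stay on http. Not captured from the server.
SAMPLES = [
    ("https://download.osgeo.org/geos", 301, "http://download.osgeo.org/geos/"),
    ("https://download.osgeo.org/geos", 301, "/geos/"),
    ("http://download.osgeo.org/geos", 301, "http://download.osgeo.org/geos/"),
]


def classify_samples(samples=SAMPLES) -> List[Tuple[str, str, bool]]:
    """(request URL, resolved target, downgraded?) for each sample response."""
    return [(url, resolve_redirect(url, loc), is_downgrade(url, loc))
            for url, _status, loc in samples]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check_redirect.py https://download.osgeo.org/geos
        status, loc = head_location(sys.argv[1])
        print(status, loc, "DOWNGRADE" if is_downgrade(sys.argv[1], loc) else "ok")
    else:
        for url, target, bad in classify_samples():
            print(f"{url} -> {target}  {'DOWNGRADE' if bad else 'ok'}")
```

The equivalent one-liner from a shell is `curl -sSI https://download.osgeo.org/geos | grep -i '^location:'`: a Location starting with `http://` reproduces the bug, a bare `/geos/` matches the fixed behaviour. Note that the relative redirect only prevents the downgrade; a client that started on http still stays on http, which is the behaviour the thread settles on.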

Comment (by Mike Taves):

Thanks, I can confirm that the browser choice of HTTP or HTTPS is now
maintained while navigating between subpages.

However, I still see bare "download.osgeo.org" prefer HTTP. From what
wildintellect linked above, I would have expected the browser to automatically
choose HTTPS as the default protocol.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:10>

Comment (by robe):

In Firefox for me, typing download.osgeo.org redirects me to https when I
am in incognito mode, but stays as http when I'm in regular mode.

On Chrome it always redirects me to https if I type download.osgeo.org.
I'm running Chrome Version 103.0.5060.53 (Official Build) (64-bit)

Edge does not redirect me to https (even in incognito mode). Stays as
http unless I explicitly type in https.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2775#comment:11>