openbsd.org - certain https URLs downgraded to http in redirection


Aham Brahmasmi
Namaste misc,

Overview:
Certain https URLs on openbsd.org get downgraded to http in redirection.

Steps:
When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.

Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

Probable Solution:
Would we benefit from changing our httpd.conf to
...
        listen on * port https
...
        location "/cgi-bin/man.cgi*" {
                block return 301 "https://man...
...
<similarly for cvsweb et al>
...

This is similar to the recommended httpd.conf for OpenBSD mirrors [2].

Dhanyavaad,
ab
[1] - These URLs are among the top search results for the search terms
"openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
non-evil web search engine.
[2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5&content-type=text/x-cvsweb-markup
---------|---------|---------|---------|---------|---------|---------|--
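
A check for the downgrade reported above, as an added example that is not part of the original post or of OpenBSD's own configuration: it resolves each Location header against the requested URL and flags hops that go from https to http. The hop list is constructed, and the status codes in it are assumptions, since the post gives only the start and end URLs.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: (requested URL, status, Location header) per hop.
# Status codes are assumed; the post only reports the start and end URLs.
SAMPLE_HOPS = [
    ("https://www.openbsd.org/cgi-bin/man.cgi", 301,
     "http://man.openbsd.org/cgi-bin/man.cgi"),
    ("https://www.openbsd.org/cgi-bin/cvsweb", 301,
     "http://cvsweb.openbsd.org/cgi-bin/cvsweb/"),
    # Constructed comparison cases that must not be flagged.
    ("https://example.org/a", 302, "/b"),               # relative: stays https
    ("https://example.org/a", 302, "//example.net/b"),  # scheme-relative: stays https
    ("http://example.org/a", 301, "https://example.org/a"),  # upgrade
    ("https://example.org/a", 200, None),               # not a redirect
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirect_target(url, status, location):
    """Return the absolute redirect target, or None if this is not a redirect."""
    if status not in REDIRECT_CODES or not location:
        return None
    # Location may be relative or scheme-relative; resolve it as a browser would.
    return urljoin(url, location.strip())


def is_downgrade(url, status, location):
    """True when an https request is redirected to a plain-http target."""
    target = redirect_target(url, status, location)
    if target is None:
        return False
    return (urlsplit(url).scheme.lower() == "https"
            and urlsplit(target).scheme.lower() == "http")


def find_downgrades(hops):
    """Return (from_url, to_url) for every hop that leaves TLS."""
    return [(u, redirect_target(u, s, loc)) for u, s, loc in hops
            if is_downgrade(u, s, loc)]


if __name__ == "__main__":
    for src, dst in find_downgrades(SAMPLE_HOPS):
        print(f"DOWNGRADE {src} -> {dst}")
```
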


Re: openbsd.org - certain https URLs downgraded to http in redirection

Sebastian Benoit
Aham Brahmasmi([hidden email]) on 2020.02.12 10:34:55 +0100:

> Namaste misc,
>
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
>
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
>
> Probable Solution:
> Would we benefit from changing our httpd.conf to
> ...
>         listen on * port https
> ...
>         location "/cgi-bin/man.cgi*" {
>                 block return 301 "https://man...
> ...
> <similarly for cvsweb et al>
> ...
>
> This is similar to the recommended httpd.conf for OpenBSD mirrors [2].
>
> Dhanyavaad,
> ab
> [1] - These URLs are among the top search results for the search terms
> "openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
> non-evil web search engine.
> [2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5&content-type=text/x-cvsweb-markup

Thanks for noticing this.

These two services are run by volunteers, and it's up to them how to provide
the service.

If you want to keep it secret what manpage you are looking at or what src
file you are reading, OpenBSD comes with fine command line tools that don't
need network access after initial installation.

Best regards,
B.