forcing HTTPS-only on LR services

[joe hobson]

In the week we are going to start enforcing HTTPS-only access on all LR services, as directed by the US Department of Education. Although HTTPS connections have been available on the LR servers all along, access over port 80 was still the norm in use by most consumers.

As a move in this direction, the sandbox and goOpen.sandbox servers have both been updated to force HTTPS. Please take a few moments to test any applications you have that publish to or consume from LR services to verify that everything is still working for you. Most applications should continue to function, simply redirecting to the new end points, though we suggest updating to use HTTPS protocol for all access.

Keep in mind that HTTPS is already enabled and functioning on all LR servers, sandbox and production (node01, node02, goOpen), so you can update your service endpoints to use HTTPS immediately. We will be updating the LR production servers to force HTTPS on or after Sunday, January 28th.

Please let me know if you run into any issues, or if you need additional time to test your application before the change over. All feedback is appreciated. ... .joe

-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:

joe hobson

   president / director of technology

   Navigation North

[Steve Midgley]

If it's not too hard, you might consider returning an error or a redirect http code on port 80. Would help avoid people thinking that the service is just down..

--
--
---
This message is posted from the Google Groups "LearningRegistry" group. More information about the Learning Registry project can be found at http://learningregistry.org/
 
To post: learningregistry@googlegroups.com
To unsubscribe: learningregistry+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/learningregistry?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Learning Registry" group.
To unsubscribe from this group and stop receiving emails from it, send an email to learningregistry+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[joe hobson]

It should be sending back a 301 code for the redirect. Unfortunately there was a typo in the server config (fixed now) for sandbox, so that may have been the issue.

But in my testing with curl and the LRSignature python library I'm finding mixed results with redirects, so it may be your publishing setup. For simple curl publishing, if you don't pass the "-L" flag then you'll just get the 301 code output - you have to pass the flag if you're using non-HTTP.

For python, at least when using the urllib2 library, if you're using non-HTTP then you'll run into a 404 error because the redirect will convert the POST into a GET. It doesn't look like there's an easy way around this -- so change your publishing URL to use HTTPS

at least that's my finding.

On Tuesday, January 23, 2018 at 1:01:35 PM UTC-6, Steve Midgley wrote:

If it's not too hard, you might consider returning an error or a redirect http code on port 80. Would help avoid people thinking that the service is just down..

On Tue, Jan 23, 2018 at 12:14 AM, joe hobson <joeh...@gmail.com> wrote:

In the week we are going to start enforcing HTTPS-only access on all LR services, as directed by the US Department of Education. Although HTTPS connections have been available on the LR servers all along, access over port 80 was still the norm in use by most consumers.

As a move in this direction, the sandbox and goOpen.sandbox servers have both been updated to force HTTPS. Please take a few moments to test any applications you have that publish to or consume from LR services to verify that everything is still working for you. Most applications should continue to function, simply redirecting to the new end points, though we suggest updating to use HTTPS protocol for all access.

Keep in mind that HTTPS is already enabled and functioning on all LR servers, sandbox and production (node01, node02, goOpen), so you can update your service endpoints to use HTTPS immediately. We will be updating the LR production servers to force HTTPS on or after Sunday, January 28th.

Please let me know if you run into any issues, or if you need additional time to test your application before the change over. All feedback is appreciated. ... .joe

-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:

joe hobson

   president / director of technology

   Navigation North

--
--
---
This message is posted from the Google Groups "LearningRegistry" group. More information about the Learning Registry project can be found at http://learningregistry.org/
 

To post: learning...@googlegroups.com
To unsubscribe: learningregist...@googlegroups.com

For more options, visit this group at
http://groups.google.com/group/learningregistry?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Learning Registry" group.

To unsubscribe from this group and stop receiving emails from it, send an email to learningregist...@googlegroups.com.