Thanks for bringing this up! I can definitely help get SSL set up for
calagator.org. For the iCal + Google calendar feeds, it seems like we should do some testing to see if these clients handle redirects correctly. If they do, we can redirect all traffic to SSL. If not, we may want to keep those particular routes HTTP-accessible?
It seems like there are three main options:
1) Buy a cert for
calagator.org and install it — most paperwork; end-to-end encryption + provides verification that this is really the Calagator server; probably not necessary due to the open-access and non-sensitive nature of Calagator's content
2) Set up Let's Encrypt and use that — needs server configuration updates via
https://github.com/stumpsyn/servers to set up the letsencrypt daemon (which could be reused on other Snydicate-hosted domains); end-to-end encryption; seems fairly reasonable
3) Proxy through CloudFlare and use their SNI-based SSL feature (we recently set this up for
pdxruby.org) — easiest; no server config changes; traffic encrypted from CloudFlare to client, but not from Calagator server to CloudFlare without additional config; also provides asset CDN features.