https and SSL


Lauren Voswinkel

Aug 2, 2016, 2:57:59 PM
to PDX Tech Calendar
Hey all,
In an effort to be more up-to-speed with current web standards, I'd love to see us get http://calagator.org serving via https. It looks like it should be a pretty straightforward thing to do; however, the changes have to do, almost exclusively, with settings on the server it's deployed to. Primarily this involves generating an SSL cert and then opening up port 443 for access... I'm unsure of who I would have to talk to to get this work done or do this work, but I'm willing to do so or pester the right people to get this done. :)

If you just randomly stumble across this and want to poke around at the wonderful world of SSL certs... https://letsencrypt.org/ is a lovely resource.

Audrey Eschright

Aug 2, 2016, 3:01:16 PM
to pdx-tech...@googlegroups.com, Reid Beels
Hi Lauren,

The Calagator site is hosted by Stumptown Syndicate through their Rackspace account, and Reid has been the primary person working on that. I think adding https by default would be great. Do you know whether that would have an impact on things like our .ical feed and Google calendar features?

Audrey


Reid Beels

Aug 2, 2016, 3:23:04 PM
to Audrey Eschright, pdx-tech...@googlegroups.com
Hi Lauren and Audrey,

Thanks for bringing this up! I can definitely help get SSL set up for calagator.org. For the iCal + Google calendar feeds, it seems like we should do some testing to see if these clients handle redirects correctly. If they do, we can redirect all traffic to SSL. If not, we may want to keep those particular routes HTTP-accessible?

It seems like there are three main options:

1) Buy a cert for calagator.org and install it — most paperwork; end-to-end encryption + provides verification that this is really the Calagator server; probably not necessary due to the open-access and non-sensitive nature of Calagator's content
2) Set up Let's Encrypt and use that — needs server configuration updates via https://github.com/stumpsyn/servers to set up the letsencrypt daemon (which could be reused on other Syndicate-hosted domains); end-to-end encryption; seems fairly reasonable
3) Proxy through CloudFlare and use their SNI-based SSL feature (we recently set this up for pdxruby.org) — easiest; no server config changes; traffic encrypted from CloudFlare to client, but not from Calagator server to CloudFlare without additional config; also provides asset CDN features.

What do you think is the best route?

~Reid

Perry Wagle

Aug 2, 2016, 4:41:10 PM
to pdx-tech...@googlegroups.com, Audrey Eschright
https://letsencrypt.org/ has free certs, by the way, and is moderately easy to use. All the cool kidz on freenode/#pdxtech use it.

— Perry

Perry Wagle

Aug 2, 2016, 4:42:07 PM
to pdx-tech...@googlegroups.com, Audrey Eschright
Oops, didn’t read far enough, sorry for being redundant.

— Perry

Asheesh Laroia

Aug 3, 2016, 4:43:15 AM
to pdx-tech...@googlegroups.com, Audrey Eschright
I personally think proxying through CloudFlare is the best option for a group like Stumptown Syndicate, specifically with regard to having zero ongoing operational overhead and, therefore, zero risk of something breaking due to volunteers having other priorities.

Let's Encrypt's max cert duration is about 90 days as I recall, so someone needs to put automation in place for renewing it, or else you'll be sad 90 days from now.
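
The renewal concern raised above, as an added example that is not part of the original thread: a check a cron job could run so that a stalled renewal is noticed before the certificate lapses. The 30-day threshold, the function names and the sample certificate dates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed policy: renewal should happen with 30+ days left


def fetch_cert(host, port=443, timeout=10):
    """Return the validated peer certificate (getpeercert() dict) of a live host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now):
    """Whole days between `now` (timezone-aware) and the cert's notAfter."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days  # negative once notAfter has passed


def renewal_status(cert, now, renew_before=RENEW_BEFORE_DAYS):
    """Classify a certificate as 'ok', 'renew-overdue' or 'expired'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired", left
    if left < renew_before:
        # Automation should already have replaced this certificate.
        return "renew-overdue", left
    return "ok", left


# Constructed sample: a 90-day certificate in the dict shape getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Aug  3 00:00:00 2016 GMT",
    "notAfter": "Nov  1 00:00:00 2016 GMT",
}

if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for day in (datetime(2016, 8, 10, tzinfo=timezone.utc),
                datetime(2016, 10, 15, tzinfo=timezone.utc),
                datetime(2016, 11, 2, tzinfo=timezone.utc)):
        print(day.date(), renewal_status(SAMPLE_CERT, day))
    # Live use: renewal_status(fetch_cert("example.org"), datetime.now(timezone.utc))
```

When a site is proxied through a CDN, `fetch_cert` sees the certificate the CDN presents to clients, not one installed on the origin server.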

Reid Beels

Aug 3, 2016, 4:13:05 PM
to pdx-tech...@googlegroups.com, Audrey Eschright
🔒🎉

I went ahead and set up CloudFlare on calagator.org, so https://calagator.org is now accessible. I haven't set up any HTTP->HTTPS redirects yet, pending investigation of feed clients.

Lauren Voswinkel

Aug 3, 2016, 11:07:34 PM
to PDX Tech Calendar, spin...@gmail.com, rei...@reidab.com
Thanks so much for doing this! Now my master plan to update the PDXRuby preshow slides without having to allow unsafe scripts has come to fruition. 

*evil laugh*

...

*ahem*

Thanks again~!