Xapian's websites (xapian.org, trac.xapian.org and lists.xapian.org) are now available via https: https://xapian.org, https://trac.xapian.org and https://lists.xapian.org/mailman/listinfo. (Currently https://lists.xapian.org/ redirects to non-https, because of limitations in mailman.)

It'd be helpful if people could check if they have any problem accessing the sites over https. Note that interlinks between the three sites may not all yet preserve https (feel free to file bugs for anything you spot).

If there are no problems, in a week I'll make http versions redirect to https for trac and lists, and if we have no problems there I'll add HSTS headers. I'd prefer to move xapian.org to https by default as well, but that's less pressing. If anyone has any opinions either way, please let me know.

J

--
  James Aylett, occasional trouble-maker
  xapian.org

James writes:

> It'd be helpful if people could check if they have any problem
> accessing the sites over https.

Works for me (Iceweasel 43.0.4, browsing from Denmark) - cool!

> Note that interlinks between the three sites may not all yet preserve
> https (feel free to file bugs for anything you spot).

I spotted these when clicking around a little:

 * The link "Highly portable" on https://xapian.org/features points to
   http://trac...

 * The links "mailing lists" and "Mailing lists" on
   https://trac.xapian.org/ point to http://xapian...

 * The link "Documentation" on https://trac.xapian.org/ points to
   http://xapian...

 * The link "Xapian-devel Archives" on
   https://lists.xapian.org/mailman/listinfo/xapian-devel points to
   http://lists...

 * The link "More info on this list..." on
   https://lists.xapian.org/pipermail/xapian-devel/2015-December/thread.html
   points to http://lists...

Best regards,

  Adam

--
 "I like the one where Cobber starts!"
 Adam Sjøgren
 asjo at koldfront.dk

On Sun, Jan 24, 2016 at 03:05:31PM +0100, Adam Sjøgren wrote:
> James writes:
> > It'd be helpful if people could check if they have any problem
> > accessing the sites over https.
>
> Works for me (Iceweasel 43.0.4, browsing from Denmark) - cool!

Yes, many thanks to James for working on this.

> I spotted these when clicking around a little:
>
> * The link "Highly portable" on https://xapian.org/features points to
>   http://trac...
>
> * The links "mailing lists" and "Mailing lists" on
>   https://trac.xapian.org/ point to http://xapian...

Fixed. Being a wiki, anyone can fix such links - please feel free to.

One warning - trac doesn't seem to understand links without a scheme, so a link to //xapian.org/ doesn't work - explicitly specifying https: seems to be needed.

> * The link "Documentation" on https://trac.xapian.org/ points to
>   http://xapian...

I've fixed these and all the others I found with grep. Also fixed up a couple of lingering references to wiki.xapian.org (which redirects to trac.xapian.org/wiki).

> * The link "Xapian-devel Archives" on
>   https://lists.xapian.org/mailman/listinfo/xapian-devel points to
>   http://lists...
>
> * The link "More info on this list..." on
>   https://lists.xapian.org/pipermail/xapian-devel/2015-December/thread.html
>   points to http://lists...

These are presumably in the mailman config, which I think only James can update.

Cheers,
    Olly

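[Added example, not part of the thread and not code from the Xapian project: a way to find the kind of interlinks reported above, by listing links to the three sites that use http: or omit the scheme (which trac is reported not to handle). The sample page and its paths are constructed.]

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The three hosts named in the thread.
SITES = {"xapian.org", "trac.xapian.org", "lists.xapian.org"}

class LinkCollector(HTMLParser):
    """Collect (url, link text) for every <a href> in a page."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def insecure_interlinks(html):
    """Return (reason, url, text) for links to SITES that do not name https."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for url, text in parser.links:
        parts = urlsplit(url)
        if (parts.hostname or "") not in SITES:
            continue  # path-relative link or a site outside the three
        if parts.scheme == "http":
            findings.append(("http", url, text))
        elif parts.scheme == "":
            findings.append(("scheme-relative", url, text))
    return findings

# Constructed sample page; the paths are placeholders, not real Xapian URLs.
SAMPLE = """
<a href="http://trac.xapian.org/constructed/page">Link A</a>
<a href="//xapian.org/constructed/docs">Link B</a>
<a href="https://lists.xapian.org/constructed/list">Link C</a>
<a href="/constructed/relative">Link D</a>
"""
if __name__ == "__main__":
    print(insecure_interlinks(SAMPLE))
```
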
On 24 Jan 2016, at 13:48, James Aylett <james-xapian at tartarus.org> wrote:

> Xapian's websites (xapian.org, trac.xapian.org and lists.xapian.org) are now available via https: https://xapian.org, https://trac.xapian.org and https://lists.xapian.org/mailman/listinfo. (Currently https://lists.xapian.org/ redirects to non-https, because of limitations in mailman.)

Update: lists.xapian.org and trac.xapian.org will now *default* to https. If you access them via http, they'll issue a redirect to the https version. If anyone has any issues at all with logging in or working with these sites, please let me know as soon as possible!

I'll leave this for a month or so and then add HSTS headers and turn them into permanent redirects, so that browsers know not to bother trying the http version at all.

Some links within Mailman (particularly archives) will still go to http, because it doesn't seem to have any configuration options for getting this right. As far as I can tell, neither Mailman nor Trac supports issuing secure-only cookies (which is why moving to HSTS is important).

I won't be doing this (at least for the time being) for other Xapian sites.

J

--
  James Aylett, occasional trouble-maker
  xapian.org

On Sun, Jan 31, 2016 at 01:51:21PM +0000, James Aylett wrote:
> Some links within Mailman (particularly archives) will still go to
> http, because it doesn't seem to have any configuration options for
> getting this right. As far as I can tell, neither Mailman nor Trac
> supports issuing secure-only cookies (which is why moving to HSTS is
> important).

I found the option for trac - it's "secure_cookies = true" in the "[trac]" section of trac.ini, and is now enabled.

This only seems to affect new cookies (i.e. trac doesn't resend existing cookies such that the browser upgrades them to being flagged as "secure"), but the cookies are session cookies, so will expire when the browser gets restarted. You can go and delete the existing cookies by hand if you want to refresh them sooner.

It looks like mailman >= 2.1.15 should automatically send "secure" cookies if web_page_url has an "https" scheme, but this doesn't seem to happen for some reason, at least on lists.xapian.org.

Cheers,
    Olly
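
[Added example, not part of the thread and not code from the Xapian project: a header audit for the three things discussed in the last two messages, namely whether the http redirect is permanent, whether the https response sends HSTS, and whether each cookie is flagged Secure. The sample responses and the cookie name "sid" are constructed; they are not captured from the real sites.]

```python
REDIRECTS = (301, 302, 303, 307, 308)
PERMANENT = (301, 308)

def cookie_is_secure(set_cookie):
    """True if a Set-Cookie header value carries the Secure attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or 0."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return 0

def audit(url, status, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    def get(name):
        return [v for k, v in headers if k.lower() == name]
    findings = []
    if url.startswith("http://"):
        target = (get("location") or [""])[0]
        if status not in REDIRECTS or not target.startswith("https://"):
            findings.append("no redirect to https")
        elif status not in PERMANENT:
            findings.append("redirect to https is temporary")
        return findings  # browsers ignore HSTS sent over plain http
    if not any(hsts_max_age(v) > 0 for v in get("strict-transport-security")):
        findings.append("no HSTS header")
    for cookie in get("set-cookie"):
        if not cookie_is_secure(cookie):
            findings.append("cookie without Secure: " + cookie.split("=", 1)[0])
    return findings

# Constructed responses modelled on the state the thread describes.
SAMPLES = [
    ("http://trac.xapian.org/", 302, [("Location", "https://trac.xapian.org/")]),
    ("https://trac.xapian.org/", 200, [("Set-Cookie", "sid=abc; Path=/; Secure")]),
    ("https://lists.xapian.org/mailman/listinfo", 200,
     [("Set-Cookie", "sid=abc; Path=/mailman/")]),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(url, audit(url, status, headers))
```
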