Opened 7 years ago
Closed 6 years ago
#2008 closed task (wontfix)
FOSS4G 2018 Registration Page SSL
Reported by: | markiliffe | Owned by: | martin |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | SysAdmin | Keywords: | foss4g2018 ssl |
Cc: |
Description
We need a secure, SSL certificated place to place our registration page. We propose to use registration.foss4g.org as the domain for this. Currently, we are using 2018.foss4g.or.tz as the page, but would prefer to host our payment clearing page on OSGeo's servers.
Change History (11)
follow-up: 3 comment:1 by , 7 years ago
comment:2 by , 7 years ago
Keywords: | ssl added |
---|---|
Summary: | FOSS4G 2018 Registration Page → FOSS4G 2018 Registration Page SSL |
comment:3 by , 7 years ago
Replying to robe:
> What server is 2018.foss4g.org hosted on.

https://bgp.he.net/ip/52.28.51.102#_dns
--> 52.28.51.102 resolves to ec2-52-28-51-102.eu-central-1.compute.amazonaws.com

> That at any rate should have an SSL cert too.

+1
comment:4 by , 7 years ago
updating this with IRC logs from http://irclogs.geoapt.com/osgeo-sac/%23osgeo-sac.2018-01-04.log
20:01:27 wildintellect: my suggestion is we get an OSUOSL VM provisioned
20:01:34 Mark____: Hello - Mark Iliffe, FOSS4G 2018 Chair here
20:01:46 robe2: Hi Mark___
20:01:58 cvvergara: Hello Mark____ thanks for comming
20:02:02 wildintellect: the plan was to have 2 servers staging and production at all times
20:02:28 Mark____: No worries @cvvergara
20:02:42 ragnvald: Hello - Ragnvald Larsen hosting the 2018.foss4g.org website
20:03:02 robe2: Hi ragnvald
20:03:05 ragnvald: (also program committee chair for foss4g 2018)
20:03:07 jgarnett: Welcome :)
20:03:08 ragnvald: hi all!
20:03:32 robe2: Regina here
20:03:46 * strk here
20:03:54 MartinSpott: markusN: Tach
20:03:55 cvvergara: So, lets start with the Agenda ...
20:04:00 markusN: Hi, Markus here
20:04:04 strk: MartinSpott: great to see you !
20:04:08 markusN: Tach
20:04:27 cvvergara: I will move the topic of FOSS4G 2018 to be the first topic taken care of
20:04:35 wildintellect: https://wiki.osgeo.org/wiki/SAC_Meeting_2018-01-04
20:04:36 sigabrt: Title: SAC Meeting 2018-01-04 - OSGeo (at wiki.osgeo.org)
20:04:48 strk: hi Ragnvald
20:05:11 strk: and Mark
20:05:35 strk: cvvergara: you chair ?
20:05:41 cvvergara: There are some issues for the FOSS4G that have being "neglected for 3 months) so it seems
20:05:57 cvvergara: So, first I would like to hear what are the current needs
20:06:23 * cvvergara I was last week, so lets keep this going
20:06:24 robe2: I think the SSL is a big one.
20:06:42 robe2: 2018.foss4g.org needs https
20:06:57 strk: is it on OSGeo infrastructure ?
20:07:02 wildintellect: no
20:07:04 robe2: and if it's an amazon server, should be easy to install letsencrypt on it
20:07:09 wildintellect: +1
20:07:10 ragnvald: It is run on an amazon EC2 website
20:07:17 strk: seems not: ec2-52-28-51-102.eu-central-1.compute.amazonaws.com
20:07:33 strk: ragnvald: who'se managing that server ?
20:08:42 robe2: ragnvald ?
20:08:49 ragnvald: yes on the ball
20:08:58 ragnvald: EC2 amazon website (52.28.51.102)
20:09:37 robe2: ragnvald so do you manage it or someone else?
20:09:40 Mark____: we'd be more than happy to host on OSGeo infrastructure, if we can gain full access to
20:09:45 Mark____: *to it
20:09:55 Mark____: Currently we, as in Ragnvald and Tim manage that website
20:10:28 robe2: Mark___ is it mostly static content at the moment or you have some dynamic stuff on it
20:10:40 ragnvald: My workplace is handling it. So we do it in kind. But I have no objections to move it to the osgeo infrastructure.
20:10:40 Mark____: Our payments through https://2018.foss4g.or.tz/ also need a certificate
20:10:41 sigabrt: Title: Foss4g2018 - Dar es salaam - Ticket Payment (at 2018.foss4g.or.tz)
20:11:20 robe2: Mark___ is there a reason why the payment site is separate from main site aside from the ssl one?
20:11:56 Mark____: Yes, there is I'm sure.
20:12:08 wildintellect: who runs the payment site?
20:12:19 Mark____: Our confernece organisers, we run the bank account
20:12:26 Mark____: *conference
20:12:47 ragnvald: The code for the main website is on github - Tim is handling that part. He is basically pushing a static website to the server with every update we have. Nothing fancy going on on the web server.
20:13:15 Mark____: The code for the payments is also very simple HTML - we'd be happy to host in a single point
20:14:04 wildintellect: is it using a 3rd party payment service?
20:14:19 Mark____: yes - Pesapal
20:14:46 Mark____: We have to use that one as it's one of the few services that will clear USD in Africa
20:14:49 * cvvergara can you give the link to github code of website?
20:15:24 wildintellect: I'm wondering the same question, why aren't the 2 sites on the same server?
20:17:23 robe2: Mark___ ragnvald so where is the github site?
20:17:24 Mark____: Because we wanted to get the service up and running
20:17:49 Mark____: Our website took time to get up and running and we wanted to launch tickets at FOSS4G in Boston
20:18:12 wildintellect: would it be possible to merge them?
20:18:29 robe2: Okay so we could merge them and have the payment site be something like https:/2018.foss4g.org/registration
20:18:35 wildintellect: +1
20:18:36 ragnvald: https://github.com/timlinux/foss4g2018
20:18:37 sigabrt: Title: GitHub - timlinux/foss4g2018: Static website for FOSS4G 2018 - this will be replaced later with a dynamic one (at github.com)
20:18:55 Mark____: That's fine - just wish to ensure we have continuity within our payment systems
20:19:05 wildintellect: in either case the answer for how to get SSL is LetEncrypt
20:19:26 robe2: yes letencrypt
20:19:29 strk: can you set that up on the existing server or do we need all website moved ?
20:19:40 wildintellect: and SAC involvement is not required to do that, unless you need our help - which requires giving us access to servers
20:19:44 Mark____: I'd like for us to move away from infrastructure maintained by the LOC
20:19:49 strk: need/want -- I'm not sure what's our policy reguarding website (do we have an ftp server anywhere?)
20:20:01 Mark____: This will help the website be ran post conference
20:20:07 robe2: strk but if you set up automatic push via git
20:20:18 strk: ok so you do want OSGeo hosting ?
20:20:19 robe2: like we do for postgis.net that would be sufficient no?
20:20:19 ragnvald: ... or is it this one: https://github.com/foss4g2018/foss4g2018
20:20:20 sigabrt: Title: GitHub - foss4g2018/foss4g2018: Website for FOSS4G 2018 (at github.com)
20:20:22 Mark____: following this, we'll stop paying for certain things, ie. amazon hosting and mailchimp etc
20:20:26 strk: wildintellect: would adhoc be the best place for it ?
20:20:32 robe2: and it wouldn't require manual uploading anywhere
20:20:33 wildintellect: no
20:20:37 wildintellect: webextra
20:20:42 strk: webextra
20:20:43 wildintellect: where all the foss4g sites live
20:20:58 strk: robe2: we could setup a cron job pulling from github
20:21:05 robe2: yes
20:21:06 strk: on webextra
20:21:13 robe2: or we could even move it to gitea :)
20:21:25 strk: sure
20:21:28 strk: even better
20:21:42 ragnvald: Will have to confirm with Tim on which of the code repos are the real source.
20:22:40 robe2: ragnvald is the payment html hosted on some godaddy server or is it under source control somewhere as well?
20:23:03 * strk cannot find DNS for "webextra"... .osuosl.osgeo.org did not work, nor .osgeo.org
20:23:16 robe2: strk speaking of foss4g did you ever here back from guido?
20:23:17 wildintellect: webextra.osgeo.osuosl.org
20:23:22 strk: robe2: nope
20:23:29 strk: oh, other way around
20:23:39 wildintellect: foss4g.org also works
20:23:51 robe2: I can bug him -- he's just down the block from me. I can threaten to come over though I'm too lazy to walk a block in all honesty
20:24:59 wildintellect: ok so we have a conclusion - 2018.fossg has requested to move to OSGeo hosting, and we'll put SSL in front of it
20:25:01 strk: the apache config there is weird
20:25:28 wildintellect: we'll work it out post meeting
20:25:37 ragnvald: robe2: I am ignorant to the contents of the code.
20:25:38 Mark____: Awesome. The LOC of 2018 endorses this decision
We should be moving on this.
comment:5 by , 7 years ago
Owner: | changed from | to
---|
Martin,
Reassigning to you to do under your current contract. I think you'll first want to contact Tim Sutton (who is PSC Chair of QGIS) since I think the main site he is currently hosting as a favor.
comment:7 by , 7 years ago
It appears that the actual payment processing page is loaded within an iframe on the foss4g site, which could allow an attacker to expose credit card information using javascript. Please audit this and preferably redirect to the external payment processor directly.
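
A starting point for the audit requested in comment 7, as an added example that is not part of the ticket or of any OSGeo tooling: a Python check that lists the iframes on a page and flags the conditions under which a visitor cannot verify where a framed payment form comes from. The function name, host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FrameCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def audit_frames(page_url, html):
    """Return one finding per iframe in `html` as served from `page_url`."""
    collector = _FrameCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for attrs in collector.frames:
        src = urljoin(page_url, attrs.get("src") or "")
        frame = urlsplit(src)
        issues = []
        if page.scheme != "https":
            # Without TLS the embedding page, including the frame's src,
            # can be altered in transit before it reaches the visitor.
            issues.append("embedding page not served over HTTPS")
        if frame.scheme != "https":
            issues.append("frame content not served over HTTPS")
        if frame.hostname != page.hostname:
            # The address bar shows the embedding host, so the visitor
            # cannot see which host actually receives the card data.
            issues.append("third-party frame (%s)" % frame.hostname)
        findings.append({"src": src, "issues": issues})
    return findings


# Constructed sample: an event page framing a payment form (hypothetical hosts).
SAMPLE_HTML = """
<html><body><h1>Ticket Payment</h1>
<iframe src="https://pay.example.net/checkout" width="100%"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_frames("http://tickets.example.org/", SAMPLE_HTML):
        print(f["src"], "->", "; ".join(f["issues"]) or "ok")
```

A top-level redirect to the processor, as the comment prefers, removes the third-party-frame finding because the visitor's address bar then shows the processor's own host and certificate.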
comment:8 by , 7 years ago
http://2018.foss4g.org has an outbound link to https://2018.foss4g.or.tz for the registration page.
Just in order to get the right point of contact, let me clarify the current hosting contacts:
- Tim Sutton (tim@…) - managing the main event web site which is hosted under GitHub pages. We have no direct control over the server on which the site runs.
- Brian Paul (brian@…) - managing the registration and ecommerce site via Studio 19 - our logistics partner in Dar Es Salaam. The registration site is deployed on their own server.
Hope that clarifies things a bit.
Regards
Tim
comment:10 by , 7 years ago
Thank you for clarifying that Tim, I had gotten the impression that the actual registration site itself was being proposed to be moved onto OSGeo's infrastructure, which clearly would not be appropriate.
What server is 2018.foss4g.org hosted on. That at any rate should have an SSL cert too.
Then it could in theory be https://2018.foss4g.org/registration