Opened 7 years ago

Closed 6 years ago

#2008 closed task (wontfix)

FOSS4G 2018 Registration Page SSL

Reported by: markiliffe Owned by: martin
Priority: major Milestone:
Component: SysAdmin Keywords: foss4g2018 ssl
Cc:

Description

We need a secure, SSL certificated place to place our registration page. We propose to use registration.foss4g.org as the domain for this. Currently, we are using 2018.foss4g.or.tz as the page, but would prefer to host our payment clearing page on OGGeo's servers.

Change History (11)

comment:1 by robe, 7 years ago

What server is 2018.foss4g.org hosted on? That at any rate should have an SSL cert too.

Then it could in theory be https://2018.foss4g.org/registration

comment:2 by robe, 7 years ago

Keywords: ssl added
Summary: FOSS4G 2018 Registration Page → FOSS4G 2018 Registration Page SSL

comment:3 by neteler, 7 years ago (in reply to comment:1)

Replying to robe:

What server is 2018.foss4g.org hosted on?

https://bgp.he.net/ip/52.28.51.102#_dns

--> 52.28.51.102 resolves to ec2-52-28-51-102.eu-central-1.compute.amazonaws.com

That at any rate should have an SSL cert too.

+1

comment:4 by robe, 7 years ago

Updating this with IRC logs from http://irclogs.geoapt.com/osgeo-sac/%23osgeo-sac.2018-01-04.log

20:01:27	wildintellect:	my suggestion is we get an OSUOSL VM provisioned
20:01:34	Mark____:	Hello - Mark Iliffe, FOSS4G 2018 Chair here
20:01:46	robe2:	Hi Mark___
20:01:58	cvvergara:	Hello Mark____ thanks for coming
20:02:02	wildintellect:	the plan was to have 2 servers staging and production at all times
20:02:28	Mark____:	No worries @cvvergara
20:02:42	ragnvald:	Hello - Ragnvald Larsen hosting the 2018.foss4g.org website
20:03:02	robe2:	Hi ragnvald
20:03:05	ragnvald:	(also program committee chair for foss4g 2018)
20:03:07	jgarnett:	Welcome :)
20:03:08	ragnvald:	hi all!
20:03:32	robe2:	Regina here
20:03:46		* strk here
20:03:54	MartinSpott:	markusN: Tach
20:03:55	cvvergara:	So, lets start with the Agenda ...
20:04:00	markusN:	Hi, Markus here
20:04:04	strk:	MartinSpott: great to see you !
20:04:08	markusN:	Tach
20:04:27	cvvergara:	I will move the topic of FOSS4G 2018 to be the first topic taken care of
20:04:35	wildintellect:	https://wiki.osgeo.org/wiki/SAC_Meeting_2018-01-04
20:04:36	sigabrt:	Title: SAC Meeting 2018-01-04 - OSGeo (at wiki.osgeo.org)
20:04:48	strk:	hi Ragnvald
20:05:11	strk:	and Mark
20:05:35	strk:	cvvergara: you chair ?
20:05:41	cvvergara:	There are some issues for the FOSS4G that have been "neglected for 3 months" so it seems
20:05:57	cvvergara:	So, first I would like to hear what are the current needs
20:06:23		* cvvergara I was last week, so lets keep this going
20:06:24	robe2:	I think the SSL is a big one.
20:06:42	robe2:	2018.foss4g.org needs https
20:06:57	strk:	is it on OSGeo infrastructure ?
20:07:02	wildintellect:	no
20:07:04	robe2:	and if it's an amazon server, should be easy to install letsencrypt on it
20:07:09	wildintellect:	+1
20:07:10	ragnvald:	It is run on an amazon EC2 website
20:07:17	strk:	seems not: ec2-52-28-51-102.eu-central-1.compute.amazonaws.com
20:07:33	strk:	ragnvald: whose managing that server ?
20:08:42	robe2:	ragnvald ?
20:08:49	ragnvald:	yes on the ball
20:08:58	ragnvald:	EC2 amazon website (52.28.51.102)
20:09:37	robe2:	ragnvald so do you manage it or someone else?
20:09:40	Mark____:	we'd be more than happy to host on OSGeo infrastructure, if we can gain full access to
20:09:45	Mark____:	*to it
20:09:55	Mark____:	Currently we, as in Ragnvald and Tim manage that website
20:10:28	robe2:	Mark___ is it mostly static content at the moment or you have some dynamic stuff on it
20:10:40	ragnvald:	My workplace is handling it. So we do it in kind. But I have no objections to move it to the osgeo infrastructure.
20:10:40	Mark____:	Our payments through https://2018.foss4g.or.tz/ also need a certificate
20:10:41	sigabrt:	Title: Foss4g2018 - Dar es salaam - Ticket Payment (at 2018.foss4g.or.tz)
20:11:20	robe2:	Mark___ is there a reason why the payment site is separate from main site aside from the ssl one?
20:11:56	Mark____:	Yes, there is I'm sure.
20:12:08	wildintellect:	who runs the payment site?
20:12:19	Mark____:	Our confernece organisers, we run the bank account
20:12:26	Mark____:	*conference
20:12:47	ragnvald:	The code for the main website is on github - Tim is handling that part. He is basically pushing a static website to the server with every update we have. Nothing fancy going on on the web server.
20:13:15	Mark____:	The code for the payments is also very simple HTML - we'd be happy to host in a single point
20:14:04	wildintellect:	is it using a 3rd party payment service?
20:14:19	Mark____:	yes - Pesapal
20:14:46	Mark____:	We have to use that one as it's one of the few services that will clear USD in Africa
20:14:49		* cvvergara can you give the link to github code of website?
20:15:24	wildintellect:	I'm wondering the same question, why aren't the 2 sites on the same server?
20:17:23	robe2:	Mark___ ragnvald so where is the github site?
20:17:24	Mark____:	Because we wanted to get the service up and running
20:17:49	Mark____:	Our website took time to get up and running and we wanted to launch tickets at FOSS4G in Boston
20:18:12	wildintellect:	would it be possible to merge them?
20:18:29	robe2:	Okay so we could merge them and have the payment site be something like https://2018.foss4g.org/registration
20:18:35	wildintellect:	+1
20:18:36	ragnvald:	https://github.com/timlinux/foss4g2018
20:18:37	sigabrt:	Title: GitHub - timlinux/foss4g2018: Static website for FOSS4G 2018 - this will be replaced later with a dynamic one (at github.com)
20:18:55	Mark____:	That's fine - just wish to ensure we have continuity within our payment systems
20:19:05	wildintellect:	in either case the answer for how to get SSL is LetsEncrypt
20:19:26	robe2:	yes letsencrypt
20:19:29	strk:	can you set that up on the existing server or do we need all website moved ?
20:19:40	wildintellect:	and SAC involvement is not required to do that, unless you need our help - which requires giving us access to servers
20:19:44	Mark____:	I'd like for us to move away from infrastructure maintained by the LOC
20:19:49	strk:	need/want -- I'm not sure what's our policy regarding website (do we have an ftp server anywhere?)
20:20:01	Mark____:	This will help the website be ran post conference
20:20:07	robe2:	strk but if you set up automatic push via git
20:20:18	strk:	ok so you do want OSGeo hosting ?
20:20:19	robe2:	like we do for postgis.net that would be sufficient no?
20:20:19	ragnvald:	... or is it this one: https://github.com/foss4g2018/foss4g2018
20:20:20	sigabrt:	Title: GitHub - foss4g2018/foss4g2018: Website for FOSS4G 2018 (at github.com)
20:20:22	Mark____:	following this, we'll stop paying for certain things, ie. amazon hosting and mailchimp etc
20:20:26	strk:	wildintellect: would adhoc be the best place for it ?
20:20:32	robe2:	and it wouldn't require manual uploading anywhere
20:20:33	wildintellect:	no
20:20:37	wildintellect:	webextra
20:20:42	strk:	webextra
20:20:43	wildintellect:	where all the foss4g sites live
20:20:58	strk:	robe2: we could setup a cron job pulling from github
20:21:05	robe2:	yes
20:21:06	strk:	on webextra
20:21:13	robe2:	or we could even move it to gitea :)
20:21:25	strk:	sure
20:21:28	strk:	even better
20:21:42	ragnvald:	Will have to confirm with Tim on which of the code repos are the real source.
20:22:40	robe2:	ragnvald is the payment html hosted on some godaddy server or is it under source control somewhere as well?
20:23:03		* strk cannot find DNS for "webextra"... .osuosl.osgeo.org did not work, nor .osgeo.org
20:23:16	robe2:	strk speaking of foss4g did you ever hear back from guido?
20:23:17	wildintellect:	webextra.osgeo.osuosl.org
20:23:22	strk:	robe2: nope
20:23:29	strk:	oh, other way around
20:23:39	wildintellect:	foss4g.org also works
20:23:51	robe2:	I can bug him -- he's just down the block from me. I can threaten to come over though I'm too lazy to walk a block in all honesty
20:24:59	wildintellect:	ok so we have a conclusion - 2018.fossg has requested to move to OSGeo hosting, and we'll put SSL in front of it
20:25:01	strk:	the apache config there is weird
20:25:28	wildintellect:	we'll work it out post meeting
20:25:37	ragnvald:	robe2: I am ignorant to the contents of the code.
20:25:38	Mark____:	Awesome. The LOC of 2018 endorses this decision

We should be moving on this.

comment:5 by robe, 7 years ago

Owner: changed from sac@… to martin

Martin,

Reassigning to you to do under your current contract. I think you'll first want to contact Tim Sutton (who is PSC Chair of QGIS), since I think he is currently hosting the main site as a favor.

comment:6 by Jeff McKenna, 7 years ago

Tim's email is: tim at kartoza dot com

comment:7 by TemptorSent, 7 years ago

It appears that the actual payment processing page is loaded within an iframe on the foss4g site, which could allow an attacker to expose credit card information using JavaScript. Please audit this and preferably redirect to the external payment processor directly.
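
The embedding concern raised in comment:7, as an added defender's check that is not part of the ticket or of either site's code: it scans a page's HTML for iframes and reports whether the host page and each frame are served over HTTPS and whether a frame shares the host's origin. The page URL, HTML and hostnames below are constructed samples, not the real registration site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _IframeSrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")

def audit_payment_embedding(page_url, html):
    """Return findings on how a page embeds payment content.

    Host not on https: a network attacker can inject script that reads or
    replaces the embedded form, whatever the frame's origin.
    Frame not on https: the form and the card data travel in clear.
    Same-origin frame: host-page scripts can read the frame's DOM directly.
    Cross-origin frame: host scripts cannot read it but can still swap its
    src or overlay it, so a redirect to the processor is the safer design.
    """
    host = urlparse(page_url)
    collector = _IframeSrcCollector()
    collector.feed(html)
    findings = []
    if host.scheme != "https":
        findings.append("host page served over %s" % (host.scheme or "unknown"))
    for src in collector.srcs:
        frame = urlparse(src)
        if not frame.netloc:  # relative src resolves to the host origin
            frame = frame._replace(scheme=host.scheme, netloc=host.netloc)
        elif not frame.scheme:  # protocol-relative "//host/..." inherits scheme
            frame = frame._replace(scheme=host.scheme)
        if frame.scheme != "https":
            findings.append("iframe %s loaded over %s" % (src, frame.scheme))
        if (frame.scheme, frame.netloc) == (host.scheme, host.netloc):
            findings.append("iframe %s is same-origin: host scripts can read its DOM" % src)
        else:
            findings.append("iframe %s is cross-origin: prefer a redirect" % src)
    return findings

# Constructed sample: an http host page framing a payment form (not the real site).
SAMPLE_PAGE_URL = "http://conference.example/registration"
SAMPLE_HTML = ('<html><body><h1>Ticket payment</h1>'
               '<iframe src="https://pay.example/checkout?event=1"></iframe>'
               '<iframe src="/legacy-form.html"></iframe></body></html>')
```

Running audit_payment_embedding(SAMPLE_PAGE_URL, SAMPLE_HTML) returns four findings: the http host page, the cross-origin processor frame, and the same-origin legacy form both unencrypted and readable by host scripts.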

comment:8 by timlinux, 7 years ago

@TemptorSent

http://2018.foss4g.org has an outbound link to https://2018.foss4g.or.tz for the registration page.

Just in order to get the right point of contact, let me clarify the current hosting contacts:

  • Tim Sutton (tim@…) - managing the main event web site which is hosted under GitHub pages. We have no direct control over the server on which the site runs.
  • Brian Paul (brian@…) - managing the registration and ecommerce site via Studio 19 - our logistics partner in Dar Es Salaam. The registration site is deployed on their own server.

Hope that clarifies things a bit.

Regards

Tim

comment:9 by timlinux, 7 years ago

brian [at] studio19.co.tz

comment:10 by TemptorSent, 7 years ago

Thank you for clarifying that Tim, I had gotten the impression that the actual registration site itself was being proposed to be moved onto OSGeo's infrastructure, which clearly would not be appropriate.

comment:11 by robe, 6 years ago

Resolution: wontfix
Status: new → closed

2018 is over so this is moot
