#2775 closed enhancement (fixed)
OSGeo Download Server does not redirect to secure HTTPS
| Reported by: | Mike Taves | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Unplanned |
| Component: | WebSite | Keywords: | |
| Cc: |
Description
Firstly, it should be noted that https://download.osgeo.org/ uses a secure connection with a valid certificate. However, there are two issues:
- Navigating to http://download.osgeo.org/ does not redirect to https://download.osgeo.org/ as most modern websites do
- From the HTTPS version, clicking (e.g.) "GEOS" goes to non-secure http://download.osgeo.org/geos/ even though editing the address to https://download.osgeo.org/geos/ seems to work, where the files can also be clicked and downloaded using HTTPS using (e.g.) curl or wget
The purpose of this ticket is to get the website to redirect HTTP to HTTPS secure content for web browsing and downloading. I'm not a "web person" so I'm unable to help resolve this issue any further.
Change History (11)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
Sure, I suppose someone that enters with HTTP can stay non-secure. But I would expect someone entering with HTTPS would keep navigating with HTTPS for subpages.
follow-up: 7 comment:3 by , 2 years ago
Most browsers are going to start redirecting to https by default soon, so for ordinary users this will solve itself. https://www.makeuseof.com/chrome-defaults-to-https/
The argument is to prevent malicious manipulation of the bytes (man in the middle) on software downloads (because few people check hashes). This is a valid concern (CRAN for R made this switch a few years back). However Robe is right that many services, aka build tools may be relying on http, and some system block https access. So while we should encourage https I agree we don't need to force it but encourage it's usage.
As long as anything requiring login goes to https that should be fine.
Ah it is a little odd to go from https to http. I am unable to replicate that issue, can you provide more details on exact steps?
comment:4 by , 2 years ago
Ah spoke too soon, I am able to replicate the GEOS page issue (had to turn off auto https redirect). The link is https but somehow directs to http. That seems like a bad rewrite rule somewhere in nginx. We should fix that.
comment:5 by , 2 years ago
Thanks! That fix alone would be perfect. I didn't check all other subpages to see of that was the issue, or if it is more general.
comment:6 by , 2 years ago
Ah that is odd. Okay I'll take a look at nginx to see why it's doing that.
comment:7 by , 2 years ago
Replying to wildintellect:
Most browsers are going to start redirecting to https by default soon, so for ordinary users this will solve itself. https://www.makeuseof.com/chrome-defaults-to-https/
This also does not seem to work. I've tested both Chrome 102.0.5005.115 and Firefox 101.0.1, and typing only "download.osgeo.org" will direct the web browser to the HTTP version.
comment:8 by , 2 years ago
I'm still stumped by this. I think the issue is with one of the nginx configs in the download container cause just doing the test within the container I see the same behavior.
It has to do with lack of a trailing /
so https://download.osgeo.org/geos -> http://download.osgeo.org/geos/
with a 301 permanently moved.
with a trailing / things work as expected - https://download.osgeo.org/geos/.
comment:9 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Give it a try now.
Per this article - https://www.netexpertise.eu/en/misc/nginx/nginx-behind-reverse-proxy-301-https-to-http-redirect-when-url-has-no-trailing-slash.html
In the download container, I added a link to /etc/nginx/sites-enabled/1download.local
absolute_redirect off;
It still ends up doing a redirect, but does a relative now instead of an absolute, so it maintains the browsers choice of http vs. https.
comment:10 by , 2 years ago
Thanks, I can confirm that the browser choice of HTTP or HTTPS is now maintained while navigating between subpages.
However, I still see bare "download.osgeo.org" to prefer HTTP. From what wildintellect linked above, I would expected the browser to automatically choose HTTPS as the default protocol.
comment:11 by , 2 years ago
in firefox for me typing download.osgeo.org redirects me to https when I am in incognito mode, but stays as http when I'm in regular mode.
On chrome it always redirects me to https if I type download.osgeo.org. I'm running Chrome Version 103.0.5060.53 (Official Build) (64-bit)
Edge does not redirect me to https (even in incognito mode). Stays as http unless I explicitly type in https.
I don't think this is a good idea. It's bound to break a lot of reliance on http. I also don't see the point of a public download site requiring https. Please give me a security reason why this should be done. If people want a secure connection, they can use https