[ 
https://issues.apache.org/jira/browse/LUCENE-9227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043794#comment-17043794
 ] 

Uwe Schindler edited comment on LUCENE-9227 at 2/24/20 7:56 PM:
----------------------------------------------------------------

I committed the following to htaccess.template:

{noformat}
<If "%{HTTPS} == 'on'">
  Header always set Strict-Transport-Security "max-age=300"
</If>
<Else>
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Else>
{noformat}

This is IMHO the most consistent way to express this. There are shorter ways, 
but the if/else statements are easier to read:
- If the user is on HTTPS, he/she gets the STS header (for testing purposes limited to 
300s)
- If the user is on HTTP, he/she gets a redirect to HTTPS (permanent)

{noformat}
Uwe Schindler@VEGA:~ > curl -I https://lucene.staged.apache.org/
HTTP/1.1 200 OK
Date: Mon, 24 Feb 2020 19:40:37 GMT
Server: Apache
Strict-Transport-Security: max-age=300
Last-Modified: Fri, 21 Feb 2020 12:58:09 GMT
ETag: "394a-59f1592c57599"
Accept-Ranges: bytes
Content-Length: 14666
Vary: Accept-Encoding
Content-Type: text/html

Uwe Schindler@VEGA:~ > curl -I http://lucene.staged.apache.org/test?hallo
HTTP/1.1 301 Moved Permanently
Date: Mon, 24 Feb 2020 19:44:03 GMT
Server: Apache
Location: https://lucene.staged.apache.org/test?hallo
Content-Type: text/html; charset=iso-8859-1
{noformat}

I plan to merge this to master quite soon, so please test it! I will keep the 
STS header at 300 seconds for a while and then raise it to one year, if no 
complaints come in.
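The two curl checks above can be turned into a repeatable test. The following is an added example, not part of the Jira comment or the Lucene site build: it parses `curl -I` style output and verifies the two properties the htaccess rule is meant to guarantee, that a plain-HTTP request gets a permanent redirect to the same URL on HTTPS (host, path and query preserved) and that an HTTPS response carries a Strict-Transport-Security header with a max-age at or above a chosen minimum. The sample responses are constructed to mirror the headers shown in the comment; `ONE_YEAR` is the target value the comment mentions, and the function names are my own.

```python
"""Offline check of HTTPS-only behaviour: given raw response headers in the
form printed by `curl -I`, verify the HTTP->HTTPS redirect and the HSTS
header. Added example; the sample responses below are constructed to mirror
the curl output in the Jira comment, not live captures."""
from dataclasses import dataclass
from urllib.parse import urlsplit

ONE_YEAR = 365 * 24 * 3600  # the max-age the comment plans to move to


@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased, values stripped


def parse_head(raw: str) -> Response:
    """Parse `curl -I` output: a status line followed by 'Name: value' lines."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])  # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def check_http_redirect(request_url: str, resp: Response) -> list:
    """A plain-HTTP request must get a 301 to the HTTPS twin of the same URL.

    Returns a list of problems; an empty list means the redirect is correct."""
    problems = []
    if resp.status != 301:
        problems.append(f"expected 301, got {resp.status}")
    loc = resp.headers.get("location")
    if loc is None:
        return problems + ["no Location header"]
    want = urlsplit(request_url)._replace(scheme="https")
    got = urlsplit(loc)
    if got.scheme != "https":
        problems.append(f"redirect target is not https: {loc}")
    # The RewriteRule uses %{HTTP_HOST}%{REQUEST_URI}, so host, path and
    # query string must survive the redirect unchanged.
    if (got.netloc, got.path, got.query) != (want.netloc, want.path, want.query):
        problems.append(f"redirect does not preserve host/path/query: {loc}")
    return problems


def parse_hsts(value: str) -> dict:
    """Split 'max-age=300; includeSubDomains' into a directive dict."""
    out = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if val else True
    return out


def check_hsts(resp: Response, min_age: int = ONE_YEAR) -> list:
    """An HTTPS response must carry HSTS with max-age >= min_age.

    Returns a list of problems; an empty list means the header is acceptable."""
    value = resp.headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return [f"HSTS max-age missing or malformed: {value!r}"]
    if max_age < min_age:
        return [f"HSTS max-age {max_age}s is below {min_age}s"]
    return []


# Constructed samples mirroring the two curl -I responses in the comment.
HTTPS_HEAD = """\
HTTP/1.1 200 OK
Date: Mon, 24 Feb 2020 19:40:37 GMT
Server: Apache
Strict-Transport-Security: max-age=300
Content-Type: text/html
"""

HTTP_HEAD = """\
HTTP/1.1 301 Moved Permanently
Date: Mon, 24 Feb 2020 19:44:03 GMT
Server: Apache
Location: https://lucene.staged.apache.org/test?hallo
Content-Type: text/html; charset=iso-8859-1
"""

if __name__ == "__main__":
    print("redirect:", check_http_redirect(
        "http://lucene.staged.apache.org/test?hallo", parse_head(HTTP_HEAD)))
    print("hsts (300s floor):", check_hsts(parse_head(HTTPS_HEAD), min_age=300))
    print("hsts (one-year floor):", check_hsts(parse_head(HTTPS_HEAD)))
```

With the 300-second test value the HSTS check passes only when the floor is lowered to 300; against the one-year floor it reports the short max-age, which is the reminder a site operator wants once the testing period is over.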

> Make page ready for pure HTTPS
> ------------------------------
>
>                 Key: LUCENE-9227
>                 URL: https://issues.apache.org/jira/browse/LUCENE-9227
>             Project: Lucene - Core
>          Issue Type: Sub-task
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>
> The web page can currently be visited using HTTPS but this brings warnings:
> - Both search providers create a form that passes USER ENTERED INPUT using no 
> encryption. This is not allowed due to GDPR. We have to fix this asap. It 
> looks like [~otis] search is working with HTTPS (if we change domain name), 
> but the Lucidworks does not
> - There were some CSS files loaded with HTTP (fonts from Google - this was 
> fixed)
> Once those 2 problems are fixed (I grepped for HTTP and still found many 
> links with HTTP, but looks like no images or scripts or css anymore), I'd 
> like to add a permanent redirect http://lucene.apache.org/ -> 
> https://lucene.apache.org to the htaccess template file.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
