On Fri, 18 Sep 2020 at 02:08, James Paige <b...@hamsterrepublic.com> wrote:
> I would be happy to disable http completely, and always redirect http to
> https.
>
> People who have an OS so old that it can't support https are welcome to
> open a web browser on a separate device.
>
> I don't actually know how to do this just for the login page. I think I
> remember an option in the dreamhost config panel to do this for the whole
> site, but I would have to hunt for it.
>
> A *MUCH* bigger security concern is that I can't upgrade Mediawiki
> anymore. It has been years since running "git pull" on a large repo in a
> shell script on a dreamhost shared account was a viable option.
>

Is the reason that you're using git to download mediawiki versions because you use git to merge your local changes? Are those local changes just in LocalSettings.php?
If it's just a couple files, it seems practical to write a small shell script to download a tarball and do an interactive merge of those couple files using sdiff.

> I had a clunky workaround where I would rsync the whole thing locally,
> upgrade it, rsync it back up to dreamhost, and then run the last stage of
> the upgrade.
>
> I am always terrified that I will break the whole thing every time I do
> that, but maybe I will give it a try today since I happen to be on a
> vacation day and have time.
>
> I would really like to move the whole wiki to a place where the upgrades
> were automatically managed for me. I haven't had time to look into that (in
> years)
>
> On Thu, Sep 17, 2020 at 9:57 AM Adam Perry <arpe...@gmail.com> wrote:
>
>> It is not a good idea to have an HTTP login page. Your credentials are
>> sent in plain text when you log in via HTTP.
>>
>> I realize that the OHR wiki isn't the most high-profile target for
>> hackers, but it's still a bad idea. We don't need to allow wiki editing to
>> everyone able to use the engine if it means compromising security.
>>
>>
>> On Wed, Sep 16, 2020, 8:45 PM Ralph Versteegen <teeem...@gmail.com>
>> wrote:
>>
>>> Holly reported, and I can confirm, that you can't log into the wiki, or
>>> create an account, when accessing it over HTTP instead of HTTPS. (I think I
>>> remember seeing this already quite a while ago.) You get the following
>>> message:
>>>
>>> "There seems to be a problem with your login session; this action has
>>> been canceled as a precaution against session hijacking. Please resubmit
>>> the form."
>>>
>>> It is nice to be able to access the wiki via HTTP, since HTTPS is
>>> inaccessible from ancient OSes such as some of those we support. If the
>>> login page could redirect from HTTP to HTTPS...
>>>
>>> Hmm, maybe I should file such things on github instead...
>>> _______________________________________________
>>> Ohrrpgce mailing list
>>> ohrrpgce@lists.motherhamster.org
>>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
>>>
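The tarball-and-sdiff upgrade suggested in the reply above, written out as an added example that is not part of the thread. The OLD/LIVE/NEW/STAGE directory layout, the function names and the MERGE_TODO file are assumptions, and the release tarballs are taken as already downloaded and unpacked.

```shell
#!/bin/sh
# Added example, not from the thread. Trees are already-unpacked directories:
#   OLD  = pristine copy of the release currently installed
#   LIVE = the running install (local edits, LocalSettings.php, uploads)
#   NEW  = the unpacked release tarball being upgraded to

# Files present in both OLD and LIVE whose contents differ: the local edits.
local_changes() {
    lc_old=$1; lc_live=$2
    (cd "$lc_old" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        [ -f "$lc_live/$f" ] || continue
        cmp -s "$lc_old/$f" "$lc_live/$f" || printf '%s\n' "${f#./}"
    done
}

# Files present only in LIVE: site configuration, uploads, added extensions.
local_only() {
    lo_old=$1; lo_live=$2
    (cd "$lo_live" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        [ -e "$lo_old/$f" ] || printf '%s\n' "${f#./}"
    done
}

# Build STAGE = NEW + local-only files, and record what needs a manual merge.
# LIVE is never modified, so a failed upgrade leaves the site untouched.
stage_upgrade() {
    su_old=$1; su_live=$2; su_new=$3; su_stage=$4
    mkdir -p "$su_stage" && cp -R "$su_new/." "$su_stage/"
    local_only "$su_old" "$su_live" | while IFS= read -r f; do
        mkdir -p "$su_stage/$(dirname "$f")" && cp -p "$su_live/$f" "$su_stage/$f"
    done
    local_changes "$su_old" "$su_live" > "$su_stage/MERGE_TODO"
}

# Interactive step: sdiff each locally edited file against the new upstream copy.
# The list is read on fd 3 so sdiff keeps the terminal on stdin.
merge_changed() {
    mc_live=$1; mc_stage=$2
    while IFS= read -r f <&3; do
        [ -f "$mc_stage/$f" ] || { echo "gone upstream, review by hand: $f" >&2; continue; }
        cp -p "$mc_stage/$f" "$mc_stage/$f.upstream"
        sdiff -o "$mc_stage/$f" "$mc_live/$f" "$mc_stage/$f.upstream" || true
    done 3<"$mc_stage/MERGE_TODO"
}

# Usage: sh upgrade.sh stage OLD LIVE NEW STAGE   then   sh upgrade.sh merge LIVE STAGE
case "${1:-}" in
    stage) shift; stage_upgrade "$@" ;;
    merge) shift; merge_changed "$@" ;;
esac
```

Only the files listed in MERGE_TODO need a human decision; everything else in STAGE is the unmodified new release plus the site's own files.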