Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently #137

Closed
wants to merge 1 commit into from
Closed

For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently #137

wants to merge 1 commit into from

Conversation

mavit
Copy link
Contributor

@mavit mavit commented Apr 3, 2021

Applies to the modern configuration only.

Relates to #117.

@mavit
For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently
ba8fe2e 
Applies to the modern configuration only.

Relates to mozilla#117.
@gene1wood gene1wood self-requested a review April 5, 2021 15:19
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this pull request Apr 5, 2021
@gstrauss
lighttpd: prefer 308 to 301 for HTTP redirection
2b4c57b 
x-ref:
  "308 Permanent Redirect"
  mozilla#117
  "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently"
  mozilla#137
@gstrauss gstrauss mentioned this pull request Apr 5, 2021
Closed
@gstrauss gstrauss mentioned this pull request Oct 29, 2021
Merged
@gstrauss gstrauss mentioned this pull request Jun 8, 2022
Merged
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this pull request Sep 18, 2022
@gstrauss
lighttpd: prefer 308 to 301 for HTTP redirection
9835264 
x-ref:
  "308 Permanent Redirect"
  mozilla#117
  "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently"
  mozilla#137
@gstrauss gstrauss mentioned this pull request Sep 18, 2022
Merged
@janbrasna janbrasna mentioned this pull request Jan 4, 2024
Merged
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this pull request Mar 14, 2024
@gstrauss
lighttpd: prefer 308 to 301 for HTTP redirection
1650e3c 
x-ref:
  "308 Permanent Redirect"
  mozilla#117
  "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently"
  mozilla#137
@gstrauss gstrauss mentioned this pull request Mar 14, 2024
Open
@janbrasna janbrasna added blocked Something has to happen first elsewhere specs This involves changes in recommendations labels Oct 5, 2024
@gstrauss
Copy link
Collaborator

lighttpd mod_redirect in lighttpd 1.4.75 and later takes a more nuanced approach by default and uses 301 Moved Permanently for all GET/HEAD requests or for HTTP/1.0 requests with other HTTP methods. For HTTP/1.1 or later, lighttpd mod_redirect uses 308 Permanent Redirect for HTTP methods which are not GET/HEAD.

The Hypertext Transfer Protocol Status Code 308 (Permanent Redirect) https://www.rfc-editor.org/rfc/rfc7238
was published June 2014, over 10 years ago.

For redirection involving HSTS, all clear-text http requests are redirected unconditionally to https.

Absent HTTP version support similar to what is in lighttpd 1.4.75, 308 Permanent Redirect should be used for all HSTS redirects, as that is the proper behavior for methods which are not GET/HEAD. If a small number of end-users encounter problems with this recommended setting with specific old clients, then that small number of end-users can adjust the configs to use 301 instead of 308, and trade-off HSTS redirecting all HTTP methods other than GET/HEAD to HTTP GET method to the https location.

@gstrauss
Copy link
Collaborator

@janbrasna you added a label that this change is blocked by the spec. I understand that the implementation in this PR modifies the guidelines to add the permanent redirect code to the spec, but I do not think we should implement it that way.

If, in the future, we generate older versions of the site, we should do so from source control, or source control snapshots of the site generated at certain tags. We are not currently testing that the current site including templates works with all prior versions of the guidelines, are we? I don't see the utility of doing so.

@gstrauss
Copy link
Collaborator

@mavit thank you for the PR. As I am sure you understand, this PR from 2021 is somewhat stale.

Recent changes to the code added output.hstsRedirectCode, which is currently hard-coded to 301. If in the future we use 308, that is what will change.

As we recently opened a discussion for updating the guidelines, I am also proposing using 308 for ssl-config-generator HSTS unconditional HTTP redirect from http:// to https://. That may or may not be part of the guidelines, but definitely won't be part of guideline v5.6 modified by this PR, so I am going to close this PR. We'll make changes pending the outcome of the discussions in #117.

Again, thank you for making the effort to submit this patch!

@gstrauss gstrauss closed this Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gene1wood gene1wood Awaiting requested review from gene1wood

Assignees
No one assigned
Labels
blocked Something has to happen first elsewhere specs This involves changes in recommendations
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mavit @gstrauss @janbrasna