-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(nginx): updated nodejs.org configuration #3139
Conversation
cc @richardlau |
@UlisesGascon could you also give an eye here 👀 |
I've deployed this onto the server. I'm not feeling too well this week, so if anything looks wrong with these changes I'm likely to just back them out rather than try to troubleshoot. |
This appears to now redirecting |
default_type text/plain; | ||
} | ||
|
||
location /.well-known/security.txt { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This no longer works/is being served
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file doesn't really exist. This rewrite can probably be deleted as this file is not being served anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It did in that location before, and is now located https://github.com/nodejs/nodejs.org/blob/main/public/security.txt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I think you're confusing things. There was never a well-known/security.txt (https://github.com/nodejs/nodejs.org/tree/fb666ed663e4d0511beced38cf9505a688bde898/static) (ref before next migration).
Or are you trying to say that /.well-known/security.txt should redirect to /security.txt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I see what you're talking about. Let me make a PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This redirect was serving the file in static/security.txt
through the .well-known
address, which is per it's spec https://securitytxt.org/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This redirect was serving the file in static/security.txt through the .well-known address, which is per it's spec securitytxt.org
Aware of that spec, my bad, I just switched these two 👀
I don't see any configuration for unecrypted.nodejs.org. (Whatever that was, it was not changed) |
There wasn't a specific config, but there wasn't a global HTTP to HTTPS rewrite rule before, which supported that old endpoint |
Is there any reason we should support unencrypted.nodejs.org? There wasn't a global rewrite, yes, but pretty much all the "meaningful" routes were being redirected to https. Which made sense to do a global redirect. |
It is there to support clients like NVM that need it for old platforms I believe, but maybe @ljharb can confirm. |
Then it is working fine. Because it will not redirect for the /dist stuff :) |
No, it is breaking the dist
|
@nschonni that's not how the unencrypted.nodejs.org apparentlya works. This is a valid URL If you |
Also |
There was some discussion in #2857 about unencrypted.nodejs.org, where we enabled HSTS. |
unless http traffic redirects to unencrypted, nvm doesn’t use it. That said, it still seems important to preserve an http escape hatch. |
For a long time http://unencrypted.nodejs.org's landing page had a warning that it was to be sunset on 1 January 2022 (last year). #2857 (comment). My opinion is that it's not worth spending time resurrecting it. |
If it was supposed to be sunset them we should sunset it 🤔 |
This PR introduces several Nginx changes that simplify the current configuration and fix current bugs.
Configuration changes
server
blocks for redirectsreturn 301 rule
@todo
's for the upcoming Next.js rewrite of nodejs.org