[Devel] Moving the site to https (I just did it, but, um, should we really keep it this way?)
Asheesh Laroia
asheesh at openhatch.org
Thu Dec 3 05:36:32 UTC 2009
A problem:
When you go to https://openhatch.org/, you get a website that isn't
openhatch.org. You get our fruity CRM thing (which we want to stop using
anyway).
An obvious solution:
Make the https site have the same configuration as the
main site.
Downside:
Apache will run the Python processes twice. This doubles
the memory load on the server, and we discovered before
that it can't take it.
A second, similar obvious solution:
Use mod_proxy. Apache has a built-in system for
"proxying" HTTP requests. This means, whenever someone
hits https://openhatch.org/, the *web server* on the
linode *itself* does a GET of http://openhatch.org/, and
returns that page to the person who asked for https.
A different downside:
Now when Django sees a request, it only ever sees a
request as given to it by the *web server*, not a real
client. This means everyone's IP address is 127.0.0.1.
That's pretty broken. It can be worked-around (there's
a header called X-Forwarded-For) but it requires
fiddling and no one's ever too happy relying on that
header.
The solution I've come up with:
Migrate everyone to https://openhatch.org/. That way,
we can mumble things about "protecting our users'
privacy". (Note that ohloh.net does this, too, and a few
other sites (Launchpad I think?) also do.)
Also, it's easy to configure and doesn't cause extra
load. It also eliminates the confusion where /bugs/ is
on https (because it uses passwords) but / is not.
"Migrate everyone" is implemented as "Requests to
http://openhatch.org/ cause a redirect to
https://openhatch.org/".
The downside:
Not much, really. Possibly a few random internal links
will link to http://openhatch.org/something/ and they
will cause the user redirects.
Also, SSL negotiation will necessarily cause a few
extra round-trips. That will increase latency, I'm
afraid, which is experienced as slightly higher
page-load times.
Raffi, if you're okay with this "everyone on https", then I should
change our Apache configuration so it's a "RedirectPermanent" not a
"Redirect". That way, search engines will update their canonical URLs.
-- Asheesh.
--
Good day for overcoming obstacles. Try a steeplechase.
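The "everyone on https" layout described in the message, as an added Apache configuration example (not OpenHatch's actual config); the certificate and WSGI paths are placeholders, and mod_remoteip is only mentioned for the rejected mod_proxy route:

```apache
# Added example, not OpenHatch's own configuration.
# Port 80 does nothing but redirect, so Django is served from :443 only
# and Apache keeps one set of Python processes instead of two.
<VirtualHost *:80>
    ServerName openhatch.org

    # "Redirect" on its own answers 302 (temporary), so search engines keep
    # the http:// URL as canonical:
    #     Redirect / https://openhatch.org/
    # "RedirectPermanent" answers 301, so they move to the https:// URL:
    RedirectPermanent / https://openhatch.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName openhatch.org
    SSLEngine on
    # Placeholder paths for the certificate and private key.
    SSLCertificateFile    /etc/ssl/certs/openhatch.org.pem
    SSLCertificateKeyFile /etc/ssl/private/openhatch.org.key

    # The Django app is mounted here and nowhere else (mod_wsgi;
    # placeholder path).  Because no request is proxied, REMOTE_ADDR is the
    # real client, so nothing has to trust X-Forwarded-For.
    WSGIScriptAlias / /srv/openhatch/django.wsgi
</VirtualHost>

# If the mod_proxy route were taken instead, every request would reach
# Django from 127.0.0.1.  On Apache 2.4+ mod_remoteip can restore the
# client address, but it must be told to trust only the local proxy hop:
#     RemoteIPHeader X-Forwarded-For
#     RemoteIPInternalProxy 127.0.0.1
# Without that restriction a client can set the header itself.
```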