
SSL and HTTP 2 plans

Jason Fesler edited this page Aug 5, 2021 · 9 revisions

HTTPS required.

For a consistent experience across all mirror sites, HTTPS is now required. With LetsEncrypt.com providing free certificates, there is no excuse not to deploy it.

Adding HTTPS to your mirror

The falling-sky code now understands HTTPS. If you add HTTPS certificates to your mirror, it should work.

  • Please make sure you get all of your names:
    • test-ipv6.example.com
    • ipv4.test-ipv6.example.com
    • ipv6.test-ipv6.example.com
    • ds.test-ipv6.example.com
    • mtu1280.test-ipv6.example.com
    • ds.v6ns.test-ipv6.example.com
  • Please do not force HTTPS. See https://test-ipv6.com/faq_https for more information.
  • Your users, when visiting with HTTP, will be told about HTTPS (if it works), along with the same link above explaining the differences.

Please tell me, jfesler@test-ipv6.com, about it, so I can add you to the mirrors list. Until then, your mirror will be missing from the mirrors list for HTTPS users (as of this writing, about half the mirrors are HTTPS enabled).

Making the LetsEncrypt process work for test-ipv6.com

This explains how I'm handling the LetsEncrypt challenge, for mirrors answering as "test-ipv6.com".

  • Mirrors will redirect the LetsEncrypt ACME challenge path back to my server.
  • I will generate certificate requests for my domains, as well as for test-ipv6.example.com (the mirror's names).
  • I will periodically renew the certificates and push the certificates and keys to each appropriate server.
  • I will configure Apache HTTPD for each certificate and restart Apache.

To do the above, I realistically need to "own" the VM in question. This means I have had to give up a few mirrors, due to not being able to get ssh/sudo access and permission to make changes.
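The Apache HTTPD configuration below is an added illustration of the mirror-side pieces described above, not configuration from the falling-sky project or from Jason's own servers. It assumes mod_ssl and mod_http2 are loaded, that `acme-central.example.net` stands in for the central server that answers the ACME challenges (a placeholder; the real hostname is not given on this page), and that the certificate and key pushed to the mirror land under the placeholder directory `/etc/ssl/falling-sky/`. It deliberately does not redirect HTTP to HTTPS, matching the "do not force HTTPS" rule, and restricts the TLS listener to HTTP/1.1 because of the HTTP/2 connection-coalescing problem noted later on this page.

```apache
# Added example configuration for one falling-sky mirror (hypothetical names and paths).
# Plain-HTTP listener: serves the site as before, but hands the ACME HTTP-01
# challenge path to the central server so renewals can be issued from there.
# Let's Encrypt's HTTP-01 validator follows HTTP redirects, so the mirror itself
# never needs the challenge token on disk.
<VirtualHost *:80>
    ServerName  test-ipv6.example.com
    ServerAlias ipv4.test-ipv6.example.com ipv6.test-ipv6.example.com
    ServerAlias ds.test-ipv6.example.com  mtu1280.test-ipv6.example.com
    ServerAlias ds.v6ns.test-ipv6.example.com

    # Everything under the challenge path goes to the central ACME server (placeholder hostname).
    Redirect 302 /.well-known/acme-challenge/ http://acme-central.example.net/.well-known/acme-challenge/

    # No blanket "Redirect / https://..." here: HTTP visitors are told about HTTPS
    # by the site itself, and forcing HTTPS would break the test (see faq_https).
    DocumentRoot /var/www/falling-sky
</VirtualHost>

# TLS listener for the same names. One such vhost per certificate if the
# certificates are split per name; a single vhost works if one certificate
# covers all of the SANs listed above.
<VirtualHost *:443>
    ServerName  test-ipv6.example.com
    ServerAlias ipv4.test-ipv6.example.com ipv6.test-ipv6.example.com
    ServerAlias ds.test-ipv6.example.com  mtu1280.test-ipv6.example.com
    ServerAlias ds.v6ns.test-ipv6.example.com

    # HTTP/2 would coalesce connections for hosts sharing this IP and certificate,
    # which the test cannot tolerate: stay on HTTP/1.1 so every request is its own connection.
    Protocols http/1.1

    SSLEngine on
    # Placeholder paths for the files pushed from the central server.
    SSLCertificateFile    /etc/ssl/falling-sky/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/falling-sky/privkey.pem

    DocumentRoot /var/www/falling-sky
</VirtualHost>
```

After a certificate push, a `apachectl configtest` followed by a graceful restart is enough for the new material to take effect; the SAN list on the issued certificate should be checked against the six names above, since a missing `ds.v6ns` or `mtu1280` entry only shows up as a browser error on that one subtest.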

As of August 2021, I am unable to add additional transparent mirrors. My work/life load is too high at the moment to take on additional mirrors. If you feel strongly that another transparent mirror is needed in your part of the world, you can still ask - but most of the world has great coverage now, outside of China.

HTTP/2 and other future work

As it turns out, the connection coalescing features of HTTP/2 make it incompatible with this project. We need distinct connections on every request, even if the IP is the same and the certificate is the same.
