To make it easier for us to manage where these domains point to it would be great if the records for the domain explorer.ooni.torproject.org were to point to explorer.ooni.io and the record for ooni.torproject.org pointed to ooni.io.
The most high priority is the update of explorer.ooni.torproject.org as we are launching that today and we still have places where we link to explorer.ooni.torproject.org instead of explorer.ooni.io.
Designs
Child items
...
Show closed items
Linked items
0
Link issues together to show that they're related.
Learn more.
Another option, if we don't like having .torproject.org sites running on non-TPA machines, would be to run a tiny webserver as the .torproject.org site, which sends an http-level redirect to the external site?
I mention it because that http redirect is happening now already, just on the remote site.
hellais, do you want an actual CNAME (ie. that the user doesn't know they get redirected to ooni) or a redirect (that the user does end up on ooni.io)?
i do agree that it's unconventional to do those things for us. we usually point *.torproject.net at external resources.
Currently this is already happening though, explorer.ooni.torproject.org being a CNAME to explorer.ooni.io, I mistakenly thought this was not currently the case when opening the ticket, but this is already happening and no change is necessary on this front.
It was done this way specifically to make it easier for us to more independently handle how we serve requests to users hitting out website from the various domains that were distributed.
The website ooni.org & ooni.io & ooni.torproject.org is still running on tpo infrastructure, but we would like to change that to reduce the complexity of having something hosted on system where people need LDAP access to administer it.
Our preference would be that we setup a CNAME record for ooni.torproject.org that points to ooni.io or ooni.org so that we are able to on our own setup a redirect, if desirable, or handle the requests directly by keeping the ooni.torproject.org domain (we probably will do this in the beginning).
would be to run a tiny webserver as the .torproject.org site, which sends an http-level redirect to the external site?
hellais, do you want an actual CNAME (ie. that the user doesn't know they get redirected to ooni) or a redirect (that the user does end up on ooni.io)?
It would be preferable if we could get a CNAME record, so that we can manage how redirects are handled autonomously.
is this domain used by non-HTTP clients?
It's the domain used for our primary website. We don't make any assumption as to what type of client is going to access it. I suppose most modern browsers will do HTTPS.
Another record which is currently setup in a similar fashion is the CNAME for
get.ooni.torproject.org. 3599 IN CNAME get.ooni.io.
To be clear it's not a big problem if the policy WRT to setting up CNAME records has changed, I just need to be aware of it and plan according to it.
This is probably also a good opportunity to do some cleanup of other *.ooni.torproject.org domains as we are trying to simplify our infrastructure and reduce our devops cognitive load by simplifying our infrastructure.
... which outlines the distinction between TPO (torproject.org) and TPN (torproject.net) that weasel was refering to. The problem might not be CNAMEs per se, but pointing to outside stuff.
Another thing is that CNAMEs are not a great way to move stuff around, because they are transparent to clients. An web browser or crawler will not treat a CNAME as "this is now hosted over there", it's just an alias. For those kind of transitions, you want to do a HTTP redirect, that is respond with a 301 (Moved Permanently) or 302 (Found) status code:
Then we can deprecate the *.ooni.tpo namespace and eventually transition to ooni.io cleanly.
This is why I was asking about non-HTTP (and non-HTTPS) clients: those redirections will work only for HTTP clients. If you have people using this over SSH or Git or whatever non-HTTP protocol, those would break of course.
(Sorry if you already know all of this about HTTP status codes vs CNAMEs, but I thought it was useful to get back to the specs to clarify my thoughts.)
we agreed that we'd add a CNAME record and keep the CNAMEs until may 7th 2020, at which point they'd turn into HTTP redirects. we'll do this tomorrow at 1200 EDT (1600 UTC).
Trac: Status: new to assigned Owner: tpa to anarcat
So we looked into this with @anarcat and encountered the following issues:
The current setup has both HSTS and certificate pinning enabled for the ooni.torproject.org website
It is not straightforward to do custom HTTPS changes on the current ooni hosting service (netlify)
Since the maxage for the certificate pinning is set to 60 days we will need to wait for that amount of time before we are able to migrate over.
In the meantime @anarcat is going to see how to disable the certificate pinning headers from the ooni.torproject.org host config, so that we can begin waiting the 60 days after which we can proceed with the CNAME plan as mentioned above.
i have disabled certificate pinning on ooni.torproject.org around 15 minutes ago. it should therefore expire in 60 days exactly, which is about on saturday november 16th at 19:30UTC. assuming we don't want to do this transition on a saturday, we should probably look into this again on november 18th.
I had marked on my calendar Nov 18th as the date we can do the migrateion
@hellais, are you around next week? should we carry on the plan as expected?
Yes I am going to be around and let's proceed as planned with doing the migration on Nov 18th. Does that work for you?
where should the CNAME point to? ooni.org? `www.ooni.org?
The CNAME should point to ooni.org and in theory that would work with out netlify based host. I don't think I have ever done this, though, so it's useful if we are both online to coordinate on this in realtime.
I am going to be mostly online on Nov 18th from ~10:00 UTC - 18:00 UTC. Should we try to meet online at around 16:00 UTC?
finally, i need to do documentation and we need to decide if/when we do HTTP redirects instead of CNAMEs here to finalize this transition. but i guess that OONI can do those redirects themselves, when they want to as well...
the only thing remaining is to remove the user/group, and the actual files on staticiforme (and mirrors?)
@hellais, can i remove the actual site? how about the users? shouldn't i be removing users that were created just for the purpose of managing this website?
@hellais, can i remove the actual site? how about the users? shouldn't i be removing users that were created just for the purpose of managing this website?
Yes go ahead and remove the actual site and the user (I assume you mean the ooni user, are there others?).
no, i also mean the actual users that have ooni as a group. those are:
art
aagbsn
andz
darkk
agrabeli
I assume at least some of them should keep their accesses, but I was wondering if some were created just for the purpose of updating the website and should be removed...
it turns out locking out those users was probably a mistake, as some if not all of them are still on tor-internal. my mistake. i have restored their accesses, although I have lost their passwords for now. i'm looking in the backups to see if i can restore those hashes as well. what i specifically did was:
restore keyFingerPrint (based on the account-keyring git repo)
delete accountStatus
delete shadowExpire
remove the ooni group membership from all users
I'm trying to see if i can coerce our backup system to give us a view on those old hashes now.