+1 with some light (1 month?) notice time in case anyone uses http directly
intentionally, will avoid some security breaches http can get, in
particular on subdomains.

On Tue, Feb 25, 2020 at 21:45, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Mark,
>
> On 2/25/20 14:34, Mark Thomas wrote:
> > On 25/02/2020 15:53, Felix Schumacher wrote:
> >> Hi all,
> >>
> >> as more and more browsers are marking http as unsecure, we
> >> should redirect all http requests to tomcat.apache.org to https.
> >
> > I really don't like this.
> >
> > I'm happy to support https for those people that want to use it but
> > I see no need to require https for everybody for
> > tomcat.apache.org.
> >
> > We should not be dictating to our users what security / privacy /
> > caching / performance / etc. trade-offs are appropriate for them.
> > We should support as many options as possible and let our users
> > decide.
> >
> > I'm not quite -1 on this but I am close.
>
> https://www.troyhunt.com/heres-why-your-static-website-needs-https/
>
> -chris
>
> >> We can enable that by adding a rewrite rule to the .htaccess file
> >> in the xdocs folder of our site repo.
> >>
> >> For JMeter we used the following fragment:
> >>
> >> RewriteEngine On
> >>
> >> # Redirect http to https
> >> # From Cordova PMC Member raphinesse
> >> # https://s.apache.org/An8s
> >>
> >> # If we receive a forwarded http request from a proxy...
> >> RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
> >>
> >> # ...or just a plain old http request directly from the client
> >> RewriteCond %{HTTP:X-Forwarded-Proto} =""
> >> RewriteCond %{HTTPS} !=on
> >>
> >> # Redirect to https version
> >> RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]
> >>
> >> Anything against adding this to our .htaccess file?
> >
> >
> >>
> >> Felix
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: dev-h...@tomcat.apache.org
> >>
> >
> >
>
>
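
The condition chain in the quoted fragment, modelled as an added example (not code from the thread or from the JMeter or Tomcat site repos): in mod_rewrite, `[OR]` joins a condition to the one after it and the resulting groups are ANDed, so the three lines evaluate as (forwarded-http OR no-header) AND not-HTTPS. The function names and the sample requests, including the `/index.html` path, are constructed for illustration.

```python
# Added example: models how mod_rewrite combines the three RewriteCond lines.
# All sample requests are constructed; only the host name comes from the thread.

def conds(req):
    """The three RewriteCond tests, as (result, has_OR_flag) pairs."""
    xfp = req.get("X-Forwarded-Proto", "")   # %{HTTP:X-Forwarded-Proto}
    https = req.get("HTTPS", "off")          # %{HTTPS} is "on" or "off"
    return [
        (xfp == "http", True),     # =http [OR]
        (xfp == "", False),        # =""
        (https != "on", False),    # !=on
    ]

def rule_fires(req):
    """[OR] chains conditions into a group; groups are ANDed together."""
    group_ok = False
    for ok, or_next in conds(req):
        group_ok = group_ok or ok
        if not or_next:            # end of an OR group
            if not group_ok:
                return False
            group_ok = False
    return True

def redirect_target(req):
    """Return the https URL the RewriteRule would send, or None."""
    if rule_fires(req):
        return "https://" + req["Host"] + req["URI"]
    return None

BASE = {"Host": "tomcat.apache.org", "URI": "/index.html"}
REQUESTS = {
    # plain http straight from the client
    "direct_http": {**BASE, "HTTPS": "off"},
    # https straight from the client
    "direct_https": {**BASE, "HTTPS": "on"},
    # proxy terminated TLS or not, and says the client used http
    "proxied_http": {**BASE, "HTTPS": "off", "X-Forwarded-Proto": "http"},
    # proxy terminated TLS: backend hop is http, client hop was https
    "proxied_https": {**BASE, "HTTPS": "off", "X-Forwarded-Proto": "https"},
    # client sends its own X-Forwarded-Proto over a direct https connection;
    # reading the chain as A OR (B AND C) would redirect this to itself
    "https_with_client_header": {**BASE, "HTTPS": "on",
                                 "X-Forwarded-Proto": "http"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:26} -> {redirect_target(req)}")
```

The last case shows why the grouping matters: `X-Forwarded-Proto` is an ordinary request header, so the `%{HTTPS} !=on` test is what keeps a client-supplied value from causing a redirect on a connection that is already https.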
