On 25/02/2020 20:45, Christopher Schultz wrote:
> Mark,
> 
> On 2/25/20 14:34, Mark Thomas wrote:
>> On 25/02/2020 15:53, Felix Schumacher wrote:
>>> Hi all,
>>>
>>> as more and more browsers are marking http as unsecure, we
>>> should redirect all http requests to tomcat.apache.org to https.
> 
>> I really don't like this.
> 
>> I'm happy to support https for those people that want to use it but
>> I see no need to require https for everybody for
>> tomcat.apache.org.
> 
>> We should not be dictating to our users what security / privacy /
>> caching / performance / etc. trade-offs are appropriate for them.
>> We should support as many options as possible and let our users
>> decide.
> 
>> I'm not quite -1 on this but I am close.
> 
> https://www.troyhunt.com/heres-why-your-static-website-needs-https/

Sorry, not convinced. We need to let users make this choice.

The numbers are significant.

tomcat.apache.org from China can be significantly slower over https
compared to http. Typically 2 to 3 times slower in my testing with

https://www.websitepulse.com/tools/china-firewall-test#

3.5s to 8s to load the index page over https compared to ~1.5s over
http. That said, I didn't repeat the test enough for those results to be
considered statistically reliable.

Not everyone has a low latency, high bandwidth connection to the
internet. We need to let the users decide if they want to pay the
performance penalty for the benefits of https or not. We should not be
assuming we know best for everyone.

Mark


> 
> -chris
> 
>>> We can enable that by adding a rewrite rule to the .htaccess file
>>> in the xdocs folder of our site repo.
>>>
>>> For JMeter we used the following fragment:
>>>
>>> RewriteEngine On
>>>
>>> # Redirect http to https
>>> # From Cordova PMC Member raphinesse
>>> # https://s.apache.org/An8s
>>>
>>> # If we receive a forwarded http request from a proxy...
>>> RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
>>>
>>> # ...or just a plain old http request directly from the client
>>> RewriteCond %{HTTP:X-Forwarded-Proto} =""
>>> RewriteCond %{HTTPS} !=on
>>>
>>> # Redirect to https version
>>> RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]
>>>
>>> Anything against adding this to our .htaccess file?
> 
> 
>>>
>>> Felix
>>>
>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
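
An added example, not part of the thread or of the Tomcat or JMeter configuration: a small Python model of how the three RewriteCond lines in the quoted fragment combine, run over constructed requests. It assumes mod_rewrite's chaining, in which a condition flagged [OR] is OR-ed with the next one and the resulting groups are AND-ed; the function names and sample requests are made up for illustration.

```python
# Added example: models RewriteCond chaining for the quoted .htaccess fragment.
# Assumption: a condition flagged [OR] is OR-ed with the next condition and
# the resulting groups are AND-ed. All request values are constructed samples.

def eq(var, literal, negate=False):
    """Build a '=literal' (or '!=literal') string test on one server variable."""
    # A header that was not sent expands to the empty string.
    return lambda env: (env.get(var, "") == literal) != negate

# (test, has_OR_flag) pairs, in the order they appear in the fragment
CONDS = [
    (eq("HTTP:X-Forwarded-Proto", "http"), True),   # =http [OR]
    (eq("HTTP:X-Forwarded-Proto", ""), False),      # =""
    (eq("HTTPS", "on", negate=True), False),        # !=on
]

def conds_match(conds, env):
    """Return True when the RewriteRule after these conditions would fire."""
    i = 0
    while i < len(conds):
        test, ornext = conds[i]
        ok = test(env)
        if ornext:
            if ok:
                # One member of the OR group matched: skip the rest of the group.
                while i < len(conds) and conds[i][1]:
                    i += 1
        elif not ok:
            return False
        i += 1
    return True

SAMPLES = {
    "direct http": {"HTTPS": "off"},
    "direct https": {"HTTPS": "on"},
    "proxy marks http, plain hop": {"HTTP:X-Forwarded-Proto": "http", "HTTPS": "off"},
    "proxy marks https, plain hop": {"HTTP:X-Forwarded-Proto": "https", "HTTPS": "off"},
    "proxy marks http, TLS hop": {"HTTP:X-Forwarded-Proto": "http", "HTTPS": "on"},
}

def redirect_table():
    """Map each constructed request to whether it is redirected to https."""
    return {name: conds_match(CONDS, env) for name, env in SAMPLES.items()}

if __name__ == "__main__":
    for name, redirected in redirect_table().items():
        print(f"{name:30} redirect={redirected}")
```

Under that chaining the fragment reads as (X-Forwarded-Proto is http OR empty) AND HTTPS is not on, so a request the proxy marks as http is not redirected when the hop to the backend itself uses TLS.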
