Newsgroups: php.internals
Subject: Re: [PHP-DEV] php.net website
From: php-lists@koalephant.com (Stephen Reay)
To: Rasmus Lerdorf
Cc: Niklas Keller, Sara Golemon, Mathias Grimm, internals@lists.php.net
Date: Thu, 20 Jul 2017 10:59:49 +0700

> On 20 Jul 2017, at 07:40, Rasmus Lerdorf wrote:
>
>> On Wed, Jul 19, 2017 at 1:42 PM, Niklas Keller wrote:
>>
>> We should really change that and fully move to HTTPS.
>
> I have looked at various ways of doing this, but it isn't trivial and it
> has absolutely nothing to do with the actual html and slapping in some
> https links instead of http. The problem here is that we have external
> volunteers running all our mirrors and we do geo-dns for www.php.net to
> your geographically close mirror site. Putting the private key for
> www.php.net on dozens of servers around the world we don't control is a
> non-starter.
>
> One way that I played with was to use letsencrypt and have each mirror
> request an ssl cert for their local mirror, ca1.php.net, for example, and
> include a CN alias for www.php.net in that request. Then we would run
> a domain validation gateway/proxy on www.php.net which would validate these
> requests on behalf of the mirrors. But there are some security issues with
> this approach that I haven't quite thought through. I would love to hear
> suggestions for perhaps a simpler solution to this problem that doesn't
> require pasting our private key all over the internet.
>
> -Rasmus

Hey Rasmus,

Does it need to be geo-dns, or could it instead be "geo-http" - a small number of servers responding to (www.)?php.net, which then respond with http redirects based on client ip. This is similar to how Debian's "new" mirror service works for apt repos.

I know it would be very nice to have the URLs stay as php.net (no CCn. prefix) but anything else simple is going to involve tls certs for the base domain on servers the project doesn't control.

The only other option I can see would be to use "keyless" tls. It's described pretty well by CF here: https://www.cloudflare.com/ssl/keyless-ssl/

Unfortunately I don't know that cf have open sourced their nginx & openssl patches to make them talk to a remote key server.

Happy to discuss this further if I can help.

Cheers

Stephen
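The "geo-http" redirector Stephen sketches, as an added example that is not part of the thread and not php.net's or Debian's code: a handful of project-controlled hosts are the only ones that ever hold the certificate for the base domain, and they answer every request with a 302 to a nearby mirror chosen by longest-prefix match on the connecting IP. The mirror hostnames (`sg1.example.net` etc.) and the prefix table are constructed for illustration, not real routing data; TLS termination for the bare domain is assumed to sit in front of this process on those few hosts.

```python
"""Minimal geo-HTTP redirector (added example; hypothetical mirrors and prefixes)."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

# Constructed routing table: network prefix -> mirror host. These are
# hypothetical names and documentation-range prefixes, not php.net data.
MIRRORS = [
    ("203.0.113.0/24", "sg1.example.net"),
    ("203.0.113.128/25", "sg2.example.net"),   # more specific, must win
    ("198.51.100.0/24", "us1.example.net"),
    ("2001:db8:1::/48", "de1.example.net"),
]
DEFAULT_MIRROR = "us1.example.net"

NETWORKS = [(ipaddress.ip_network(n), host) for n, host in MIRRORS]


def choose_mirror(client_ip: str) -> str:
    """Longest-prefix match on the TCP peer address.

    Dual-stack listeners hand us IPv4 peers as ::ffff:a.b.c.d, so unwrap
    those before matching. Anything unparseable falls back to the default
    mirror instead of raising, since a redirect must always be produced.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return DEFAULT_MIRROR
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    best = None
    for net, host in NETWORKS:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, host)
    return best[1] if best else DEFAULT_MIRROR


def redirect_location(client_ip: str, path: str) -> str:
    """Build the Location value: always https, and the request path is
    re-quoted so CR/LF or other raw bytes from the request line cannot be
    reflected into the response header."""
    if not path.startswith("/"):
        path = "/" + path
    return "https://%s%s" % (choose_mirror(client_ip), quote(path, safe="/%?=&"))


class Redirector(BaseHTTPRequestHandler):
    def do_GET(self):
        # Use the socket peer address, never X-Forwarded-For: this process is
        # the edge, so any forwarded header is attacker-controlled.
        client_ip = self.client_address[0]
        self.send_response(302)  # 302, not 301: clients must re-ask as routing changes
        self.send_header("Location", redirect_location(client_ip, self.path))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Plain HTTP on localhost for a local try-out; in deployment the
    # base-domain TLS terminates in front of this on the few trusted hosts.
    HTTPServer(("127.0.0.1", 8080), Redirector).serve_forever()
```

Run it and `curl -i http://127.0.0.1:8080/manual/en/index.php` to see the 302; the point of the design is that only the redirector hosts need the base-domain certificate, while each mirror serves HTTPS under its own name with its own key.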