
Re: old https security debian org does not redirect to new page, invalid ssl cert instead



On Tue, 2019-04-02 at 12:02 +0000, dragon@peerfreedom.org wrote:

> and even archive.org has archives of it, on the https URL:
> 
> http://archive.is/MahaH  (and many more)

The URL you quoted explicitly says http not https for security.d.o.

BTW, archive.org and archive.is/fo/today are unrelated projects.

> I got tests from friends both on ipv4 and ipv6, it resolves and connects to:
> 
> 217.196.149.233
> 
> and
> 
> 2a02:16a8:dc41:100::233

The security.debian.org domain resolves to a different IP address
depending on the GeoIP region you are doing DNS queries from.

https://salsa.debian.org/dsa-team/mirror/auto-dns/blob/master/zones/security.debian.org.zone

The IP address you mention is used by the server schmelzer.d.o.

I had a bit of a poke around on there and https is being used for this:

https://syncproxy4.eu.debian.org/

I note that other servers (e.g. mirror-anu.d.o) are also syncproxies and
also some of them host www.d.o and other static sites. Each https
hostname is on one of several IP addresses but we have the web servers
listening on all IP addresses for https. So to not have the web server
listen on security.d.o, we would have to not put it on any of the IPs
used by other services and then tell the web server to listen for https
only on the IPs used by other services. So closing the port is going to
be quite complicated.

Adding https to security.d.o (which we would need in order to redirect)
I'm even less sure of how to do since there is also apt to think about.
I expect this might get tackled once the Fastly CDN finishes their
https beta and deb.d.o gets https support.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
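
The shared-IP situation described in the message above, as an added example that is not part of the original post or Debian's own tooling: a small model showing why a hostname without an HTTPS vhost still answers on port 443 with another site's certificate, and what restricting the listener would require. The IP addresses (RFC 5737 documentation range), the hostname-to-IP assignment and the function names are constructed assumptions.

```python
# Constructed model: several hostnames share a pool of IPs, and the web
# server accepts HTTPS on every local IP. The assignment below is invented.
DNS = {
    "security.debian.org": {"192.0.2.10", "192.0.2.11"},
    "syncproxy4.eu.debian.org": {"192.0.2.10"},
    "www.debian.org": {"192.0.2.11", "192.0.2.12"},
}
HTTPS_VHOSTS = {"syncproxy4.eu.debian.org", "www.debian.org"}  # have certificates


def mismatched_hosts(dns, https_vhosts, listen_ips):
    """Hostnames that resolve to an IP with port 443 open but have no HTTPS
    vhost: clients are served some other site's certificate (name mismatch)."""
    return {
        host: sorted(ips & listen_ips)
        for host, ips in dns.items()
        if host not in https_vhosts and ips & listen_ips
    }


def restricted_listen_plan(dns, https_vhosts, host):
    """What closing 443 for `host` requires: listen for HTTPS only on the IPs
    used by HTTPS vhosts, and move `host` off every one of those IPs."""
    https_ips = set().union(*(dns[h] for h in https_vhosts))
    return {
        "listen_443_on": sorted(https_ips),
        "ips_host_must_leave": sorted(dns[host] & https_ips),
    }


if __name__ == "__main__":
    all_ips = set().union(*DNS.values())
    print("listening on all IPs:", mismatched_hosts(DNS, HTTPS_VHOSTS, all_ips))

    plan = restricted_listen_plan(DNS, HTTPS_VHOSTS, "security.debian.org")
    print("plan:", plan)

    # Restricting the listener alone changes nothing while the IPs are shared.
    listen = set(plan["listen_443_on"])
    print("restricted only:", mismatched_hosts(DNS, HTTPS_VHOSTS, listen))

    # After also moving the host to a dedicated (constructed) IP, 443 is closed.
    moved = dict(DNS, **{"security.debian.org": {"192.0.2.20"}})
    print("restricted + moved:", mismatched_hosts(moved, HTTPS_VHOSTS, listen))
```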
