Re: Re: HTTPS for Debian archive mirrors, and CAA
> On Monday, September 18, 2017 at 6:01:19 PM CST, Julien Cristau wrote:
> > Hi,
> > the debian mirrors team needs to be able to point the
> > ftp.<CC>.debian.org aliases at different backends based on their status.
> > As such, the only service that is guaranteed to be available at these
> > names is HTTP. Offering HTTPS on these names means breakage whenever
> > they are pointed at a different mirror.
> > Accordingly, we have set CAA records (RFC 6844) on the <CC>.debian.org
> > domains to disallow any certificate issuance, and we'd like to ask
> > mirror operators who were offering HTTPS under these names to stop doing
> > so. They are of course free to continue offering the service under a
> > non-debian.org domain name.
> > Thanks,
> > Julien
> Sorry to hear that. That essentially means that all ftp*.*.debian.org domains
> will no longer be available via HTTPS.
> The necessity of setting up https-enabled mirror sites has been discussed
> several times before and there's no need to repeat it again here. Removing
> such ability from ftp*.*.debian.org is a step backward, unfortunately.
> P.S. I am aware that deb.debian.org provides https access. However, such CDN
> service is not working well in certain areas of the world, e.g., China.
> Boyuan Yang
Also sorry to hear that. I hold the same view that it is necessary to
utilize https to prevent buggy ISP cache.
BTW, I've learned that you are now pointing ftp.<CC>.debian.org aliases at
different backends. Could you give detailed information about that so that
the backends can be configured properly? For example, on our server, which
is serving ftp2.cn.debian.org, requests with an unknown "Host:" header will be
rejected due to security issues, i.e. if you point ftp.xx.debian.org to
our server without notice in advance, requests pointing to that domain name
will be silently disconnected. I guess configuring *.*.debian.org would work and
I wonder if you have any guides about it.
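
Added example, not part of any message in this thread: a sketch of how a CA evaluates CAA for a mirror name, using the tree-climbing lookup of RFC 8659 (which obsoletes RFC 6844), to show why a record on <CC>.debian.org blocks issuance for every ftp*.<CC>.debian.org name below it. The zone data, the CA name "ca.example" and the function names are constructed for illustration, and CNAME handling is omitted.

```python
# Constructed CAA data for illustration; these are not real DNS answers.
# Each record is (flags, tag, value).
ZONE = {
    # 'issue ";"' = no CA may issue, as the thread describes for <CC>.debian.org
    "cn.debian.org": [(0, "issue", ";")],
    # hypothetical operator-owned domain that authorizes one CA
    "example.net": [(0, "issue", "ca.example; account=123"),
                    (0, "iodef", "mailto:sec@example.net")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone=ZONE):
    """Climb from name toward the root; return (owner, records) for the
    first name that has a non-empty CAA record set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_domain(value):
    """Issuer name is the part before the first ';' (parameters follow)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca, zone=ZONE):
    """True if CAA permits CA `ca` to issue for `name` (may start with '*.')."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    _, rrset = relevant_rrset(name, zone)
    # An unrecognized property with the critical bit (0x80) set forbids issuance.
    if any(f & 0x80 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    wild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    props = wild if (wildcard and wild) else issue
    if not props:
        return True  # no applicable issue property: CAA places no restriction
    return any(issuer_domain(v) == ca.lower() for v in props)

if __name__ == "__main__":
    for host in ("ftp2.cn.debian.org", "mirror.example.org", "www.example.net"):
        print(host, relevant_rrset(host)[0], may_issue(host, "ca.example"))
```

A mirror operator can run the same check against live data by fetching the CAA record sets with any DNS client and feeding them in as the zone mapping.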