
Re: Re: HTTPS for Debian archive mirrors, and CAA



> On Monday, 18 September 2017 at 6:01:19 PM CST, Julien Cristau wrote:
> > Hi,
> > 
> > the debian mirrors team needs to be able to point the
> > ftp.<CC>.debian.org aliases at different backends based on their status.
> > As such, the only service that is guaranteed to be available at these
> > names is HTTP.  Offering HTTPS on these names means breakage whenever
> > they are pointed at a different mirror.
> > 
> > Accordingly, we have set CAA records (RFC 6844) on the <CC>.debian.org
> > domains to disallow any certificate issuance, and we'd like to ask
> > mirror operators who were offering HTTPS under these names to stop doing
> > so.  They are of course free to continue offering the service under a
> > non-debian.org domain name.
> > 
> > Thanks,
> > Julien
> 
> Sorry to hear that. That essentially means that all ftp*.*.debian.org domains 
> will no longer be available via HTTPS.
> 
> The necessity of setting up https-enabled mirror sites has been discussed 
> several times before and there's no need to repeat it again here. Removing 
> such ability from ftp*.*.debian.org is a step backward, unfortunately.
> 
> P.S. I am aware that deb.debian.org provides https access. However, such CDN 
> service is not working well in certain areas of the world, e.g., China 
> mainland.
> 
> Regards,
> Boyuan Yang

Also sorry to hear that. I hold the same view that it is necessary to
utilize https to prevent buggy ISP cache.

BTW, I've learned that you are now pointing ftp.<CC>.debian.org aliases at 
different backends. Could you give detailed information about that so that 
the backends can be configured properly? For example, on our server, which 
is serving ftp2.cn.debian.org, requests with an unknown "Host:" header will be
rejected due to security issues, i.e. if you point ftp.xx.debian.org to 
our server without notice in advance, requests pointing to that domain name
will be silently disconnected. I guess configuring *.*.debian.org would work and
I wonder if you have any guides about it.
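
The following is an added example, not part of the original thread and not Debian's own tooling: a simplified sketch of how a CA evaluates the CAA records (RFC 6844) mentioned in the quoted message, showing why an `issue ";"` record on a country-code zone blocks certificates for every name beneath it. The zone names, the CA name and the function names are constructed placeholders; alias (CNAME/DNAME) handling and `issuewild` are left out.

```python
# Added example: simplified CAA (RFC 6844) evaluation over constructed records.
# No DNS lookups are made; alias handling and issuewild are not modelled.

# Constructed sample data: owner name -> list of (flags, tag, value).
# "cc.debian.example" stands in for a <CC>.debian.org zone; not real records.
SAMPLE_ZONE = {
    "cc.debian.example": [(0, "issue", ";")],        # forbid all issuance
    "debian.example": [(0, "issue", "ca.example")],  # parent allows one CA
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from name towards the root; return (owner, records) of the
    first non-empty CAA set found, or (None, []) if there is none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_domain(value):
    """Issuer domain part of an issue value, before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca_domain, zone):
    """True if the CA identified by ca_domain may issue for a non-wildcard name."""
    _, records = relevant_rrset(name, zone)
    if not records:
        return True   # no CAA on the path to the root: no restriction
    for flags, tag, _ in records:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False  # critical property the CA does not understand
    issue_values = [v for _, t, v in records if t.lower() == "issue"]
    if not issue_values:
        return True   # e.g. iodef only: issuance is not restricted
    allowed = {d for d in map(issuer_domain, issue_values) if d}
    return ca_domain.lower() in allowed  # issue ";" yields an empty set

if __name__ == "__main__":
    for host in ("ftp.cc.debian.example", "www.debian.example"):
        print(host, may_issue(host, "ca.example", SAMPLE_ZONE))
```

Because the closest CAA set wins, the permissive record on the parent zone is never consulted for names under the country-code zone.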

