https for lists.dune-project.org

This issue is for tracking the migration of http://lists.dune-project.org to https://lists.dune-project.org

It is under infrastructure, since the dune-lists-doc repository is internal.

TODOs:

• Document setup in dune-lists-doc
• Enable automatic certificate renewal
• Enable permanent redirect to https (done, see also dune-lists-doc!4)
• Fix dune-website to directly point to the https version (see #52 (closed), dune-website!144 (merged))
• Fix internal mailman stuff to point to the https version (including list footers and Lists-* headers and more)
• Consider enabling HSTS, a.k.a. if https ever worked, lets assume it'll always work (1 month: dune-lists-doc!5)

Certificate renewal was actually enabled automatically. #51 (closed) is a reminder for me to check that it actually works.

For the permanent redirect to https, the /.well-known/acme-challenge/ directory must be excluded, as the ACME standard states:

8.3. HTTP Challenge

[...]

Because many web servers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be completed over HTTP, not HTTPS.

Let's Encrypt does follow http -> https redirects, even redirects to other domains. It's only important that the initial request goes out via http.

Ah, thanks, that should simplify things.

The internal mailman stuff should be converted. I verified this with the following exceptions:

• The list archive points back to the http-URL of the list information. I believe that will fix itself once the next message is archived, but that needs verification. (Looks good as of 2018-10-01)
• I believe the headers included in sent mails are fixed, but again, that needs checking.

Maybe I should crawl lists.dune-project.org looking for http://lists.dune-project.org-urls just to find stragglers. Although that might turn up quite a few urls in the contents of mails, which I want to preserve as they are.

Uh, the archiver will only touch the html-files it absolutely needs to touch to archive a new mail. That means I need to fix all the existing files manually. Unfortunately I cannot simply regenerate the archives, since some mails are missing from them due to spam cleaning, thus regenerating would change archive links.

Hmm. The actual mail content is delimited by <!--beginarticle--> and <!--endarticle--> blocks in the .html-files, and it is pretty straightforward to only fix urls outside of that. But: when converting multi-part mails, the archiver will put attachments into extra files and link to them, and those links will also appear within the actual content.

I had another look at regeneration, the idea being to insert dummy mails in the archives in places where spam has been removed. But it is apparently much worse, since the initial archive has been generated some 25 years ago when mailman and pipermail were quite different. Meaning: also the content of the mails will change a lot, including for some mails whether attachements are extracted into their own files or presented inline. I guess I'm just going to convert everything that looks like http://lists.dune-project.org to https://...

We can so the archive-breaking conversion once we switch to a new archiver alltogether. Mailman 3 is in backports...

The list archives have been converted. While at it, I also fixed the old flyspray links to point to the flyspray issues imported into gitlab, see e.g. https://lists.dune-project.org/pipermail/dune/2005-September/000958.html. Only the autogenerated href= part in the html has been converted, the visible part has not been touched in such cases.

The http host now redirects to the https host. At the moment is is a temporary redirect, if that does not cause any problems, the permanent redirect would be

Redirect permanent / https://lists.dune-project.org/

in /etc/apache2/sites-available/000-default.conf.

HSTS is now enabled with a timeout of 5min.

HSTS timeout has been cranked up to one week.