Homebrew/brew.sh

Use HTTPS

fuzzyroddis opened this issue · 15 comments

Previously discussed here:
#76
#25

From my understanding the issue is cost and complexity.

https://support.cloudflare.com/hc/en-us/articles/203663694-How-do-I-enable-free-Universal-SSL-with-Github-

Cloudflare will do HTTPS for free with a simple dns change and no need to move away from Github pages.

DomT4 commented

You missed further discussion over in the Homebrew repo. This was possible for a while (I set up a test page using an identical setup to the Homebrew homepage) but Cloudflare seemingly later moved to block it and it no longer functioned.

We contacted them to check and were told SSL on GitHub Pages using a custom domain was a dead end at the present time.

At last check that hadn't changed.

That's a shame! How long did it take till it was blocked?

I have a copy of brew.sh working here https://uow.ninja

@fuzzyroddis The issue isn't setting up CloudFlare but the interaction between setting up CloudFlare and the other services on brew.sh (managed by DNSimple). I'd still like to try and get this working.

Cloudflare will take over DNS, will this be problematic?
GitHub has declared the test account I used for https://uow.ninja as "not human", so that's why it isn't working, but Cloudflare seems to be ok with it :)

I use this:

CNAME
uow.ninja is an alias of testydvek.github.io (Cloudflare)
CNAME
www is an alias of testydvek.uow.ninja (Cloudflare)

I'd love to help get this up and running

Cloudflare will take over DNS, will this be problematic?

Yes, we have stuff on bot.brew.sh and email addresses we need to use.

Does DNSimple provide a service that is specific to them that you require?

On the test domain I set up DNS records that match those of brew.sh

Brew.sh
https://toolbox.googleapps.com/apps/dig/#A/bot.brew.sh
https://toolbox.googleapps.com/apps/dig/#MX/brew.sh

uow.ninja
https://toolbox.googleapps.com/apps/dig/#A/bot.uow.ninja
https://toolbox.googleapps.com/apps/dig/#MX/uow.ninja

The grey cloud with an arrow going over it icon
[screenshot: Cloudflare proxy-status icon, 2016-02-05]
indicates it is not proxied by Cloudflare, so its traffic goes directly to your host and will work just like it did before.

According to https://support.dnsimple.com/articles/cloudflare-service/#universal-ssl-limitations you'll need to change your name servers to Cloudflare's to use Universal HTTPS.

Here is my setup on Cloudflare.
[screenshot: Cloudflare DNS setup, 2016-02-05]

Sorry for the late response, I've sadly been really busy. Happy to help make this happen though!

I need to try and figure this out at some point.

Thanks 👍

Please do try and figure this out. It only takes one network rule by a hacked router or malicious ISP to rewrite brew.sh's delivered cURL command to pull from a malicious URL that users won't notice (e.g. some variant of raw.githubusercontent.com), with a script that's identical up to the point that the user types in their password for sudo access, and then owns their machine.

And users will, rightly, blame Homebrew for the attack -- if they ever learn that they were attacked at all.
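The comment above describes the risk of an install command delivered over plain HTTP being rewritten in transit. As an added example (not Homebrew's installer and not code from this thread), the functions below show the client-side mitigations that remain even once the site itself is on HTTPS: refuse any non-HTTPS URL, force TLS on the download, and compare a pinned SHA-256 before the script is run. The URL and digest in the usage line are placeholders, not brew.sh values.

```shell
#!/usr/bin/env sh
# Added example, not Homebrew's own code. The expected digest is assumed to be
# known out of band (published fingerprint, signed release notes, etc.).

# Return 0 only for an https:// URL. A curl line rewritten to http:// or to a
# look-alike host is refused before any network traffic happens.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# Hex SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a downloaded file against the pinned digest: 0 on match, 1 otherwise.
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ] && return 0
  echo "digest mismatch: expected $2, got $actual" >&2
  return 1
}

# Download over TLS 1.2+ only (--proto '=https' makes curl refuse an http://
# redirect), verify, and only then hand the file to sh.
fetch_and_run() {
  url=$1; expected=$2
  require_https "$url" || return 1
  tmp=$(mktemp) || return 1
  curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  if verify_script "$tmp" "$expected"; then
    sh "$tmp"; status=$?
  else
    status=1
  fi
  rm -f "$tmp"
  return $status
}

# Placeholder usage (constructed URL and digest, not real values):
# fetch_and_run "https://example.com/install.sh" "<pinned-sha256-here>"
```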

DomT4 commented

The desire to get brew.sh covered with SSL/TLS is mutual. This isn't being ignored, even if public activity on getting there appears that way.

That's awesome to hear, thank you. 👍

DNSimple has a private beta of Let's Encrypt. Not sure if that would be useful or not.

yegle commented

In case you are not aware: Firebase by Google provides a free plan to host static websites and automatically provisions SSL for custom domains.

https://firebase.google.com/docs/hosting/custom-domain

Also, here's the pricing page for Firebase; I'm not sure we'd qualify for the free tier:

Fixed by using Netlify which made this all pretty easy.