Support https

[asmeurer]

GitHub is apparently supporting https for custom domains now. The enforce checkbox can be checked, although for me it doesn't actually do anything (it still allows http).

For SymPy, https://www.sympy.org/ gives mixed content warnings because of several http resources:

Mixed Content: The page at 'https://www.sympy.org/en/index.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans:300,400,700|Gentium+Basic'. This request has been blocked; the content must be served over HTTPS.
index.html:109 Mixed Content: The page at 'https://www.sympy.org/en/index.html' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://www.sympygamma.com/input/'. This endpoint should be made available over a secure connection.
cb=gapi.loaded_0:221 Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://accounts.google.com') does not match the recipient window's origin ('https://www.sympy.org').
(anonymous) @ cb=gapi.loaded_0:221
index.html:1 Mixed Content: The page at 'https://www.sympy.org/en/index.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans:300,400,700|Gentium+Basic'. This request has been blocked; the content must be served over HTTPS.

These should be easy enough to fix. We should also fix the other sites (sympy docs, sympy gamma, and sympy live).

[asmeurer]

SymPy Live and SymPy Gamma aren't served over GitHub pages, so that would be a separate thing to fix (they don't presently work over https at all).

[normalhuman]

Also, docs.sympy.org loads several stylesheets from live.sympy.org. I don't see why; when the stylesheets get blocked by the browser, the pages look as they normally do.

As far as docs.sympy.org is concerned, the main issue is the outdated MathJax link, besides being http it points to a long-retired CDN. I'll try to correct this when I manage to clone sympy_doc, which turned out to be quite a heavy repo to clone.

[asmeurer]

It might be possible to have https on live as well. We need to look into it.

[asmeurer]

Looking into https for SymPy Live and SymPy Gamma. It looks like Google provides a certificate (https://cloud.google.com/appengine/docs/standard/python/securing-custom-domains-with-ssl), but we have to set up the custom domains.

It looks like live.sympy.org and gamma.sympy.org are not registered in the Google Cloud dashboard. www.sympygamma.com is registered, but it doesn't let me modify it (it says I don't own it).

@certik do you still have admin access to these domains, or will we need to fix this through NumFOCUS?

Here is the relevant dashboard page https://console.cloud.google.com/appengine/settings/domains?project=sympy-gamma-hrd&serviceId=default (and https://console.cloud.google.com/appengine/settings?project=sympy-live-hrd&serviceId=default for SymPy Live)

[asmeurer]

OK, now HTTPS works and is required for SymPy Live and SymPy Gamma, and it works for sympy.org (sympy/sympy_gamma#111).

One final problem, is that https://sympy.org gives an invalid cert error (as opposed to https://www.sympy.org). I don't know if it can be fixed.

[asmeurer]

Anyway, I went ahead and checked the "enforce https" box for www.sympy.org.

[certik]

I know how to fix that error in https://sympy.org. I thought I already did. So let me investigate.

[certik]

Ok, so to fix that error, one must make sure to include the 4 IP addresses here: https://help.github.com/articles/troubleshooting-custom-domains/#https-errors, and I have done that some time ago for sympy.org. That fixed the problem that time. However, now the problem is there again. So not sure what is causing it.

[certik]

I removed and re-added the custom domain in github's settings.

This still fails: https://sympy.org. The setting seems to be identical to this: https://theoretical-physics.com/, which works.

[asmeurer]

Maybe the custom domain needs to be sympy.org instead of www.sympy.org?

[certik]

No, the custom domain needs to be www.sympy.org, just like the custom domain is www.theoretical-physics.com.

[certik]

Here is why github recommends to use the www subdomain: https://help.github.com/articles/about-supported-custom-domains/#www-subdomains

[asmeurer]

That page you linked says "It can take up to an hour for your GitHub Pages site to become available over HTTPS after you add and correctly configure your custom domain." So let's wait a bit and see if it works.

[certik]

Ok, I think that is probably it. I can't find any other difference between the configurations.

[asmeurer]

I just tried setting it up with my website asmeurer.com and it's the same thing. https://asmeurer.com fails with invalid cert (the same one as https://sympy.org). http://asmeurer.com works just fine. Previously I just had a basic URL redirect from asmeurer.com to www.asmeurer.com.

[certik]

We might need to contact github support. I don't know what is going on. It's supposed to work, and it does for https://theoretical-physics.com/.

[isuruf]

https://www.sympy.org/en/index.html works for me

[asmeurer]

@isuruf the issue is https://sympy.org (without the www).

[asmeurer]

Let's wait 24 hours, just in case it is some caching issue, and then contact GitHub support. The probably won't get back to us until Monday anyway.

[isuruf]

From https://help.github.com/articles/setting-up-an-apex-domain-and-www-subdomain/

Warning: If your domain has HTTPS enforcement enabled, GitHub Pages' servers will not automatically route redirects. You must configure www subdomain and root domain redirects with your domain registrar.

[isuruf]

Maybe above might help

[asmeurer]

That is how I had it before, with my site asmeurer.com. It was just a URL record to www.asmeurer.com. But with that, www.asmeurer.com was served over https, but https://asmeurer.com just didn't load.

That page does say you can configure www.sympy.org or sympy.org, and the other will redirect to it. So maybe we should try changing the GitHub pages domain to sympy.org?

[asmeurer]

I tried changing the site for my site from www.asmeurer.com to asmeurer.com. The "enforce https" box unchecked and said

Not yet available for your site because the certificate has not finished being issued.
Please allow 24 hours for this process to complete. (asmeurer.com)
HTTPS provides a layer of encryption that prevents others from snooping on or tampering with traffic to your site.
When HTTPS is enforced, your site will only be served over HTTPS. Learn more.

(also it broke my site, so let's not do this for sympy.org!)

[asmeurer]

Hmm, after changing it back, https://asmeurer.com now works. I don't know if it just happened to get fixed, or if my moving it around triggered the cert being issued.

[asmeurer]

OK, I did the same for sympy, and now it works! https://sympy.org redirects to https://www.sympy.org/en/index.html. I guess the support site was a little ambiguous. You have to reenter the GitHub pages domain, because that is what triggers the cert to be issued. So if you want both www.sympy.org and sympy.org you have to enter them both.

I agree with @certik that we should keep it www.

So I believe this issue can now be closed. All SymPy domains now support HTTPS, and loading them over HTTP automatically redirects them to https.

If anyone finds any issues with HTTPS, or knows of any SymPy sites that aren't being served over HTTPS, let me know. The following SymPy domains should be working over HTTPS:

sympy.org
www.sympy.org
docs.sympy.org
planet.sympy.org
live.sympy.org
gamma.sympy.org
sympygamma.com
www.sympygamma.com

[certik]

@asmeurer I see. I might have done that with https://theoretical-physics.com/ and forgot about it.