1d — SSL Between backend servers and Fastly
Closed this issue · 2 comments
renoirb commented
SSL communication has to be done both between:
- Fastly and visitor
- Fastly and backend (our servers)
At this moment, only the first case is fulfilled; that’s what we change for all services that are served by Fastly.
Web apps progress
- docs.webplatform.org
- Ensure www.webplatform.org supports both, but don’t force SSL
- blog.webplatform.org
- stats.webplatform.org
Estimated steps
- Update documentation in https://docs.webplatform.org/wiki/WPD:Infrastructure/architecture/SSL_certificates
- Ensure any public-facing subdomains, on both webplatform.org AND webplatformstaging.org, have valid certificates from an accepted CA
- Use StartSSL certificates for the obscure endpoints but yet user facing (e.g. oauth.accounts.webplatform.org MUST be from a known Certificate Authority, but most users won’t see in their browsers)
- Make sure Fastly has them installed
- Make sure Fastly connects to backend servers (our VMs) through IPADDR:443
- Make sure all web servers (e.g. NGINX & Apache) have the certificates AND that each subdomain uses the right certificate
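One way to check the last two steps from outside Fastly, as an added example that is not part of the original issue: connect to a backend at IPADDR:443 with the subdomain sent as SNI, validate the chain against the system CA store, and report whether the certificate served actually covers that subdomain. It assumes the backends select certificates by SNI; the helper names and the `192.0.2.10` address are hypothetical placeholders.

```python
import socket
import ssl

def san_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def dns_names(cert):
    """DNS subjectAltName entries from an SSLSocket.getpeercert() dict."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def cert_covers(cert, hostname):
    """True if any DNS name in the certificate matches the hostname."""
    return any(san_matches(n, hostname) for n in dns_names(cert))

def check_backend(ip, hostname, port=443, timeout=5.0):
    """Connect to ip:port with SNI=hostname; validate the chain against the
    system CA store, then report which names the served certificate covers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; name is checked below
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        # Untrusted CA, expired certificate, closed port, timeout, ...
        return {"host": hostname, "ok": False, "detail": str(exc)}
    ok = cert_covers(cert, hostname)
    detail = ("expires %s" % cert.get("notAfter") if ok
              else "wrong certificate, covers %s" % dns_names(cert))
    return {"host": hostname, "ok": ok, "detail": detail}

if __name__ == "__main__":
    # Constructed inventory: 192.0.2.10 is a documentation address (assumption);
    # replace it with the backend IP that Fastly is configured to reach.
    BACKENDS = {"docs.webplatform.org": "192.0.2.10",
                "oauth.accounts.webplatform.org": "192.0.2.10"}
    for host, ip in BACKENDS.items():
        print(check_backend(ip, host))
```

A wildcard for `*.webplatform.org` does not cover `oauth.accounts.webplatform.org`, so that endpoint shows up as a wrong-certificate result unless it has its own certificate.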