[SAC] osgeo.org problems

Richard Duivenvoorde richard at duif.net
Sat Aug 15 04:31:48 PDT 2015


On 15-08-15 12:14, Markus Neteler wrote:
> Hi,
> 
> right now I tried to connect to www.osgeo.org with Firefox 39.0.3 on Fedora 21:
> 
> - http://www.osgeo.org  --> "Waiting.." forever
> 
> - https://www.osgeo.org  -->
> 
> The page isn't redirecting properly
> Firefox has detected that the server is redirecting the request for
> this address in a way that will never complete.
> --> while it is then on https://www.osgeo.org/home
> 
> Perhaps an indication of the true problem?

I think I found the crux (have had that with qgis.org too, but used
another workaround).

Issuing the URLs using curl (-L to see the headers, -v to see verbose),
and googling for Firefox issues, I found [0] an answer:

"Are there any parts of your site where you use HTTPS? Sometimes an
administrative page will send Firefox a header indicating that it must
always use HTTPS ("Strict Transport Security"), and that is remembered
for the entire domain, even for pages that should not use HTTPS."

Looking into some https URLs it seems that mailman on osgeo.org has
this Strict-Transport-Security header (more about it: [1] and [2]):

$ curl -vL https://lists.osgeo.org/mailman/listinfo/qgis-developer
*   Trying 140.211.15.134...
...
< Cache-control: no-cache
< Strict-Transport-Security: max-age=15768000
< Vary: Accept-Encoding
...
(probably there are more places)

So apparently you and I have visited https parts of osgeo.org and hit
the Strict-Transport-Security header, which is remembered.
To confirm this theory I try to open https://www.osgeo.org in a 'private
window' of Firefox (no history, cookies etc), and that just works!

But I'm afraid there is not a proper solution...
- we can either remove the HTTP_Strict_Transport_Security header from
our servers (but hey, that is there for a reason)
- we can serve osgeo.org ALL over https

Other ideas?

Regards,

Richard Duivenvoorde

[0] https://support.mozilla.org/en-US/questions/1027355
[1] https://support.mozilla.org/en-US/questions/978166
[2] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
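
Added example (not part of the original message): a small Python model of how a browser notes and applies a Strict-Transport-Security header under RFC 6797, fed with the header value from the curl output above. The `HstsStore` class and its method names are hypothetical, and the `now` timestamps are constructed values in seconds.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains) from an STS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Hypothetical minimal model of a browser's known-HSTS-host list."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def note(self, url, header, now):
        parts = urlsplit(url)
        if parts.scheme != "https":  # the header is ignored over plain HTTP
            return
        max_age, include_sub = parse_hsts(header)
        host = parts.hostname.lower()
        if max_age == 0:             # max-age=0 deletes the stored policy
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (now + max_age, include_sub)

    def forces_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            # exact match always applies; a parent only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

if __name__ == "__main__":
    store = HstsStore()
    # Header value as shown in the curl output of the message
    store.note("https://lists.osgeo.org/mailman/listinfo/qgis-developer",
               "max-age=15768000", now=0)
    for h in ("lists.osgeo.org", "www.osgeo.org"):
        print(h, store.forces_https(h, now=1))
```

To see which hosts on a domain actually send the header and with which directives, repeat the `curl -v` check from the message against each HTTPS host and pass the values to `note()`.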


