by Joshua Branson — September 03, 2020
So, when I recently re-configured this website with guix system and the
associated nginx service, I set up the site to work just fine with HTTP and
HTTPS. The difference is that HTTPS has a little green "this site is secure"
logo in the upper left hand side of your browser.
The tiny baby little problem was that users could happily use the insecure
version of the site, which could promote a man in the middle attack. Luckily
I've been reading up on the HTTP header Strict-Transport-Security, which
allows me to inform users that my site supports HTTPS. You can still browse
the site using HTTP, but most likely your browser will re-direct you to the
HTTPS version.
You can verify this yourself with the following:
wget http://gnucode.meAnd of course I have to show the configuration for my linode guix server looks something like this:
(service nginx-service-type
(nginx-configuration
(server-blocks
(list
(nginx-server-configuration
(server-name '("gnucode.me"))
(listen '("80" "443 ssl"))
(root "/srv/www/html/gnucode.me/site/")
;; tell browsers my site supports HTTPS, and tell them that it will
;; at least work for 1/2 hour. Gradually, I will increase this number.
(raw-content (list "add_header Strict-Transport-Security max-age=1800;"))
(ssl-certificate "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
(ssl-certificate-key "/etc/letsencrypt/live/gnucode.me/privkey.pem")
(locations
(list
(nginx-location-configuration ;certbot
(uri "/.well-known")
(body (list "root /srv/www;"))))))))))Guix System makes this kind of thing really easy! You should try it!
Happy Hacking! insert cute emoji here