HTTPS-ing GNUcode.me

by Joshua Branson — September 03, 2020

So, when I recently re-configured this website with Guix System and the associated nginx service, I set up the site to work just fine with HTTP and HTTPS. The difference is that HTTPS has a little green "this site is secure" logo in the upper left-hand side of your browser.

The tiny baby little problem was that users could happily use the insecure version of the site, which could open the door to a man-in-the-middle attack. Luckily I've been reading up on the HTTP header Strict-Transport-Security, which allows me to inform users that my site supports HTTPS. You can still browse the site using HTTP, but once your browser has seen the header over HTTPS, it will most likely redirect you to the HTTPS version.

You can verify this yourself with the following:

wget http://gnucode.me

And of course I have to show the configuration. On my Linode Guix server it looks something like this:

(service nginx-service-type
         (nginx-configuration
          (server-blocks
           (list
            (nginx-server-configuration
             (server-name '("gnucode.me"))
             (listen '("80" "443 ssl"))
             (root "/srv/www/html/gnucode.me/site/")
             ;; tell browsers my site supports HTTPS, and tell them that it will
             ;; at least work for 1/2 hour.  Gradually,  I will increase this number.
             (raw-content (list "add_header Strict-Transport-Security max-age=1800;"))
             (ssl-certificate "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
             (ssl-certificate-key "/etc/letsencrypt/live/gnucode.me/privkey.pem")
             (locations
              (list
               (nginx-location-configuration          ;certbot
                (uri "/.well-known")
                (body (list "root /srv/www;"))))))))))
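
As an added example (not part of the original post, and not Guix or nginx code), this Python sketch models how a browser treats the max-age=1800 header from the configuration above: the header is ignored when it arrives over plain HTTP, http:// URLs are upgraded after one HTTPS visit, and the upgrade stops once the 30 minutes run out. The HstsStore class, its method names and the sample URLs are assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Return max-age in seconds, or None if the header value is invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # tolerate empty directives such as a trailing ";"
        if name in seen:
            return None  # RFC 6797: each directive may appear only once
        seen[name] = arg.strip().strip('"')
    age = seen.get("max-age", "")
    return int(age) if age.isdecimal() else None  # max-age is required


class HstsStore:
    """Toy model of a browser's HSTS host list (exact host, default ports only)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.expiry = {}  # host -> absolute expiry time in seconds

    def note_response(self, url, header):
        parts = urlsplit(url)
        max_age = parse_hsts(header)
        if parts.scheme != "https" or max_age is None:
            return  # a header received over plain HTTP is ignored
        if max_age == 0:
            self.expiry.pop(parts.hostname, None)  # max-age=0 deletes the policy
        else:
            self.expiry[parts.hostname] = self.clock() + max_age

    def rewrite(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and self.expiry.get(parts.hostname, 0) > self.clock():
            return urlunsplit(("https", parts.hostname, *parts[2:]))
        return url


if __name__ == "__main__":
    store = HstsStore()
    header = "max-age=1800"  # value from the nginx raw-content line
    store.note_response("http://gnucode.me/", header)   # ignored: plain HTTP
    print(store.rewrite("http://gnucode.me/"))
    store.note_response("https://gnucode.me/", header)  # stored for 30 minutes
    print(store.rewrite("http://gnucode.me/"))
```
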

Guix System makes this kind of thing really easy! You should try it!

Happy Hacking! insert cute emoji here