Redirect all Mailman sites from HTTP to HTTPS

For the past six months, all our mailing list sites have supported
HTTPS without incident. The main downside to the current
implementation is that Mailman itself writes some URLs with an
explicit scheme, causing people submitting forms from pages served
over HTTPS to get warnings because the forms are posting to plain
HTTP URLs for the same site. In order to correct this, we need to
tell Mailman to put https:// instead of http:// into these, but
doing so essentially eliminates any reason for us to continue
serving content over plain HTTP anyway.

Configure the default URL scheme of all our Mailman sites to use
HTTPS now, and set up permanent redirects from HTTP to HTTPS, per
the examples in the project's documentation:

https://wiki.list.org/DOC/4.27%20Securing%20Mailman%27s%20web%20GUI%20by%20using%20Secure%20HTTP-SSL%20%28HTTPS%29

Also update our testinfra functions to validate the blanket
redirects and perform all other testing over HTTPS.

Once this merges, the fix_url script will need to be run manually
against all lists for the current sites, as noted in that document.

Change-Id: I366bc915685fb47ef723f29d16211a2550e02e34
changes/19/848319/3
Jeremy Stanley 7 months ago
parent 195ff48d4a
commit 49643313d7

@ -9,61 +9,7 @@
CustomLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-access.log combined
DocumentRoot /var/www
RewriteEngine on
# TODO(fungi): convert this vhost into a blanket redirect to HTTPS when ready
RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
RewriteCond %{HTTP_HOST} ^lists\.openstack\.org$ [nocase]
RewriteRule /(cgi-bin/mailman/listinfo|pipermail)/(community|foundation|foundation-board|foundation-board-confidential|goldmembers|marketing|staff|summitsponsors)(/.*|$) %{REQUEST_SCHEME}://lists.openinfra.dev/$1/$2$3 [last,redirect=permanent]
RewriteCond %{HTTP_HOST} ^lists\.openstack\.org$ [nocase]
RewriteRule /(cgi-bin/mailman/listinfo|pipermail)/(edge-computing)(/.*|$) %{REQUEST_SCHEME}://lists.opendev.org/$1/$2$3 [last,redirect=permanent]
# We can find mailman here:
ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/
# And the public archives:
Alias /pipermail/ /srv/mailman/{{ mailman_site.name }}/archives/public/
# Logos:
Alias /images/mailman/ /usr/share/images/mailman/
# Use this if you don't want the "cgi-bin" component in your URL:
# In case you want to access mailman through a shorter URL you should enable
# this:
#ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
# In this case you need to set the DEFAULT_URL_PATTERN in
# /etc/mailman/mm_cfg.py to http://%s/mailman/ for the cookie
# authentication code to work. Note that you need to change the base
# URL for all the already-created lists as well.
<Directory /usr/lib/cgi-bin/mailman/>
AllowOverride None
Options ExecCGI
AddHandler cgi-script .cgi
SetEnv HOST {{ mailman_site.listdomain }}
Order allow,deny
Allow from all
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
<Directory /srv/mailman/{{ mailman_site.name }}/archives/public/>
Options FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
<Directory /usr/share/images/mailman/>
AllowOverride None
Order allow,deny
Allow from all
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
RedirectPermanent / https://{{ mailman_site.listdomain }}/
</VirtualHost>
<VirtualHost *:443>

@ -57,7 +57,7 @@ MAILMAN_SITE_LIST = 'mailman'
#-------------------------------------------------------------
# If you change these, you have to configure your http server
# accordingly (Alias and ScriptAlias directives in most httpds)
DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/'
PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private'
IMAGE_LOGOS = '/images/mailman/'

@ -9,56 +9,7 @@
CustomLog ${APACHE_LOG_DIR}/{{ mailman_listdomain }}-access.log combined
DocumentRoot /var/www
RewriteEngine on
# TODO(fungi): convert this vhost into a blanket redirect to HTTPS when ready
RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
# We can find mailman here:
ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/
# And the public archives:
Alias /pipermail/ /var/lib/mailman/archives/public/
# Logos:
Alias /images/mailman/ /usr/share/images/mailman/
# Use this if you don't want the "cgi-bin" component in your URL:
# In case you want to access mailman through a shorter URL you should enable
# this:
#ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
# In this case you need to set the DEFAULT_URL_PATTERN in
# /etc/mailman/mm_cfg.py to http://%s/mailman/ for the cookie
# authentication code to work. Note that you need to change the base
# URL for all the already-created lists as well.
<Directory /usr/lib/cgi-bin/mailman/>
AllowOverride None
Options ExecCGI
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
<Directory /var/lib/mailman/archives/public/>
Options FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
<Directory /usr/share/images/mailman/>
AllowOverride None
Order allow,deny
Allow from all
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
RedirectPermanent / https://{{ mailman_listdomain }}/
</VirtualHost>
<VirtualHost *:443>

@ -57,7 +57,7 @@ MAILMAN_SITE_LIST = 'mailman'
#-------------------------------------------------------------
# If you change these, you have to configure your http server
# accordingly (Alias and ScriptAlias directives in most httpds)
DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/'
PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private'
IMAGE_LOGOS = '/images/mailman/'

@ -17,11 +17,15 @@ def test_mm_list_is_present(host):
assert 'kata-dev' in cmd.stdout
def test_mm_list_site(host):
cmd = host.run('curl '
'--resolve lists.katacontainers.io:80:127.0.0.1 '
'http://lists.katacontainers.io/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.katacontainers.io Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl --insecure '
'--resolve lists.katacontainers.io:443:127.0.0.1 '
'https://lists.katacontainers.io/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.katacontainers.io Mailing Lists</TITLE>' in cmd.stdout
def test_mm_list_site_redirect_http(host):
cmd = host.run('curl '
'--resolve lists.katacontainers.io:80:127.0.0.1 '
'http://lists.katacontainers.io/cgi-bin/mailman/listinfo')
assert ('The document has moved <a href="'
'https://lists.katacontainers.io/cgi-bin/mailman/listinfo'
'">here</a>') in cmd.stdout

@ -32,82 +32,83 @@ def test_mm_list_is_present(host):
assert 'zuul-discuss' in cmd.stdout
def test_mm_list_site(host):
cmd = host.run('curl '
'--resolve lists.airshipit.org:80:127.0.0.1 '
'http://lists.airshipit.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.airshipit.org Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl --insecure '
'--resolve lists.airshipit.org:443:127.0.0.1 '
'https://lists.airshipit.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.airshipit.org Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl '
'--resolve lists.opendev.org:80:127.0.0.1 '
'http://lists.opendev.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.opendev.org Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl --insecure '
'--resolve lists.opendev.org:443:127.0.0.1 '
'https://lists.opendev.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.opendev.org Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl '
'--resolve lists.openinfra.dev:80:127.0.0.1 '
'http://lists.openinfra.dev/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.openinfra.dev Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl --insecure '
'--resolve lists.openinfra.dev:443:127.0.0.1 '
'https://lists.openinfra.dev/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.openinfra.dev Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl '
'--resolve lists.openstack.org:80:127.0.0.1 '
'http://lists.openstack.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.openstack.org Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl --insecure '
'--resolve lists.openstack.org:443:127.0.0.1 '
'https://lists.openstack.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.openstack.org Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl '
'--resolve lists.starlingx.io:80:127.0.0.1 '
'http://lists.starlingx.io/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.starlingx.io Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl --insecure '
'--resolve lists.starlingx.io:443:127.0.0.1 '
'https://lists.starlingx.io/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.starlingx.io Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl '
'--resolve lists.zuul-ci.org:80:127.0.0.1 '
'http://lists.zuul-ci.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.zuul-ci.org Mailing Lists</TITLE>' in cmd.stdout
cmd = host.run('curl --insecure '
'--resolve lists.zuul-ci.org:443:127.0.0.1 '
'https://lists.zuul-ci.org/cgi-bin/mailman/listinfo')
assert '<TITLE>lists.zuul-ci.org Mailing Lists</TITLE>' in cmd.stdout
def test_mm_list_site_redirect_listinfo_http(host):
def test_mm_list_site_redirect_http(host):
cmd = host.run('curl '
'--resolve lists.openstack.org:80:127.0.0.1 '
'http://lists.openstack.org/cgi-bin/mailman/listinfo/staff')
'--resolve lists.airshipit.org:80:127.0.0.1 '
'http://lists.airshipit.org/cgi-bin/mailman/listinfo')
assert ('The document has moved <a href="'
'http://lists.openinfra.dev/cgi-bin/mailman/listinfo/staff'
'https://lists.airshipit.org/cgi-bin/mailman/listinfo'
'">here</a>') in cmd.stdout
cmd = host.run('curl --location '
'--resolve lists.openinfra.dev:80:127.0.0.1 '
'--resolve lists.openstack.org:80:127.0.0.1 '
'http://lists.openstack.org/cgi-bin/mailman/listinfo/staff')
assert '<TITLE>Staff Info Page</TITLE>' in cmd.stdout
def test_mm_list_site_redirect_archives_http(host):
cmd = host.run('curl '
'--resolve lists.openstack.org:80:127.0.0.1 '
'http://lists.openstack.org/pipermail/staff/')
'--resolve lists.opendev.org:80:127.0.0.1 '
'http://lists.opendev.org/cgi-bin/mailman/listinfo')
assert ('The document has moved <a href="'
'http://lists.openinfra.dev/pipermail/staff/'
'https://lists.opendev.org/cgi-bin/mailman/listinfo'
'">here</a>') in cmd.stdout
cmd = host.run('curl --location '
cmd = host.run('curl '
'--resolve lists.openinfra.dev:80:127.0.0.1 '
'http://lists.openinfra.dev/cgi-bin/mailman/listinfo')
assert ('The document has moved <a href="'
'https://lists.openinfra.dev/cgi-bin/mailman/listinfo'
'">here</a>') in cmd.stdout
cmd = host.run('curl '
'--resolve lists.openstack.org:80:127.0.0.1 '
'http://lists.openstack.org/pipermail/staff/')
assert '<h1>The Staff Archives </h1>' in cmd.stdout
'http://lists.openstack.org/cgi-bin/mailman/listinfo')
assert ('The document has moved <a href="'
'https://lists.openstack.org/cgi-bin/mailman/listinfo'
'">here</a>') in cmd.stdout
cmd = host.run('curl '
'--resolve lists.starlingx.io:80:127.0.0.1 '
'http://lists.starlingx.io/cgi-bin/mailman/listinfo')
assert ('The document has moved <a href="'
'https://lists.starlingx.io/cgi-bin/mailman/listinfo'
'">here</a>') in cmd.stdout
cmd = host.run('curl '
'--resolve lists.zuul-ci.org:80:127.0.0.1 '
'http://lists.zuul-ci.org/cgi-bin/mailman/listinfo')
assert ('The document has moved <a href="'
'https://lists.zuul-ci.org/cgi-bin/mailman/listinfo'
'">here</a>') in cmd.stdout
def test_mm_list_site_redirect_listinfo(host):
cmd = host.run('curl --insecure '
'--resolve lists.openstack.org:443:127.0.0.1 '
'https://lists.openstack.org/cgi-bin/mailman/listinfo/staff')
assert ('The document has moved <a href="'
'https://lists.openinfra.dev/cgi-bin/mailman/listinfo/staff'
'">here</a>') in cmd.stdout
cmd = host.run('curl --insecure --location '
'--resolve lists.openinfra.dev:443:127.0.0.1 '
'--resolve lists.openstack.org:443:127.0.0.1 '
'https://lists.openstack.org/cgi-bin/mailman/listinfo/staff')
assert '<TITLE>Staff Info Page</TITLE>' in cmd.stdout
def test_mm_list_site_redirect_archives_https(host):
def test_mm_list_site_redirect_archives(host):
cmd = host.run('curl --insecure '
'--resolve lists.openstack.org:443:127.0.0.1 '
'https://lists.openstack.org/pipermail/staff/')

Loading…
Cancel
Save