DNS record pychess.org is missing

Open Axeltherabbit opened this issue 2 years ago • 13 comments

http://pychess.org/ points to a 404 without a TLS certificate. You just need a CNAME that points to http://www.pychess.org/

Axeltherabbit avatar Apr 03 '23 18:04 Axeltherabbit

It should also redirect to the https version

hartwork avatar Apr 03 '23 18:04 hartwork

Ping @thomasahle

gbtami avatar Apr 03 '23 20:04 gbtami

[Screenshot 2023-04-03 at 4 52 28 PM] I updated the forwarding to this. Hopefully it helps.

thomasahle avatar Apr 03 '23 23:04 thomasahle

@thomasahle ~the Heroku side above looks good, but~ the 404 is from Google and pychess.org NS records point to Google:

# dig +short -t NS pychess.org
ns-cloud-a1.googledomains.com.
ns-cloud-a2.googledomains.com.
ns-cloud-a4.googledomains.com.
ns-cloud-a3.googledomains.com.

Probably some change will also be needed on Google side. Do you have access?

hartwork avatar Apr 04 '23 00:04 hartwork

PS: Current observed behavior over here:

  • http://pychess.org/ redirects to https://www.pychess.org/, good
  • https://pychess.org/ gets me "Secure Connection Failed", not good
  • http://www.pychess.org/ serves HTML, no redirect to SSL, not good
  • https://www.pychess.org/ serves HTML, good
  • http://pychess-variants.herokuapp.com/ serves HTML, no redirect to SSL, not good
  • https://pychess-variants.herokuapp.com/ redirects to https://www.pychess.org/, good

hartwork avatar Apr 04 '23 00:04 hartwork

I just tried https://PyChess.org and it worked

thomasahle avatar Apr 04 '23 01:04 thomasahle

I just tried https://PyChess.org and it worked

I confirm, that now works for me too: first it redirects to https://pychess-variants.herokuapp.com/ and that redirects to https://www.pychess.org/.

hartwork avatar Apr 04 '23 02:04 hartwork

Hm, does that slow things down?

thomasahle avatar Apr 04 '23 03:04 thomasahle

It might but not so important, it's just another query to the DNS

Axeltherabbit avatar Apr 04 '23 03:04 Axeltherabbit

It's a bit more than just DNS and it does slow things down a bit, but maybe that's not the most important. These two are still not redirecting to SSL and are mostly unusable due to most assets not loading:

  • http://www.pychess.org/
  • http://pychess-variants.herokuapp.com/

At least the first I consider an important problem.

hartwork avatar Apr 04 '23 15:04 hartwork

It's a bit more than just DNS and it does slow things down a bit, but maybe that's not the most important. These two are still not redirecting to SSL and are mostly unusable due to most assets not loading:

  • http://www.pychess.org/
  • http://pychess-variants.herokuapp.com/

At least the first I consider an important problem.

@gbtami I retried and the situation seems unchanged, even after force-reload. Is a deployment missing or is the issue still unfixed? Are you okay with re-opening?

PS: This is how I cover TLS including redirects, alias domains, and auto-updates of certificates and recently HSTS in my own setup: https://github.com/hartwork/docker-ssl-reverse-proxy

hartwork avatar Apr 27 '24 14:04 hartwork

Yea, it was not deployed yet. I tried it on DEV site https://pychess-variants-dev.onrender.com/ but somehow it doesn't work. I think it should though. See https://aiohttp-remotes.readthedocs.io/en/stable/api.html#secure and https://github.com/aio-libs/aiohttp-remotes/blob/master/aiohttp_remotes/secure.py#L45

gbtami avatar Apr 27 '24 16:04 gbtami

@gbtami one key question is how many reverse proxies are in front of it and what they are doing. In my setup, for instance, handling the redirect that far in would be too late because the outermost reverse proxy talks plain HTTP to its backend.

hartwork avatar Apr 27 '24 20:04 hartwork

The Pychess server is running as a standalone server on Heroku atm. https://docs.aiohttp.org/en/stable/deployment.html#aiohttp-deployment

gbtami avatar Apr 28 '24 06:04 gbtami

@gbtami if I'm understanding that right, based on the HTTP response header Via: 1.1 vegur, there is a very old version 1.1 of the unmaintained reverse proxy "vegur" of 2016 (https://github.com/heroku/vegur/tags) in front of pychess, which means that aiohttp does not do the SSL termination. I have two guesses/ideas:

  • the comparison if URI != LOCALHOST: with LOCALHOST = "http://127.0.0.1:8080" in 6e7601e5aadec0da0f9e9ae9abb4adf9d6da86b8 will fail with leading slashes, non-lowercase http, different ports, IPv6. I suggest comparing the host name in isolation and nothing more, to be robust (assuming this has a general chance to work; not yet sure because I know little about this stack).
  • based on https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls I believe that the code would instead need to check the HTTP header X-Forwarded-Proto and redirect to HTTPS manually when it's not https.

What do you think?

hartwork avatar Apr 28 '24 12:04 hartwork
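To make the two points above concrete, here is an added example of my own (not the project's code and not the middleware from any pychess-variants pull request): the redirect decision written as pure functions that trust X-Forwarded-Proto the way Heroku's router sets it, and that compare only the lowercased host name, ignoring scheme, port and IPv6 brackets, plus a factory that wires the decision into an aiohttp middleware. The names DEV_HOSTS, https_redirect_target and make_https_redirect_middleware are mine, and the HSTS header is an assumption about what the deployment wants.

```python
from urllib.parse import urlsplit

# Hosts that may stay on plain HTTP (local development). Constructed defaults for this example.
DEV_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def hostname_only(host_header):
    """Reduce a Host header to the bare, lowercased host name.

    'www.PyChess.org:8080' -> 'www.pychess.org', '[::1]:8080' -> '::1'.
    urlsplit does the case folding and the port/bracket stripping.
    """
    return urlsplit("//" + host_header.strip()).hostname or ""


def effective_scheme(local_scheme, forwarded_proto):
    """Scheme as the client saw it.

    A TLS-terminating proxy (Heroku's router here) talks plain HTTP to the app and
    reports the client-facing scheme in X-Forwarded-Proto. The header may carry a
    comma-separated chain; the first entry is the outermost hop. Callers pass None
    when the app is not behind such a proxy, because then it is just a client header.
    """
    if forwarded_proto:
        return forwarded_proto.split(",")[0].strip().lower()
    return local_scheme.lower()


def https_redirect_target(local_scheme, host_header, path_qs,
                          forwarded_proto=None, exempt_hosts=DEV_HOSTS):
    """Return the https:// URL to redirect to, or None when no redirect is needed.

    local_scheme    scheme of the socket the app accepted ('http' on a Heroku dyno)
    host_header     the request's Host header, as sent
    path_qs         path plus query string, e.g. '/variants?x=1'
    forwarded_proto X-Forwarded-Proto value, or None when it must not be trusted
    """
    if effective_scheme(local_scheme, forwarded_proto) == "https":
        return None                      # already secure, nothing to do
    host = hostname_only(host_header)
    if not host or host in exempt_hosts:
        return None                      # no Host header, or a local dev box
    netloc = f"[{host}]" if ":" in host else host   # re-bracket IPv6 literals; port is dropped
    if not path_qs.startswith("/"):
        path_qs = "/" + path_qs
    return "https://" + netloc + path_qs


def make_https_redirect_middleware(trust_forwarded_proto=True, exempt_hosts=DEV_HOSTS,
                                   hsts="max-age=31536000"):
    """Build an aiohttp middleware around the decision above.

    aiohttp is imported lazily so the pure functions run without it. Behind a
    TLS-terminating proxy the header MUST be trusted, otherwise every request looks
    like plain HTTP and the redirect loops; without such a proxy it must NOT be,
    since any client can send it.
    """
    from aiohttp import web

    @web.middleware
    async def redirect_to_https(request, handler):
        forwarded = request.headers.get("X-Forwarded-Proto") if trust_forwarded_proto else None
        target = https_redirect_target(request.scheme, request.headers.get("Host", ""),
                                       str(request.rel_url), forwarded, exempt_hosts)
        if target is not None:
            # 301 is fine for GET/HEAD; 308 keeps method and body for anything else
            if request.method in ("GET", "HEAD"):
                raise web.HTTPMovedPermanently(target)
            raise web.HTTPPermanentRedirect(target)
        response = await handler(request)
        if hsts:
            # assumption: the site wants browsers to remember to use HTTPS
            response.headers.setdefault("Strict-Transport-Security", hsts)
        return response

    return redirect_to_https


if __name__ == "__main__":
    # Constructed requests as Heroku's router would forward them (scheme 'http' on the dyno).
    for host, path, proto in [("www.pychess.org", "/", "https"),
                              ("www.pychess.org", "/variants?x=1", "http"),
                              ("WWW.PyChess.org:80", "/", None),
                              ("127.0.0.1:8080", "/", None)]:
        print(host, path, proto, "->", https_redirect_target("http", host, path, proto))
```

Install it with `web.Application(middlewares=[make_https_redirect_middleware()])`. The decision function is what to unit-test: it takes the three inputs that actually vary (socket scheme, Host header, X-Forwarded-Proto) and nothing from the framework.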

@gbtami PS: I'd be curious which of the services/modules of Heroku you use and how much the current monthly bill is, if you're willing to share that with me on- or offline.

hartwork avatar Apr 28 '24 14:04 hartwork

I was thinking https://aiohttp-remotes.readthedocs.io/en/stable/api.html#secure should do the job. To tell the truth, my networking knowledge is nearly zero. (This is the reason I initially chose Heroku instead of renting a private server or something similar.)

=== pychess-variants Buildpack URLs

  1. heroku/nodejs
  2. heroku/python
  3. https://github.com/ianpurvis/heroku-buildpack-version

We are in Basic (7 USD/month)

gbtami avatar Apr 28 '24 18:04 gbtami

I was thinking https://aiohttp-remotes.readthedocs.io/en/stable/api.html#secure should do the job.

I don't see it do anything with X-Forwarded-Proto. There are other classes in aiohttp that do, but I haven't used those myself. I can try running it myself locally and see if I can find a fix, but it's new ground for me and time is limited at the moment.

We are in Basic (7 USD/month)

Interesting. So the dyno and managed MongoDB (including metrics, OS updates, monitoring)?

(NetCup VM https://www.netcup.eu/bestellen/produkt.php?produkt=2992 fits the budget and has more resources but OS updates, setup and monitoring and managed MongoDB are all manual then.)

hartwork avatar Apr 28 '24 18:04 hartwork

For MongoDB we use an Atlas M5 (Shared) cluster, see https://www.mongodb.com/pricing (usually $32,28 USD per month).

gbtami avatar Apr 28 '24 21:04 gbtami

It definitely would be much cheaper if we rent a VM and manage/admin it ourselves, but it is way above my knowledge :(

gbtami avatar Apr 28 '24 21:04 gbtami

I was thinking https://aiohttp-remotes.readthedocs.io/en/stable/api.html#secure should do the job.

I don't see it do anything with X-Forwarded-Proto. There are other classes in aiohttp that do, but I haven't used those myself. I can try running it myself locally and see if I can find a fix, but it's new ground for me and time is limited at the moment.

@gbtami if I go for playing with this, a Docker Compose integration would likely be a free byproduct. Would you be open for a pull request adding Docker Compose integration, potentially with running the tests through it in CI?

hartwork avatar Apr 28 '24 21:04 hartwork

Sure, absolutely!

gbtami avatar Apr 28 '24 22:04 gbtami

Seems the redirect_to_https() middleware from https://github.com/gbtami/pychess-variants/pull/1407 works OK now. If anyone finds a remaining issue feel free to reopen.

gbtami avatar May 02 '24 08:05 gbtami

It's a bit more than just DNS and it does slow things down a bit, but maybe that's not the most important. These two are still not redirecting to SSL and are mostly unusable due to most assets not loading:

  • http://www.pychess.org/
  • http://pychess-variants.herokuapp.com/

At least the first I consider an important problem.

@gbtami I retried and the situation seems unchanged, even after force-reload. Is a deployment missing or is the issue still unfixed? Are you okay with re-opening?

@gbtami the latter seems to redirect via HTML rather than via HTTP but both seem to redirect to HTTPS now, thank you!

hartwork avatar May 02 '24 17:05 hartwork