[sf-lug] non-canonicals http[s]://[www.]{sf-lug.com, sflug.{org, com, net}}/ HTTP 301 redirect to canonical Re: SFLUG.org

Michael Paoli Michael.Paoli at cal.berkeley.edu
Tue May 14 21:20:53 PDT 2019


Cert(s) obtained & installed, web server reconfigured ...
SF-LUG non-canonicals
http[s]://{[www.]{sf-lug.com,sflug.{org,com,net}},sf-lug.org}/
HTTP 301 redirect to canonical,
paths are preserved as is REQUEST_SCHEME.
$ (for d in sf-lug.com sflug.org sflug.com sflug.net; do for s in '' s; do for w in '' 'www.'; do u=http"$s://$w$d"/; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
http://sf-lug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
http://sflug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
http://sflug.net/ HTTP/1.1 301 Location: http://www.sf-lug.org/
http://sflug.org/ HTTP/1.1 301 Location: http://www.sf-lug.org/
http://www.sf-lug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
http://www.sflug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
http://www.sflug.net/ HTTP/1.1 301 Location: http://www.sf-lug.org/
http://www.sflug.org/ HTTP/1.1 301 Location: http://www.sf-lug.org/
https://sf-lug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
https://sflug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
https://sflug.net/ HTTP/1.1 301 Location: https://www.sf-lug.org/
https://sflug.org/ HTTP/1.1 301 Location: https://www.sf-lug.org/
https://www.sf-lug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
https://www.sflug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
https://www.sflug.net/ HTTP/1.1 301 Location: https://www.sf-lug.org/
https://www.sflug.org/ HTTP/1.1 301 Location: https://www.sf-lug.org/
$ (for d in sf-lug.com sflug.org sflug.com sflug.net; do for s in '' s; do for w in '' 'www.'; do u=http"$s://$w$d"/X; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
http://sf-lug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
http://sflug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
http://sflug.net/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
http://sflug.org/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
http://www.sf-lug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
http://www.sflug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
http://www.sflug.net/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
http://www.sflug.org/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
https://sf-lug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
https://sflug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
https://sflug.net/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
https://sflug.org/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
https://www.sf-lug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
https://www.sflug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
https://www.sflug.net/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
https://www.sflug.org/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
$ (for d in sf-lug.org; do for s in '' s; do for w in ''; do u=http"$s://$w$d"/; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
http://sf-lug.org/ HTTP/1.1 301 Location: http://www.sf-lug.org/
https://sf-lug.org/ HTTP/1.1 301 Location: https://www.sf-lug.org/
$ (for d in sf-lug.org; do for s in '' s; do for w in ''; do u=http"$s://$w$d"/X; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
http://sf-lug.org/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
https://sf-lug.org/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
$

https://www.wiki.balug.org/wiki/doku.php?id=sf-lug:resources_etc

Hmmm, I should get around to writing some regression tests and add to
monitoring, so I can quickly detect if any of these "break" due to any other
configuration changes or other changes.  My Apache configuration
has gotten a wee bit complex (many domains and virtual (ServerName)
hosts and multiple certs and wiki and Mailman and
(soonish) WordPress ...
# find /etc/apache2 \( -name RCS -o -name '.old*' \) -type d -prune -o -type f -print | wc -l
295
# find /etc/apache2 \( -name RCS -o -name '.old*' \) -type d -prune -o -type d -print | sort
/etc/apache2
/etc/apache2/conf-available
/etc/apache2/conf-enabled
/etc/apache2/conf.d
/etc/apache2/mods-available
/etc/apache2/mods-enabled
/etc/apache2/sites-available
/etc/apache2/sites-available/Include
/etc/apache2/sites-available/rewrites
/etc/apache2/sites-enabled
#

> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> Subject: Re: SFLUG.org
> Date: Wed, 10 Apr 2019 23:10:58 -0700

> I've still not yet heard a consensus or approximation thereof ... yet,
> that [www.]sflug.org should be the canonical (or not ... or when).
> In any case, now with some config changes in place on
> web server, and awaiting delegation of DNS ... once delegated,
> http[s]://[www.]sflug.org/
> will at least have somewhere to go:
>
> $ curl -s -I --resolve sflug.org:80:198.144.194.238 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
> HTTP/1.1 301 Moved Permanently
> Location: http://www.sf-lug.org/
> $ curl -s -I --resolve sflug.org:80:2001:470:1f05:19e::3 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
> HTTP/1.1 301 Moved Permanently
> Location: http://www.sf-lug.org/
> $ curl -k -s -I --resolve sflug.org:443:198.144.194.238 https://sflug.org/ | egrep -i '^(HTTP/|Location: )'
> HTTP/1.1 301 Moved Permanently
> Location: https://www.sf-lug.org/
> $ curl -k -s -I --resolve sflug.org:443:2001:470:1f05:19e::3 https://sflug.org/ | egrep -i '^(HTTP/|Location: )'
> HTTP/1.1 301 Moved Permanently
> Location: https://www.sf-lug.org/
> $ dig @ns1.sf-lug.org. +norecurse +short sflug.org. NS
> ns1.svlug.org.
> ns.primate.net.
> ns1.linuxmafia.com.
> ns1.sf-lug.org.
> $ dig @ns1.sf-lug.org. +norecurse +noall +answer +nottl sflug.org. A sflug.org. AAAA www.sflug.org. A www.sflug.org. AAAA
> sflug.org.              IN      A       198.144.194.238
> sflug.org.              IN      AAAA    2001:470:1f05:19e::3
> www.sflug.org.          IN      A       198.144.194.238
> www.sflug.org.          IN      AAAA    2001:470:1f05:19e::3
> $ dig +norecurse +noall +comments +answer +nottl sflug.org. A sflug.org. AAAA www.sflug.org. A www.sflug.org. AAAA | sed -ne '/^;.*NX/p;/^;.*FAIL/p;/^;.*ANSWER:/p;/^;/d;/^$/d;p' | sort -u
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
> $
>
> There are also some other domains in DNS, e.g.:
> [www.][ipv[46].]sflug.org
> AXFR is open to all for sflug.org. from ns1.sf-lug.org.
>
> Still don't have proper certs there ... that would be after someone
> provides key(s) (securely) and cert(s), etc. ... or after DNS is delegated.
>
>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>> Subject: SFLUG.org Re: [sf-lug] Domain administration (broken WHOIS)
>> Date: Sun, 07 Apr 2019 21:02:19 -0700
>
>>> From: Al <awsflug at sunnyside.com>
>>> Subject: Re: [sf-lug] Domain administration (broken WHOIS)
>>> Date: Sat, 6 Apr 2019 15:43:43 -0700
>>
>>> sflug.org - Rick mentioned that it was available so I grabbed it.
>>> I've learned not to wait on those things - it often doesn't end well.
>>> Now I'll just sit back and listen to the conversation and wait and
>>> see if anyone actually wants to use it.  I don't need to own it.  I can
>>> also "point" it somewhere.  Doesn't seem yet that there's a definite
>>
>> SFLUG.org ... "Of course" ...
>> $ dig +noall +answer +nottl sf-lug.org. A www.sf-lug.org. A sf-lug.org. AAAA www.sf-lug.org. AAAA sf-lug.com. A www.sf-lug.com. A sf-lug.com. AAAA www.sf-lug.com. AAAA | sort -k 3b -k 1,1
>> sf-lug.com.             IN      A       198.144.194.238
>> sf-lug.org.             IN      A       198.144.194.238
>> www.sf-lug.com.         IN      A       198.144.194.238
>> www.sf-lug.org.         IN      A       198.144.194.238
>> sf-lug.com.             IN      AAAA    2001:470:1f05:19e::3
>> sf-lug.org.             IN      AAAA    2001:470:1f05:19e::3
>> www.sf-lug.com.         IN      AAAA    2001:470:1f05:19e::3
>> www.sf-lug.org.         IN      AAAA    2001:470:1f05:19e::3
>> $
>>
>> It's not merely as simple as "just point DNS at ..."
>> $ curl -s -I --resolve sflug.org:80:198.144.194.238 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>> HTTP/1.1 302 Found
>> Location: http://www.balug.org/
>> $ curl -6 -s -I --resolve sflug.org:80:2001:470:1f05:19e::3 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>> HTTP/1.1 302 Found
>> Location: http://www.balug.org/
>> $
>>
>> $ dig +noall +answer +nottl balug.org. A www.balug.org. A
>> balug.org.              IN      A       198.144.194.238
>> www.balug.org.          IN      A       198.144.194.238
>> $
>> Note that many domains go to that same IPv4 IP - even multiple go to the
>> same IPv6 IP.
>>
>> "Of course" sometimes folks forget that with email too.  8-O
>>
>> Not to mention certs.
>> $ curl -I --resolve sflug.org:443:198.144.194.238 https://sflug.org/
>> curl: (51) SSL: no alternative certificate subject name matches target host name 'sflug.org'
>> $ curl -I --resolve sflug.org:443:2001:470:1f05:19e::3 https://sflug.org/
>> curl: (51) SSL: no alternative certificate subject name matches target host name 'sflug.org'
>> $
>>
>> $ nmap -Pn -r -sT -p 443 --script=ssl-cert www.sf-lug.org | egrep '^\| (Subject Alternative Name|Not valid after):'
>> | Subject Alternative Name: DNS:*.ipv4.sf-lug.org, DNS:*.ipv6.sf-lug.org, DNS:*.sf-lug.com, DNS:*.sf-lug.org, DNS:sf-lug.com, DNS:sf-lug.org
>> | Not valid after:  2019-05-22T10:05:40
>> $
>>
>> I generally do letsencrypt.org issued certs.  For wildcard certs on
>> that, effectively need control of DNS (need to put specific records in
>> at challenge time).
>>
>> "Of course" y'all could always set up your own site with redirection and
>> certs 'n all.  ;-)
>>
>> Jim Stockford - and a handful of others (myself, Grant Bowman,
>> Kim Davalos, Todd Hawley) have access to edit the www.sf-lug.org site.
>> So, "of course", there are, at least potentially, question(s) of who's
>> got access/control of domain(s), avoiding single points of failure (at
>> least as feasible), who's got access to edit site, how is it backed
>> up, etc.  Some folks (myself, Jim Stockford, Grant Bowman) also all have
>> access to edit the sf-lug.org (& sf-lug.com) master DNS data (and
>> Jim and myself have access to update registrant
>> DNS (authority/delegation, glue, DNSSEC, ...) with the registrar).
>>
>> Anyway, ... maybe I'll wait a bit 'till the dust settles.  :-)



