[sf-lug] non-canonicals http[s]://[www.]{sf-lug.com, sflug.{org, com, net}}/ HTTP 301 redirect to canonical Re: SFLUG.org

jim jim at well.com
Mon May 20 09:47:29 PDT 2019



     Seems to me that www.sf-lug.org should be
the canonical name because "lugs" should use
the .org uppermost domain category and sf-lug
is most established.
     That said, I don't see how it matters as
long as people can access the web page ("sflug"
or "sf-lug" and ".org" or ".com").




On 5/15/19 12:20 AM, Michael Paoli wrote:
> Cert(s) obtained & installed, web server reconfigured ...
> SF-LUG non-canonicals
> http[s]://{[www.]{sf-lug.com,sflug.{org,com,net}},sf-lug.org}/
> HTTP 301 redirect to canonical,
> paths are preserved as is REQUEST_SCHEME.
> $ (for d in sf-lug.com sflug.org sflug.com sflug.net; do for s in '' s; do for w in '' 'www.'; do u=http"$s://$w$d"/; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
> http://sf-lug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> http://sflug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> http://sflug.net/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> http://sflug.org/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> http://www.sf-lug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> http://www.sflug.com/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> http://www.sflug.net/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> http://www.sflug.org/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> https://sf-lug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> https://sflug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> https://sflug.net/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> https://sflug.org/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> https://www.sf-lug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> https://www.sflug.com/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> https://www.sflug.net/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> https://www.sflug.org/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> $ (for d in sf-lug.com sflug.org sflug.com sflug.net; do for s in '' s; do for w in '' 'www.'; do u=http"$s://$w$d"/X; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
> http://sf-lug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> http://sflug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> http://sflug.net/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> http://sflug.org/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> http://www.sf-lug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> http://www.sflug.com/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> http://www.sflug.net/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> http://www.sflug.org/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> https://sf-lug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> https://sflug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> https://sflug.net/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> https://sflug.org/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> https://www.sf-lug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> https://www.sflug.com/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> https://www.sflug.net/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> https://www.sflug.org/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> $ (for d in sf-lug.org; do for s in '' s; do for w in ''; do u=http"$s://$w$d"/; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
> http://sf-lug.org/ HTTP/1.1 301 Location: http://www.sf-lug.org/
> https://sf-lug.org/ HTTP/1.1 301 Location: https://www.sf-lug.org/
> $ (for d in sf-lug.org; do for s in '' s; do for w in ''; do u=http"$s://$w$d"/X; echo "$u" $(curl -s -I "$u" | sed -ne 's/\r//g;s/^\([Hh][Tt][Tt][Pp][^ ]* [0-9][0-9]*\).*/\1/p;/^[Ll]ocation: /p'); done; done; done) | sort
> http://sf-lug.org/X HTTP/1.1 301 Location: http://www.sf-lug.org/X
> https://sf-lug.org/X HTTP/1.1 301 Location: https://www.sf-lug.org/X
> $
>
> https://www.wiki.balug.org/wiki/doku.php?id=sf-lug:resources_etc
>
> Hmmm, I should get around to writing some regression tests and add to
> monitoring, so I can quickly detect if any of these "break" due to any other
> configuration changes or other changes.  My Apache configuration
> has gotten a wee bit complex (many domains and virtual (ServerName)
> hosts and multiple certs and wiki and Mailman and
> (soonish) WordPress ...
> # find /etc/apache2 \( -name RCS -o -name '.old*' \) -type d -prune -o -type f -print | wc -l
> 295
> # find /etc/apache2 \( -name RCS -o -name '.old*' \) -type d -prune -o -type d -print | sort
> /etc/apache2
> /etc/apache2/conf-available
> /etc/apache2/conf-enabled
> /etc/apache2/conf.d
> /etc/apache2/mods-available
> /etc/apache2/mods-enabled
> /etc/apache2/sites-available
> /etc/apache2/sites-available/Include
> /etc/apache2/sites-available/rewrites
> /etc/apache2/sites-enabled
> #
>
>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>> Subject: Re: SFLUG.org
>> Date: Wed, 10 Apr 2019 23:10:58 -0700
>
>> I've still not yet heard a consensus or approximation thereof ... yet,
>> that [www.]sflug.org should be the canonical (or not ... or when).
>> In any case, now with some config changes in place on
>> web server, and awaiting delegation of DNS ... once delegated,
>> http[s]://[www.]sflug.org/
>> will at least have somewhere to go:
>>
>> $ curl -s -I --resolve sflug.org:80:198.144.194.238 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>> HTTP/1.1 301 Moved Permanently
>> Location: http://www.sf-lug.org/
>> $ curl -s -I --resolve sflug.org:80:2001:470:1f05:19e::3 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>> HTTP/1.1 301 Moved Permanently
>> Location: http://www.sf-lug.org/
>> $ curl -k -s -I --resolve sflug.org:443:198.144.194.238 https://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>> HTTP/1.1 301 Moved Permanently
>> Location: https://www.sf-lug.org/
>> $ curl -k -s -I --resolve sflug.org:443:2001:470:1f05:19e::3 https://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>> HTTP/1.1 301 Moved Permanently
>> Location: https://www.sf-lug.org/
>> $ dig @ns1.sf-lug.org. +norecurse +short sflug.org. NS
>> ns1.svlug.org.
>> ns.primate.net.
>> ns1.linuxmafia.com.
>> ns1.sf-lug.org.
>> $ dig @ns1.sf-lug.org. +norecurse +noall +answer +nottl sflug.org. A sflug.org. AAAA www.sflug.org. A www.sflug.org. AAAA
>> sflug.org.              IN      A       198.144.194.238
>> sflug.org.              IN      AAAA    2001:470:1f05:19e::3
>> www.sflug.org.          IN      A       198.144.194.238
>> www.sflug.org.          IN      AAAA    2001:470:1f05:19e::3
>> $ dig +norecurse +noall +comments +answer +nottl sflug.org. A sflug.org. AAAA www.sflug.org. A www.sflug.org. AAAA | sed -ne '/^;.*NX/p;/^;.*FAIL/p;/^;.*ANSWER:/p;/^;/d;/^$/d;p' | sort -u
>> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
>> $
>>
>> There are also some other domains in DNS, e.g.:
>> [www.][ipv[46].]sflug.org
>> AXFR is open to all for sflug.org. from ns1.sf-lug.org.
>>
>> Still don't have proper certs there ... that would be after someone
>> provides key(s) (securely) and cert(s), etc. ... or after DNS is delegated.
>>
>>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>>> Subject: SFLUG.org Re: [sf-lug] Domain administration (broken WHOIS)
>>> Date: Sun, 07 Apr 2019 21:02:19 -0700
>>
>>>> From: Al <awsflug at sunnyside.com>
>>>> Subject: Re: [sf-lug] Domain administration (broken WHOIS)
>>>> Date: Sat, 6 Apr 2019 15:43:43 -0700
>>>
>>>> sflug.org - Rick mentioned that it was available so I grabbed it. 
>>>> I've learned not to wait on those things - it often doesn't end well.
>>>> Now I'll just sit back and listen to the conversation and wait and 
>>>> see if anyone actually wants to use it.  I don't need to own it.  I can
>>>> also "point" it somewhere.  Doesn't seem yet that there's a definite
>>>
>>> SFLUG.org ... "Of course" ...
>>> $ dig +noall +answer +nottl sf-lug.org. A www.sf-lug.org. A sf-lug.org. AAAA www.sf-lug.org. AAAA sf-lug.com. A www.sf-lug.com. A sf-lug.com. AAAA www.sf-lug.com. AAAA | sort -k 3b -k 1,1
>>> sf-lug.com.             IN      A       198.144.194.238
>>> sf-lug.org.             IN      A       198.144.194.238
>>> www.sf-lug.com.         IN      A       198.144.194.238
>>> www.sf-lug.org.         IN      A       198.144.194.238
>>> sf-lug.com.             IN      AAAA    2001:470:1f05:19e::3
>>> sf-lug.org.             IN      AAAA    2001:470:1f05:19e::3
>>> www.sf-lug.com.         IN      AAAA    2001:470:1f05:19e::3
>>> www.sf-lug.org.         IN      AAAA    2001:470:1f05:19e::3
>>> $
>>>
>>> It's not merely as simple as "just point DNS at ..."
>>> $ curl -s -I --resolve sflug.org:80:198.144.194.238 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>>> HTTP/1.1 302 Found
>>> Location: http://www.balug.org/
>>> $ curl -6 -s -I --resolve sflug.org:80:2001:470:1f05:19e::3 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
>>> HTTP/1.1 302 Found
>>> Location: http://www.balug.org/
>>> $
>>>
>>> $ dig +noall +answer +nottl balug.org. A www.balug.org. A
>>> balug.org.              IN      A       198.144.194.238
>>> www.balug.org.          IN      A       198.144.194.238
>>> $
>>> Note that many domains go to that same IPv4 IP - even multiple go to the
>>> same IPv6 IP.
>>>
>>> "Of course" sometimes folks forget that with email too.  8-O
>>>
>>> Not to mention certs.
>>> $ curl -I --resolve sflug.org:443:198.144.194.238 https://sflug.org/
>>> curl: (51) SSL: no alternative certificate subject name matches target host name 'sflug.org'
>>> $ curl -I --resolve sflug.org:443:2001:470:1f05:19e::3 https://sflug.org/
>>> curl: (51) SSL: no alternative certificate subject name matches target host name 'sflug.org'
>>> $
>>>
>>> $ nmap -Pn -r -sT -p 443 --script=ssl-cert www.sf-lug.org | egrep '^\| (Subject Alternative Name|Not valid after):'
>>> | Subject Alternative Name: DNS:*.ipv4.sf-lug.org, DNS:*.ipv6.sf-lug.org, DNS:*.sf-lug.com, DNS:*.sf-lug.org, DNS:sf-lug.com, DNS:sf-lug.org
>>> | Not valid after:  2019-05-22T10:05:40
>>> $
>>>
>>> I generally do letsencrypt.org issued certs.  For wildcard certs on
>>> that, effectively need control of DNS (need to put specific records in
>>> at challenge time).
>>>
>>> "Of course" y'all could always set up your own site with redirection and
>>> certs 'n all.  ;-)
>>>
>>> Jim Stockford - and a handful of others (myself, Grant Bowman,
>>> Kim Davalos, Todd Hawley) have access to edit the www.sf-lug.org site.
>>> So, "of course", there are, at least potentially, question(s) of who's
>>> got access/control of domain(s), avoiding single points of failure (at
>>> least as feasible), who's got access to edit site, how is it backed
>>> up, etc.  Some folks (myself, Jim Stockford, Grant Bowman) also all have
>>> access to edit the sf-lug.org (& sf-lug.com) master DNS data (and
>>> Jim and myself have access to update registrant
>>> DNS (authority/delegation, glue, DNSSEC, ...) with the registrar).
>>>
>>> Anyway, ... maybe I'll wait a bit 'till the dust settles.  :-)
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> SF-LUG is at http://www.sf-lug.org/ 
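
The quoted message mentions wanting regression tests so a later configuration change that breaks one of these redirects is noticed quickly. One way to script that check, as an added example that is not part of the original messages or the site's actual monitoring: the function names and the `--live` switch are assumptions; the host list, canonical name and the 302-to-balug failure case are taken from the output quoted above.

```shell
#!/bin/sh
CANON=www.sf-lug.org    # canonical host named in the thread

# expected_location URL: same scheme and path, host swapped for the canonical.
expected_location() {
    scheme=${1%%://*}
    rest=${1#*://}
    case $rest in
        */*) path=/${rest#*/} ;;
        *)   path=/ ;;
    esac
    printf '%s://%s%s\n' "$scheme" "$CANON" "$path"
}

# parse_head: response headers on stdin, prints "STATUS LOCATION".
parse_head() {
    tr -d '\r' | awk '
        NR == 1                    { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END                        { print status, loc }'
}

# check_redirect URL: headers on stdin; succeeds only for a 301 to the
# expected canonical URL, so a 302 or a wrong target is reported.
check_redirect() {
    want=$(expected_location "$1")
    got=$(parse_head)
    [ "$got" = "301 $want" ] && return 0
    echo "FAIL $1: got '$got', want '301 $want'" >&2
    return 1
}

# check_live: walk the host/scheme/path matrix with curl (needs network).
check_live() {
    rc=0
    for h in sf-lug.org sf-lug.com www.sf-lug.com sflug.org www.sflug.org \
             sflug.com www.sflug.com sflug.net www.sflug.net; do
        for s in http https; do for p in / /X; do
            u="$s://$h$p"
            curl -s -I --max-time 10 "$u" | check_redirect "$u" || rc=1
        done; done
    done
    return $rc
}

# Constructed sample responses, modelled on the curl output in the thread.
sample_ok()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.sf-lug.org/X\r\n\r\n'; }
sample_bad() { printf 'HTTP/1.1 302 Found\r\nLocation: http://www.balug.org/\r\n\r\n'; }

if [ "${1:-}" = --live ]; then check_live
else sample_ok | check_redirect https://sflug.org/X && echo "offline self-check ok"; fi
```

Run with `--live` from cron or a monitoring wrapper; a non-zero exit status means at least one non-canonical name no longer returns a 301 to the matching `www.sf-lug.org` URL.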
