Switching a list to port 443
I have an installed list running mailman-2.1.18-1 and just set up a SSL cert from Let's Encrypt to run the site to which the list is attached via https on port 443.
The list moderator emailed me noting that she was having trouble clearing moderated posts, a problem which I verified, and changes to some administrative options also fail.
It seems that, as I had it configured, Let's Encrypt's automated setup uses an Apache RewriteRule to force http requests to https requests, and at points in the Mailman admin menus, the system seems to want to fall back to http requests, and forcing them, again, to rewrite these internal URLs from http to https breaks things.
So what's the proper way to take a list that's been running via port 80 and make it run entirely via port 443?
--
Lindsay Haisley | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190 |
http://www.fmp.com | -- Hiram W Johnson
On Tue, 2018-03-06 at 19:36 -0600, Lindsay Haisley wrote:
I have an installed list running mailman-2.1.18-1 and just set up a SSL cert from Let's Encrypt to run the site to which the list is attached via https on port 443.
The list moderator emailed me noting that she was having trouble clearing moderated posts, a problem which I verified, and changes to some administrative options also fail.
It seems that, as I had it configured, Let's Encrypt's automated setup uses an Apache RewriteRule to force http requests to https requests, and at points in the Mailman admin menus, the system seems to want to fall back to http requests, and forcing these internal URLs, again, to be rewritten by the web server from http to https breaks things.
So what's the proper way to take a list that's been running via port 80 and make it run entirely via port 443?
I've found https://mail.python.org/pipermail/mailman-users/2003-April/027856.html which is helpful, but apparently, at least with MM 2.1.1, it was necessary to to set DEFAULT_URL_PATTERN as a global setting. On FMP's server, some lists are associated with sites that are accessed via port 80 and as yet I don't have SSL enabled for their domains, so I need to be able to make this setting on a per-list basis.
--
Lindsay Haisley | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190 |
http://www.fmp.com | -- Hiram W Johnson
On 3/6/18 5:50 PM, Lindsay Haisley wrote:
I've found https://mail.python.org/pipermail/mailman-users/2003-April/027856.html which is helpful, but apparently, at least with MM 2.1.1, it was necessary to to set DEFAULT_URL_PATTERN as a global setting. On FMP's server, some lists are associated with sites that are accessed via port 80 and as yet I don't have SSL enabled for their domains, so I need to be able to make this setting on a per-list basis.
There's a FAQ on this at <https://wiki.list.org/x/17892007>, but it won't answer your question.
In your case you have various choices depending on what you want for new lists going forward.
You need to set the 'final' scheme in DEFAULT_URL_PATTERN to what you want for new lists.
For existing lists you want the scheme in the web_page_url to match what you want for that list.
You can do this by setting the scheme in DEFAULT_URL_PATTERN to https and then running fix_url under withlist for only those lists and then setting the scheme in DEFAULT_URL_PATTERN to http if that's what you want.
Or you could just run the script at <https://www.msapiro.net/scripts/https.py> under withlist for those lists you want to change.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Tue, 2018-03-06 at 19:25 -0800, Mark Sapiro wrote:
Or you could just run the script at <https://www.msapiro.net/scripts/https.py> under withlist for those lists you want to change.
Mark, there appears to be a bit of an issue with this script. I've changed the DEFAULT_URL_HOST to "www.fmp.com", and have recently added add_virtualhost() call for this hostname as well, but after running this script on several lists it seems that in some circumstances the URL host is changed to a value of DEFAULT_URL_HOST which was in effect when the list was created. Using fix_url has no such problems and seems to fix everything.
I'm not entirely clear on this, and could tinker with it some more (such as hacking the script to convert back to http) but I've resorted to just editing mm_cfg.py and using fix_url which seems to do the right thing.
Example ...
$ withlist -l -r https foo_members Importing https... Running https.https()... Loading list foo_members (locked) list: Foo_members: changed web_page_url to https://linode.fmp.com/mailman/ Finalizing
linode.fmp.com _was_ the DEFAULT_URL_HOST when the list was set up (but not when 'withlist -r https ..' was run), but the list was explicitly set up with newlist using a URL with "fmp.com" or "www.fmp.com" and worked well. My wife admins the list and has had no problems. I would _certainly_ have heard about it if she'd had to do a double login, which would have been the case had "linode.fmp.com" been part of the web_page_url when she worked on it.
Sorry I can't put more arms and legs on this problem. This is a production server so the _real_ lists have to be converted quickly and cleanly. I'll set up some test lists using my sandbox domain name and see if I can pin the issue down. I didn't have add_virtualhost() method calls for "fmp.com" and "www.fmp.com" _when the list was created_, so the web_page_url may have been overwritten with the DEFAULT_URL_HOST in effect at that time.
-- Lindsay Haisley | "Real programmers use butterflies" FMP Computer Services | 512-259-1190 | - xkcd http://www.fmp.com |
On 03/07/2018 08:29 AM, Lindsay Haisley wrote:
On Tue, 2018-03-06 at 19:25 -0800, Mark Sapiro wrote:
Or you could just run the script at <https://www.msapiro.net/scripts/https.py> under withlist for those lists you want to change.
Mark, there appears to be a bit of an issue with this script. I've changed the DEFAULT_URL_HOST to "www.fmp.com", and have recently added add_virtualhost() call for this hostname as well, but after running this script on several lists it seems that in some circumstances the URL host is changed to a value of DEFAULT_URL_HOST which was in effect when the list was created. Using fix_url has no such problems and seems to fix everything.
I don't think that has anything to do with the script itself. All the script does is change any occurrence of 'http:' to 'https:' in a list's web_page_url.
The most likely explanation for what you observed is you never ran fix_url on the affected lists after you changed DEFAULT_URL_HOST to "www.fmp.com" so their web_page_url attribute still had the prior domain.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Wed, 2018-03-07 at 08:40 -0800, Mark Sapiro wrote:
The most likely explanation for what you observed is you never ran fix_url on the affected lists after you changed DEFAULT_URL_HOST to "www.fmp.com" so their web_page_url attribute still had the prior domain.
I suppose it's possible, and certainly it was a misconfig on my part to _not_ have an add_virtualhost call for "www.fmp.com". The web_page_url in effect, though, seems to have been the one set with --urlhost when newlist was invoked to create the list, and after running https.py the absence of an appropriate add_virtualhost() came to the fore and the web_page_url was rewritten using the old DEFAULT_URL_HOST, even though I'd added a proper add_virtualhost() by the time I ran https.py.
Interesting, but not serious since the issue was identified and remedied here in pretty short order :)
-- Lindsay Haisley | "Humor will get you through times of no humor FMP Computer Services | better than no humor will get you through 512-259-1190 | times of humor." http://www.fmp.com | - Butch Hancock
On 03/07/2018 09:18 AM, Lindsay Haisley wrote:
I suppose it's possible, and certainly it was a misconfig on my part to _not_ have an add_virtualhost call for "www.fmp.com". The web_page_url in effect, though, seems to have been the one set with --urlhost when newlist was invoked to create the list, and after running https.py the absence of an appropriate add_virtualhost() came to the fore and the web_page_url was rewritten using the old DEFAULT_URL_HOST, even though I'd added a proper add_virtualhost() by the time I ran https.py.
whatever did it, it wasn't the script at <https://www.msapiro.net/scripts/https.py>. The only thing that script does is change 'http:' to 'https:' in a list's web_page_url and report the new value. It doesn't touch the domain.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Wed, 2018-03-07 at 08:40 -0800, Mark Sapiro wrote:
The most likely explanation for what you observed is you never ran fix_url on the affected lists after you changed DEFAULT_URL_HOST to "www.fmp.com" so their web_page_url attribute still had the prior domain.
I suppose it's possible, and certainly it was a misconfiguration on my part to _not_ have an add_virtualhost call for "www.fmp.com". The web_page_url in effect, though, seems to have been the one set with --urlhost when newlist was invoked to create the list, and after running https.py the absence of an appropriate add_virtualhost() came to the fore and the web_page_url was rewritten using the old DEFAULT_URL_HOST, even though I'd added a proper add_virtualhost() by the time I ran https.py.
Interesting, but not serious since the issue was identified and remedied in pretty short order :)
-- Lindsay Haisley | "Humor will get you through times of no humor FMP Computer Services | better than no humor will get you through 512-259-1190 | times of humor." http://www.fmp.com | - Butch Hancock
participants (2)
-
Lindsay Haisley -
Mark Sapiro