I’ve not read this yet, just passing it along, as it looks really interesting.

I’m not affiliated in any way with this.

ETA: If anyone has read it / bought a copy, a review would be very appreciated.

    • perishthethought@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      6 months ago

      They do, via Traefik. Chapter 8.

      Maybe they decided there was nothing that requires an SSL/TLS certificate on this particular site? (They accept payments elsewhere).

      • witten@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        6 months ago

        The site links to a site that accepts payment data. So because the author’s site is http, a MITM attacker could change the payment links from lulu.com to site-that-actually-steals-your-credit-card.com.

        That’s one huge thing https provides over http… assurance of unadulterated content, including links to sites that actually deal in sensitive data.

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        3
        ·
        6 months ago

        Why wouldn’t that concern you? That means it is totally plain text with zero verification of incoming data or encryption. It is really easy to tamper with http traffic.

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        6 months ago

        The site is encrypted but you can also access the site over http. The author hasn’t configured any kind of HTTPS upgrade. This is an easily correctable oversight that a self proclaimed “self hosting expert” should have accounted for.

      • Saik0@lemmy.saik0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        6 months ago

        Why would the lack of SSL concern you?

        Because it means my traffic to that site is in the clear. And while we’re not transacting anything sensitive necessarily. It’s still best practice to limit sniffing.

        Automatically swapping to https should be default behavior for every website.

    • ilmagico@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      6 months ago

      The site does use https for me… it instantly redirects from http to https

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    edit-2
    6 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL
    nginx Popular HTTP server

    [Thread #812 for this sub, first seen 16th Jun 2024, 20:05] [FAQ] [Full list] [Contact] [Source code]

  • Adam Monsen@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    6 months ago

    Hi! Author here. I added a http → https redirect to my book website, thanks all. I do intend to always serve public content via https to (as other smart folks have thoughtfully mentioned) guard against stuff getting messed with between my server and your browser (however unlikely that may be). In this case I thought my server was redirecting to https, but turns out my Firefox was forcing https (again, same as other smart folks said).

    re: “expert”, ugh, I’m embarrassed to even use that word, but someone else graciously called me that (so I intended to remove “self-proclaimed”), and it supposedly helps for sales. All I know is I’m growing and learning just like you, the more I know the less I know I know, and I make mistakes all the time. I always appreciate kind corrections/feedback/comments/patches/suggestions/etc.

    That includes feedback on https://github.com/meonkeys/shb/blob/main/pelican/website/content/extra/.htaccess … I feel clever fixing two things in a single redirect (getting rid of www. and forcing https), but I’m not sure if I’m doing something silly or dangerous here. I’m definitely not an expert at Apache mod_rewrite, I just cobbled that together from official docs and stackoverflow posts.

    • perishthethought@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 months ago

      Hi author! I’m Dad. :)

      Thanks for joining the conversation. I thought it too much to hope you’d be on Lemmy but glad you are! Thanks for adding those bits about https, but I was saddened to see that 90% of the conversation around this centered on that one side topic.

      I’ve only read the TOC for your book so far but it seems very much what we need to see more people adopt self-hosting so thank you very much for putting in the time and effort!