Mozilla HTTP Observatory

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • http-observatory

    Mozilla HTTP Observatory

  • For anyone curious, you can find the source code at https://github.com/mozilla/http-observatory

  • observatory-cli

  • There are no options for non-standard ports, but you may perform a local scan using https://github.com/mozilla/observatory-cli

  • ssh_scan

    Discontinued DEPRECATED - A prototype SSH configuration and policy scanner (Blog: https://mozilla.github.io/ssh_scan/)

  • The link you posted is for performing HTTPS & CSP tests. The OP mentioned SSH testing which can be run locally with https://github.com/mozilla/ssh_scan

  • Caddy

    Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

  • > Nothing, probably. In a sane country and legal system doing things like that would be illegal.

    It should, but it isn't always the case. Not only that, but even if it is technically illegal, it still might be done because of a lack of people who'll take the guilty parties to court over it. So, in reality, you cannot avoid viewing that as a well-founded risk.

    > But on the other hand forcing HTTPS means that some users will never be able to access it due to old browsers and/or hardware.

    In a similar argument about what "should" happen - Google shouldn't just abandon numerous Android devices out there, nor should any other vendor. There should be mechanisms in place to ensure that these devices continue to function for the decades to come.

    But since that's not the case, it's inevitable that you'll cut off a small portion of your potential userbase, same as with many sites simply not functioning because the developers made the choice to require JS. Of course, that is your choice, unless other concerns (like security) force your hand.

    > More likely though is that I mess up the HTTPS certificates, either by mistake or inaction, and lock out everyone who doesn't dare click the correct sequence of "ignore warning" buttons. I've already managed to block access for normal users to several sites, several times, by running too old certbot versions, not integrating things properly and whatnot. It's a good thing I'll never use HSTS and HPKP, or I'll make permanent messes.

    I run a couple of sites through a .dev domain and I do agree with what you're saying, since locking yourself out sooner or later is inevitable, but in my eyes I'd treat it like any other problem out there, much like messing up exposing the correct firewall ports - fix the problem, set up monitoring to be alerted of any problems in the future and move on.

    That's why having development/test/staging environments is really useful and in case you fear rate limits, Let's Encrypt also has a staging environment that you can use before switching over to prod: https://letsencrypt.org/docs/staging-environment/

    Not only that, but there are a few web servers here and there that attempt to improve the situation with ensuring SSL/TLS, like Traefik. Personally, however, I've found Caddy to be the most painless, since with it I don't need to mess around with integrating certbot with Apache/Nginx, but instead can just use it, since it works out of the box for the most part: https://caddyserver.com/

    Apart from that, you can always just expose a version without HTTPS on the server's ports locally, so that you can set up a tunnel through SSH and access it from your device in emergency situations (or just use a self-signed certificate for the "private" version).

  • sailor

    CLI test runner for SecureAPI (by hidalgopl)

  • We decided to have it as a CLI, for the sake of simplicity when integrating it into CI & CD.

    After I decided we won't be trying to build a business around it, I removed SaaS dependency and open-sourced it.

    You can check it here: https://github.com/hidalgopl/sailor
