Our download system is based on the OSUOSL FTP Cluster. While many clients refer directly to ftp.osuosl.org, we have a vhost ftp.drupal.org. This decision was before my time, but it is causing us problems. I would like to enable HTTPS Strict Transport, which would require ftp.drupal.org to be served over HTTPS. The OSL FTP cluster does not support SSL and likely never will.

Additionally, while session cookies are Secure Only, the GA cookies are being sent on ftp.drupal.org requests. This doesn't leak much information, but it does leak some across HTTP. There is no reason to be doing this.

Solving this is unpleasant. We will either need to use a different domain for downloads (drupal.osuosl.org, drupal.ftp.osuosl.org, etc.) or put an SSL proxy in front of ftp.drupal.org and strip cookies out of requests to the upstream FTP servers. We could also just use our CDN for this and vacate the FTP cluster.

Opening this to track the issue.
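The cookie leak described above comes from cookie scoping, not from anything ftp.drupal.org itself does: a cookie set with Domain=.drupal.org is attached to requests for every subdomain, and only the Secure attribute stops a browser from sending it in cleartext. The script below, an added illustration that is not part of this issue or drupal.org's code, simulates that with Python's standard cookie jar. The cookie names and values are constructed; the only assumption taken from the issue is that the session cookie is Secure and the Google Analytics cookies are not, with both scoped to the parent domain. It also shows why moving downloads to a domain outside drupal.org sidesteps the problem entirely.

```python
"""Simulate which cookies a browser-like client attaches to requests for
ftp.drupal.org, given cookies scoped to drupal.org.

Added illustration for this issue, not code from drupal.org or OSUOSL.
Cookie names and values are constructed samples.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, secure):
    """Build a cookie as a Set-Cookie with Domain=<domain> would store it."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def build_jar():
    """Jar holding constructed samples: one Secure session cookie and two
    GA-style cookies without the Secure attribute, all on .drupal.org."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("SESSabc123", "constructed-session-id", ".drupal.org", secure=True))
    jar.set_cookie(make_cookie("_ga", "GA1.2.constructed", ".drupal.org", secure=False))
    jar.set_cookie(make_cookie("_gat", "1", ".drupal.org", secure=False))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url.

    The jar applies the normal browser rules: domain match on the request
    host, and Secure cookies only over https.
    """
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def leaked_over_http(jar, url):
    """Cookie names that would travel in cleartext if url is plain http://."""
    if not url.startswith("http://"):
        return []
    return cookies_sent_to(jar, url)


if __name__ == "__main__":
    jar = build_jar()
    # The GA cookies ride along on plain-HTTP download requests; the
    # Secure session cookie does not.
    print("http://ftp.drupal.org/ leaks:", leaked_over_http(jar, "http://ftp.drupal.org/"))
    # Over HTTPS everything is sent, which is the desired state once HSTS is on.
    print("https://ftp.drupal.org/ sends:", cookies_sent_to(jar, "https://ftp.drupal.org/"))
    # A download host outside drupal.org receives no drupal.org cookies at all.
    print("http://drupal.osuosl.org/ sends:", cookies_sent_to(jar, "http://drupal.osuosl.org/"))
```

Run it as-is to see the three cases; the middle one is what an HTTPS front end (CDN or SSL proxy) plus HSTS produces, and the last one is the "different domain" option from the issue.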

Comments

basic:

For reference, FTP usage stats (for July 2014) are here: https://awstats.osuosl.org/reports/ftp.drupal.org/2014/07/awstats.ftp.dr...

We are using roughly 3TB of transfer a month for FTP which translates to roughly $240/month in bandwidth. We will need to get some estimates for storage too, I believe we're using quite a bit.

Component: File server » Servers
basic:

ftp.drupal.org was migrated to Fastly CDN, HTTPS has not yet been deployed, but we now have the option to do so and for strict transport security to be enabled when that happens.

basic:

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.