  • I've done some more digging and come up with more questions than answers.

    Firstly, on the API: most assets are served with relative links. So that raises the unpleasant prospect that the mobile app has been defaulting to HTTP and requesting assets over insecure connections. But I've been through the codebase, and wherever a scheme and domain are missing, the app is hardcoded to assume HTTPS. E.g. attachments, profile avatars.

    The app should never request anything over HTTP, and indeed, I just ran the app in dev mode, logging all image requests, and there were no requests for LFGSS assets over HTTP. So I really can't explain how you're seeing a request from dart over an insecure connection. Do you know why the logs mention an SSL cipher and protocol, despite the request being over HTTP? Incidentally, I've never seen a Host header include the scheme. That's pretty unusual.

    The problem could have been masked by HSTS (the website serving http:// links, but Chrome silently swapping them for https://), but it's not that. The website is serving attachments with absolute URLs:

    curl https://www.lfgss.com/comments/17405497/ | grep "9dbf.jpg"
    
    <img src="https://lfgss.microcosm.app/api/v1/files/a1192d75683ebe6f1104c13f03b4f71443919dbf.jpg" alt="cactus.jpg" title="cactus.jpg" />
    

    On the link shortener:

    The api seems to be serving HTTP links:

    curl -v -H "Authorization: Bearer $LFGSS_TOKEN" https://lfgss.microcosm.app/api/v1/comments/17405497 | jq ".data.html"
    
    "<p>A link: <a href=\"http://microcosm.app/out/LgqWi\" rel=\"nofollow noopener\" target=\"_blank\">https://theuselessweb.com/</a></p>\n"
    

    But the same comment via the web is magically HTTPS:

    curl https://www.lfgss.com/comments/17405497/ | grep "A link:"
    
    <p>A link: <a href="https://microcosm.app/out/LgqWi" rel="nofollow noopener" target="_blank">https://theuselessweb.com/</a></p>
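
    The two checks done by hand above (does the API hand out http:// links, and what does a client that assumes HTTPS do with a scheme-less path) can be scripted. This is an added example in Python, not code from the app or the microcosm API. The sample HTML fragment is constructed from the snippets quoted in this comment; `API_BASE`, the relative image path and the function names are assumptions.

```python
"""Audit API-served HTML for insecure links and resolve scheme-less asset
paths the way a client that defaults to HTTPS would.

Added example; not code from the LFGSS app or the microcosm API.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed API origin: scheme-less paths are resolved against an HTTPS base.
API_BASE = "https://lfgss.microcosm.app/"

# Constructed sample: the API comment HTML quoted above, plus an attachment
# served with a relative path (the absolute form appears in the web page).
SAMPLE_API_HTML = (
    '<p>A link: <a href="http://microcosm.app/out/LgqWi" rel="nofollow noopener" '
    'target="_blank">https://theuselessweb.com/</a></p>\n'
    '<img src="/api/v1/files/a1192d75683ebe6f1104c13f03b4f71443919dbf.jpg" '
    'alt="cactus.jpg" title="cactus.jpg" />'
)


def resolve_asset_url(href, base=API_BASE):
    """Resolve a relative, root-relative or protocol-relative href against an
    HTTPS base, and upgrade any explicit http:// link to https://."""
    absolute = urljoin(base, href)
    parts = urlsplit(absolute)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


class _LinkCollector(HTMLParser):
    """Collect every href/src attribute value in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <img ... /> also arrive here.
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def extract_links(html):
    """Return all href/src values found in the fragment, in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def find_insecure_links(html):
    """Return the links that are explicitly served over plain http://.
    Scheme-less and relative links are not flagged: a client resolving them
    against an HTTPS base never touches HTTP for those."""
    return [link for link in extract_links(html) if urlsplit(link).scheme == "http"]


if __name__ == "__main__":
    for link in extract_links(SAMPLE_API_HTML):
        print(f"{link!r:75} -> {resolve_asset_url(link)}")
    print("insecure:", find_insecure_links(SAMPLE_API_HTML))
```

    Run against a real API response piped in from `curl ... | jq -r ".data.html"`, `find_insecure_links` reproduces the grep above in one place for every href and src, and `resolve_asset_url` shows that the relative attachment path becomes an HTTPS URL while the shortener link is the only one that needed upgrading.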
    
  • Now you mention it, weird choice of log filename too - if the request is http

    filename	/var/log/nginx/https.wildcard.microcosm.app.access.log
    