This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

HTTPS support on inside.gratipay.com #943

Closed
EdOverflow opened this issue Dec 16, 2016 · 18 comments

@EdOverflow
Contributor

First off, I am fully aware that there was a previous issue (#112) concerning HTTPS support on inside.gratipay.com, but I have decided to start from scratch and incorporate further information.

Why support HTTPS?

There are several points which Scott Helme (@ScottHelme) explains here: https://scotthelme.co.uk/still-think-you-dont-need-https/

  • HTTPS makes things faster
  • HTTPS boosts SEO Ranking
  • HTTPS prevents 3rd party content injection
  • HTTPS prevents malicious content injection

On top of that, when accessing https://inside.gratipay.com you get the following warning:

Warning

How can this be fixed?

A good explanation can be found here: https://support.dnsimple.com/articles/heroku-error-ssl/

This error occurs because you are pointing the DNS to the generic herokuapp.com Heroku endpoint. Instead you need to use the SSL host name provided you by Heroku. The hostname generally ends with:

  • herokudns.com if you are using the Heroku SSL feature
  • herokussl.com if you are using the legacy Heroku SSL Endpoint feature

@chadwhitacre
Contributor

Thanks for the suggestion, @EdOverflow! SSL costs $20/mo at Heroku, which is a lot for us right now. Would one of the free options suffice? CloudFlare? Let's Encrypt?

@EdOverflow
Contributor Author

EdOverflow commented Dec 16, 2016

Hi @whit537,

Cloudflare and Let's Encrypt are very good options. Here are the docs concerning SSL certificates on Heroku: https://devcenter.heroku.com/articles/ssl

Here is a Medium article about setting up Let's Encrypt with Heroku: https://medium.com/@franxyzxyz/setting-up-free-https-with-heroku-ssl-and-lets-encrypt-80cf6eac108e#.5ir9ykide

@EdOverflow
Contributor Author

Would moving inside.gratipay.com to GitHub pages be an option?

@EdOverflow
Contributor Author

Forget the GitHub pages question, I just saw issue #928.

@nobodxbodon

@EdOverflow may I ask why not move to GitHub pages because of #928?

@EdOverflow
Contributor Author

Sorry, I did not formulate my response properly. I meant since this is already a discussion over at #928, there is no need for the same one here. As far as I can tell, GitHub pages is still an option over at #928.

@chadwhitacre
Contributor

> Would moving inside.gratipay.com to GitHub pages be an option?

Theoretically. We do have some server-side logic, though. www/appendices/disclosures.spt comes to mind as probably the most significant right now.

@techtonik
Contributor

For static content https://www.netlify.com/ is free for open source and has a custom build step option, although we can probably build/deploy with Travis or another CI. I am +1 for a self-hosted solution though.

@EdOverflow
Contributor Author

Update on this issue: I believe we are currently leaning towards implementing CloudFlare: #957.

@chadwhitacre
Contributor

We went with Let's Encrypt for gratipay.com in gratipay/gratipay.com#4327.

@EdOverflow
Contributor Author

https://blog.heroku.com/announcing-automated-certificate-management

@chadwhitacre
Contributor

Heeeeccckkkk yaaaaaahhhhh.

@chadwhitacre
Contributor

+2 from @rerb @rohitpaulk in #1025.

@techtonik
Contributor

From #1025 (comment):

I see the `Internal server error, program!' screen now. Reopening.

@EdOverflow
Contributor Author

@techtonik Concerning #1025, this is actually the case on all browsers.

$ curl https://inside.gratipay.com/
curl: (51) SSL: no alternative certificate subject name matches target host name 'inside.gratipay.com'
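
The mismatch behind the curl error above, reproduced offline as an added example (not code from this thread or from Gratipay): it classifies a CNAME target by the hostname suffixes quoted earlier from the DNSimple article and applies the usual left-most-label wildcard rule to a certificate's subject alternative names. The app name, CNAME targets and SAN lists are constructed sample values.

```python
"""Added example: why curl rejected the certificate (constructed data, offline)."""

SSL_SUFFIXES = ("herokudns.com", "herokussl.com")  # SSL hostnames named in the thread
GENERIC_SUFFIX = "herokuapp.com"                   # generic endpoint named in the thread

# Constructed samples: (hostname, CNAME target, SANs on the certificate served there).
BEFORE = ("inside.gratipay.com", "example-app.herokuapp.com.",
          ["*.herokuapp.com", "herokuapp.com"])
AFTER = ("inside.gratipay.com", "inside.gratipay.com.herokudns.com.",
         ["inside.gratipay.com"])


def _under(host, suffix):
    """True if host is the suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def classify_cname(target):
    """Classify a CNAME target using the suffixes listed in the thread."""
    host = target.rstrip(".").lower()
    if any(_under(host, s) for s in SSL_SUFFIXES):
        return "ssl-endpoint"
    return "generic-endpoint" if _under(host, GENERIC_SUFFIX) else "other"


def san_matches(hostname, pattern):
    """Match a hostname against one SAN; '*' may only replace the whole first label."""
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def diagnose(hostname, cname_target, cert_sans):
    """Return (ok, reason) for a custom domain reached through a CNAME."""
    if any(san_matches(hostname, san) for san in cert_sans):
        return True, "certificate covers " + hostname
    if classify_cname(cname_target) == "generic-endpoint":
        return False, "CNAME points at the generic endpoint, whose certificate does not name " + hostname
    return False, "no SAN matches " + hostname


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(*sample))
```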

@techtonik
Contributor

techtonik commented Apr 17, 2017

I am still thinking about making inside.gratipay.com a static site copy that gets deployed on Netlify. It won't take more than a few hours to set up automation. At least we will get page design previews in PRs for free. :)

@chadwhitacre
Contributor

The disclosures page is dynamic, for starters. I don't see a lot of value in converting to Netlify apart from fad compliance. 😃

@techtonik
Contributor

Not much of a fad, but a way to get previews. )
