Dev: Use different domains for development, since readthedocs.io is HSTS and redirects to HTTPS #9310

Closed
ericholscher opened this issue Jun 8, 2022 · 6 comments
Labels
Accepted Accepted issue on our roadmap

Comments

@ericholscher
Member

ericholscher commented Jun 8, 2022

We are currently using domains similar to production for local development (docs.dev.readthedocs.io:8000, for example), but because we've added readthedocs.io to HSTS lists, browsers generally won't let you load the domain with a non-SSL request. This causes weird development issues.

We are currently using a few different domains in dev:

  • dev.readthedocs.org
  • dev.readthedocs.io
  • dev.readthedocs.build

This is to match our production setup, but we'll need to discuss a bit more what we want to use. A couple options we have are:

  • readthedocs.net
  • verbthenouns.com & verbthenouns.org
  • rtfd.org & rtfd.io

We could also register a specific set of domains for this if we wanted to try and keep matching the TLDs, but not have the HSTS issues (e.g. devthedocs.org/io/build).

Implementation

This change would require an update in a few places:

  • Docker dev configuration nginx & settings
  • Documentation for dev setup
  • DNS to point to 127.0.0.1 on dev.$domain
@ericholscher ericholscher added the Accepted Accepted issue on our roadmap label Jun 8, 2022
@ericholscher ericholscher moved this to Planned in 📍Roadmap Jun 8, 2022
@davidfischer
Contributor

Just a couple notes:

  • readthedocs.io has the HSTS header set (strict-transport-security: max-age=31536000; includeSubDomains; preload). Despite the preload directive, it is not preloaded (https://hstspreload.org/).
  • When selecting a "dev domain", make sure the domain isn't preloaded. Some TLDs like .dev and .app require HTTPS for the whole domain. They're preloaded.
  • .readthedocs.io is a public suffix (https://publicsuffix.org/). This means some browsers apply isolation since they understand that subdomain1.domain.tld is probably run by a different entity than subdomain2.domain.tld.

I think dev.readthedocs.net and dev.readthedocs.build are great choices. I would advise against using rtfd.org or rtfd.io as these are used for production redirects.
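
The check described in the notes above, as an added example that is not part of the original thread or the Read the Docs code base: given the HSTS headers a browser has already seen, it reports whether plain HTTP to a candidate dev hostname would be upgraded, following RFC 6797 host matching. The function names and the `SEEN` browser state are hypothetical; only the header value and the `.dev`/`.app` TLDs come from the thread, and the full preload list is not consulted.

```python
from __future__ import annotations

from dataclasses import dataclass

# TLDs the thread names as preloaded for the whole TLD (not the full preload list).
PRELOADED_TLDS = {"dev", "app"}


@dataclass
class HstsPolicy:
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    policy = HstsPolicy()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy.max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def forced_https(host: str, known: dict[str, HstsPolicy]) -> str | None:
    """Return why HTTP to `host` would be upgraded, or None if plain HTTP loads."""
    labels = host.lower().split(":")[0].rstrip(".").split(".")
    if labels[-1] in PRELOADED_TLDS:
        return f"preloaded TLD .{labels[-1]}"
    # Walk from the host itself up through each parent domain (never the bare TLD).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        policy = known.get(candidate)
        # A parent's policy applies only when it carries includeSubDomains.
        if policy and policy.max_age > 0 and (i == 0 or policy.include_subdomains):
            return f"HSTS policy from {candidate}"
    return None


# Header value quoted in the thread; the browser state itself is constructed.
SEEN = {"readthedocs.io": parse_hsts("max-age=31536000; includeSubDomains; preload")}
```

With this state, `docs.dev.readthedocs.io:8000` is reported as upgraded because of the parent policy, while a host under a separately registered domain with no stored policy is not.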

@humitos
Member

humitos commented Jun 13, 2022

> I think dev.readthedocs.net and dev.readthedocs.build are great choices. I would advise against using rtfd.org or rtfd.io as these are used for production redirects.

dev.readthedocs.net looks good to me. However, readthedocs.build is used in production for the external versions, so I think we shouldn't use that one.

@ericholscher ericholscher self-assigned this Jun 21, 2022
@ericholscher
Member Author

ericholscher commented Jul 19, 2022

I've gone ahead and registered:

  • devthedocs.com
  • devthedocs.org

I think we should be able to make these work, and just keep all the dev work on the same domain. I'd propose matching production as much as possible. I've also set up the DNS to point all requests to 127.0.0.1. I've put together a basic PR that swaps things over.

I'm going to unassign myself from this card since it's not blocked on me anymore, and remove it from a sprint since it's a "nice to have" medium-term feature if anyone wants to jump on finishing it.

@ericholscher ericholscher removed their assignment Jul 19, 2022
ericholscher added a commit that referenced this issue Jul 19, 2022
ericholscher added a commit that referenced this issue Jul 21, 2022
* Update dev domain to `devthedocs.org`

Refs #9310

* Use short prod domain

* Fix domains

* Remove the www
@humitos
Member

humitos commented Jul 28, 2022

I understand this is already done. @ericholscher Is anything actionable missing here?

@stsewd
Member

stsewd commented Jul 28, 2022

I think we are missing changing the readthedocs-corporate repo.

@agjohnson
Contributor

Bumping this up to our next sprint so we don't have configuration disparity between community/commercial.

@stsewd stsewd closed this as completed Aug 3, 2022
Repository owner moved this from Planned to Done in 📍Roadmap Aug 3, 2022