Re: [bitfolk] HSTS fun on bitfolk.com

Author: Jess Robinson
Date:  
To: users
Subject: Re: [bitfolk] HSTS fun on bitfolk.com

Hi Andy,

On 2019-07-01 09:58, Andy Smith wrote:
> Hi Jess,
>
> On Mon, Jul 01, 2019 at 10:39:23AM +0100, Jess Robinson wrote:
> > I eventually realised that the main bitfolk.com itself is sending
> > hsts-required headers, and including all subdomains, which seems
> > to trigger regardless of port :( Removing bitfolk.com fixed it for
> > now, though presumably it will return if I visit the toplevel site
> > again.
>
> TL;DR: Use example.vps.bitfolk.space.


Aha! Do you need to add that for me? (didn't Just Work (tm))

> When I first started putting customers who did not have a domain of
> their own under vps.bitfolk.com, I only ever thought that this would
> be a short term arrangement for them. I didn't (and still don't)
> really understand how anyone who would use a VPS would exist without
> at least one domain name of their own.
>
> However, subsequent experience taught me that such people do exist,
> in quite a number. It is perhaps not that they don't HAVE a domain
> name, but that they do not wish to ADVERTISE any particular domain
> name.
>
> I still don't understand it, but I accept that people keep wanting
> to do this.


Heh well, in the general case of actually deploying websites etc, I'd agree. In this particular case I'm using my VPS as a development box, cos it's Debian based, and sometimes easier to install stuff on than my desktop (which is Gentoo).

> Use of example.vps.bitfolk.com has a few different issues, such as
> (non-exhaustive list):
>
> - Makes you subject to BitFolk's HSTS policy as you pointed out
>
> - May in future make you subject to Content Security Policy:
> https://www.w3.org/TR/CSP3/
>
> (bitfolk.com and panel.bitfolk.com have one but I don't think they
> enforce it on subdomains at present)
>
> - Cross-domain leaking of cookies from .bitfolk.com to sub-domains.
>
> - Impossible for the customer to add extra DNS records like CNAME,
> MX, AAAA, SRV, TXT or anything that might be generally useful in
> one's own domain.
>
> HSTS is the real killer so far, so in January we introduced
> the domain bitfolk.space and started putting customers who didn't
> have a preference into vps.bitfolk.space instead, copying over all
> existing records from under vps.bitfolk.com.
>
> We aren't going to enforce HSTS or anything like that on
> bitfolk.space. At some point we will deprecate vps.bitfolk.com. I
> still do not recommend long-term use of host names under
> vps.bitfolk.space.
>
> HSTS etc won't be removed from bitfolk.com. It was a bad idea to
> ever put customer stuff inside bitfolk.com.


Aye, live and learn! Could you move jandj.vps.bitfolk.com over to .space please? (or do I need to email via the official support address for that..)

Jess
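The "includeSubDomains regardless of port" behaviour that Jess ran into and Andy explains above, as an added example that is not part of the original thread: a minimal model of a browser's HSTS cache following RFC 6797 superdomain matching. The header value attributed to bitfolk.com here is assumed for illustration, not copied from the real site; the hostnames are the ones from the thread.

```python
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Unknown directives such as 'preload' are ignored, as RFC 6797 requires."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("HSTS header without max-age is invalid")
    return max_age, include_sub

def hsts_cache_from_responses(responses):
    """Build a {host: include_subdomains} cache from (host, header) pairs."""
    cache = {}
    for host, header in responses:
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:
            cache.pop(host.lower(), None)   # max-age=0 removes a known host
        else:
            cache[host.lower()] = include_sub
    return cache

def upgrade_url(cache, url):
    """Return the URL the browser would actually fetch.
    Only the host's label chain is consulted; the port plays no part."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = parts.hostname.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cache:
            # exact match always applies; a superdomain only with includeSubDomains
            if i == 0 or cache[candidate]:
                return url.replace("http://", "https://", 1)
    return url

# Constructed sample (assumed header value): bitfolk.com covers every
# subdomain, while nothing under bitfolk.space has set HSTS at all.
SAMPLE_CACHE = hsts_cache_from_responses([
    ("bitfolk.com", "max-age=31536000; includeSubDomains; preload"),
])
```

Because the match is on host labels alone, a dev server on http://jandj.vps.bitfolk.com:8080 is upgraded just like port 80 would be, whereas the same name under vps.bitfolk.space is left untouched.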