Title photo
frugal technology, simple living and guerrilla large-appliance repair

Regular blog here, 'microblog' there

Many of my traditional blog post live on this site, but a great majority of my social-style posts can be found on my much-busier microbloging site at updates.passthejoe.net. It's busier because my BlogPoster "microblogging" script generates short, Twitter-style posts from the Linux or Windows (or anywhere you can run Ruby with too many Gems) command line, uploads them to the web server and send them out on my Twitter and Mastodon feeds.

I used to post to this blog via scripts and Unix/Linux utilities (curl and Unison) that helped me mirror the files locally and on the server. Since this site recently moved hosts, none of that is set up. I'm just using SFTP and SSH to write posts and manage the site.

Disqus comments are not live just yet because I'm not sure about what I'm going to do for the domain on this site. I'll probably restore the old domain at first just to have some continuity, but for now I like using the "free" domain from this site's new host, NearlyFreeSpeech.net.

Wed, 09 Jan 2019

Migrating this blog to https

There's really no reason to migrate this blog from http to https, but I'm doing it anyway. At least temporarily.

My hosting company now supports free SSL out of the box without requiring you to purchase a certificate. Let's Encrypt made it stupid for them to hold out. They probably got 100 requests a week to install Let's Encrypt certificates, and they were actually charging money to do that.

I made the required changes in my .htaccess file.

Two things didn't work. I could probably live with both, but they can be fixed.

I run this site using Ode, and I modifed my ode_config file to include https. That was easy.

First, I am already redirecting a cgi script to a folder (so the .cgi path doesn't show).

But when I added the rules to 'force' https, they broke when forcing https on the root directory.

What I mean is that a reader who typed in stevenrosenberg.net/blog would instead get the formerly hidden path to the .cgi file.

I solved that with a permanent redirect in the .htaccess.

Here is what I have in .htaccess right now:

RewriteEngine on
RewriteRule ^blog/?(.*)$ /cgi-bin/ode.cgi/$1 [QSA]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*) https://stevenrosenberg.net/$1 [R=301,L]
Redirect permanent http://stevenrosenberg.net//cgi-bin/ode.cgi/ https://stevenrosenberg.net/blog
Options -Indexes

That worked for this blog, but it broke some other things unrelated to it.

The change from http to https also broke comments by Disqus, which sees this as a full URL change. If I stayed with https, I would have to migrate my "old" comments to the new https entries and change the configuration for Disqus to allow for new comments.

At the moment this site isn't a big comment magnet, so I'm going to put this part of the migration on hold until I am sure I want to stay with https. This site is a blog with zero interactivity besides the Disqus comments, and that doesn't really make https a necessity. I'm not asking you for any information whatsoever. Only Disqus does that, and either you trust them, or you don't.

Maybe https prevents some kinds of attacks on this site, but if it goes pear-shaped, I'll notice, and that could happen any number of other ways. In some sense, https could be giving people on all sides a false sense of security. But if all goes right (and, axiomatically, nothing goes wrong), https adds some measure of security.

Update: I turned https off again. It broke a bunch of non-Ode things I have on this domain, and it's just not worth it. For future projects, I will use https, but for now this domain is better without it.