Use https as default

[acka47]

Like written in hbz/lobid-organisations#263 (for lobid-organisations) we should implement https as default in all our major services (lobid-resources, nwbib, lobid-authorites etc.).

[acka47]

I have the suspicion that NWBib hits are declining heaviliy because we don't make it https by default. Obviously, google doesn't even index NWBib much anymore (8xxx), see https://www.google.de/search?source=hp&q=site%3Anwbib.de (On the other hand, most of the indexed pages are https.)

[dr0i]

I have the suspicion that the search engines note that a link into a catalog is not what most users want when searching internet resources. But anyway.
Not sure if http status code 301 (Moved permanently) is what we want, as it is stated in https://en.wikipedia.org/wiki/HTTP_301 that:

links or records using the URL that the response is received for should be updated

which we ourselves won't do (I mean: using https-resource-URIs).
But then this status code seems to be most appreciated by the internet search giants. So. Test this:

http://test.nwbib.de/HT019242018
http://stage.lobid.org/resources/HT019242018
http://stage.lobid.org/organisations/DE-5

I don't use the permanent redirect in production yet because there is an web-app issue (play.api.Application$$anon$1: Execution exception[[ConnectException: HostnameVerifier exception.]] )like that described in "https://stackoverflow.com/questions/37630975/play-framework-ws-call-to-https-restful-api-throwing-exception-on-production".

[dr0i]

Maybe its also correlated to https://stackoverflow.com/questions/19288803/trust-all-ssl-certificates-in-java-playframework-2-2.
To reproduce:
You can use the stage.lobid.org in test.nwbib.de for stage.lobid is configured with the https-redirect (which causes the problems).
Or, if you want to configure production vhosts, just add

RewriteCond %{HTTPS} !on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301]

to them conf's and restart graceful.

Note that for nwbib the http-redirects are productive, see e.g. http://nwbib.de/HT019242018.

[acka47]

Not sure if http status code 301 (Moved permanently) is what we want, as it is stated in https://en.wikipedia.org/wiki/HTTP_301 that:

links or records using the URL that the response is received for should be updated

I think we should use 301. We should just make sure that all internal lobid links in the HTML are HTTPS. Most of them already are but not all.

The JSON we serve is JSON-LD (Linked Data) we are using HTTP URIs as discussed in hbz/lobid-organisations#263 because it seems to be best practice.

[acka47]

We still don't have https as default, see also hbz/lobid-organisations#263. As written in https://go-to-hellman.blogspot.de/2017/09/prepare-now-for-topical-storm-chrome-62.html our search boxes are now labeled as "not secure" in Chrome.

[acka47]

We should just implement this. It is time.

[dr0i]

Https as default for:

• lobid-resources
• lobid-organisations
• nwbib
• lobid-gnd
• lobid.org webpages

[dr0i]

@acka47 please have a look, all should be redirected permanently to https.

[acka47]

We reverted the change as it meant a huge API break and looking at the logs, several clients did not follow the redirect. Thus, we should only implement this change after an announcement and time to adjust clients (if at all).
I opened #401 to at least only use https Links in the HTML.

[dr0i]

Closing this issue.