[tor-mirrors] HSTS for a tor mirror
Roger Dingledine
arma at mit.edu
Wed Jan 3 00:13:18 UTC 2018
On Sun, Dec 31, 2017 at 04:31:00PM +0100, Valentin Brandl wrote:
> Hi there,
> I'm starting to build a mirror for the tor project. The instructions
> page states `Try not to redirect http to https. Many places in the world
> cannot use https due to local or national firewalls`.
>
> Since there should be no redirect, should I also stop sending HSTS
> headers when the page is visited via https? Also should or shouldn't I
> insert my site into the HSTS preload list?
Thanks everybody for the useful discussion here.
I think the right answer for mirror providers is "each person should
do whatever they think is best/easiest" -- that should result in some
diversity, where hopefully there will be some mirrors that can handle
whatever weird situation the censored users find themselves in.
If somebody wants to write a patch for the mirror page:
https://gitweb.torproject.org/project/web/webwml.git/plain/docs/en/running-a-mirror.wml
so it says more reasonable things, that would be great.
Thanks!
--Roger
More information about the tor-mirrors
mailing list