[00:59] <mercutio> odd so randomly sometimes it just doesn't work and 404s?
[01:42] *** ziyourenxiang has joined #arpnetworks
[05:59] <mhoran> OK, I think it was some combination of weird cached things and then redirects that weren't working. https://graphs.arpnetworks.com just redirects to arpnetworks.com, and I think the HSTS somewhere was then getting cached.
[05:59] <mhoran> But if I go to https://graphs.arpnetworks.com/cacti/ it works.
[06:00] <mhoran> (After clearing all my cache and history.)
[09:14] *** ziyourenxiang has quit IRC (Ping timeout: 246 seconds)
[10:00] <brycec> For me, https://graphs.arpnetworks.com does NOT redirect to arpnetworks.com, it redirects to /cacti/. Also, it's not serving an HSTS header.
[10:01] <brycec> But if I try http://graphs.arpnetworks.com
[10:01] <brycec> But if I try http://graphs.arpnetworks.com it DOES redirect to arpnetworks.com. (And no HSTS header in that response, or the response from https://arpnetworks.com)
[10:02] <brycec> ^ I've had this same issue with portal.arpnetworks.com -- I type "portal.arpnetworks.com" in my browser and end up at https://arpnetworks.com, but if I make sure to type https://portal.arpnetworks.com I end up where I wanted to be.
[10:03] <brycec> Long story short... (portal|graphs).arpnetworks.com:80 really ought to redirecto the https://&:443 and _not_ https://arpnetworks.com, very jarring user experience
[10:03] <mhoran> +1
[10:03] <mhoran> Yeah I just presumed an HSTS header because of how it was behaving and I was confused.
[10:03] <brycec> I think ARP used to have an HSTS header but with not all the subdomains setup for https, they pulled it because they weren't comfortable.
[13:40] <mercutio> i think hsts was only ever on the main web site
[13:41] <mercutio> lg.arpnetworks.com doesn't have https
[13:59] <brycec> Right, right. That's my recollection as well. BUT HSTS is typically recomended with "includeSubdomains" (IIRC) flag set so it causes browsers to assume *.arpnetworks.com are HSTS
[15:52] <mercutio> ah
[15:52] <mercutio> to my mind what is better is when you get put into google etc with HSTS
[15:52] <mercutio> like prepopulating
[16:32] <brycec> mercutio: You're referring to https://hstspreload.org/ ?
[16:33] <brycec> Of course, the easy way into that is to just have a domain under a TLD that's preloaded.
[16:33] <mercutio> looks to be
[16:34] <mercutio> i don't remember it being quite so easy
[16:34] <brycec> It's been quite that easy for a few years now :P
[16:34] <mercutio> it needs includesubdomains for that
[16:36] <mercutio> maybe doing includesubdomains isn't such a bad idea, thoughts, up_the_irons ?
[16:38] <brycec> mercutio: No there are whole TLDs that are on the list already. Like .dev and .vodka
[16:38] <brycec> I think arpnetworks.vodka has a nice ring to it
[16:38] <mercutio> haha
[16:39] <mercutio> i didn't know that
[16:39] <brycec> .google is another well-known (I think) [g]TLD that's on the HSTS list. With or without server headers, every web page served from a *.google domain is automatically HSTS'd, including all subdomains etc
[16:39] <mercutio> i didn't know there was a .google even
[16:39] <mercutio> so many new TLD now!
[16:39] <mercutio> tbh i don't pay much attention to domain names anymore
[16:39] <mercutio> i use google to search for what i want generally
[16:41] <brycec> oof the HSTS list has grown quite a bit since I last looked https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
[16:44] <brycec> (Correction, .vodka is not on the HSTS list, I misread something)
[16:48] <mercutio> i prefer gin
[16:50] <mercutio> that's pretty cool
[16:51] *** ziyourenxiang has joined #arpnetworks
[18:56] *** ziyourenxiang has quit IRC (Remote host closed the connection)