In article <18849937.7157.1297583642909.JavaMail.root@benjamin.baylink.com>, Jay Ashworth <jra@baylink.com> wrote:
>> Yeah, secure.wikimedia.org's URL scheme isn't really friendly to outsiders. Historically, this is because SSL certificates are expensive, and there just wasn't enough money in the budget to get more of them for the top-level domains. Maybe this isn't the case anymore.
>
> Is that in fact the root cause, Chad? I assumed, myself, that it's because of the squid architecture.
LVS is in front of Squid, so it would be fairly simple to send SSL traffic (port 443) to a different machine; which is how secure.wm.o works now, except that instead of using LVS, it requires a different hostname.
However, I think the idea is not to start allowing https://en.wikipedia.org URLs until there's a better SSL infrastructure which can handle the extra load an easy-to-use, widely advertised SSL gateway is likely to create. secure.wm.o is currently a single machine and sometimes falls over, e.g. when Squid breaks for some reason and people notice that secure still works.
SSL certificates aren't that cheap, but only about 8 would be needed (one for each project, e.g. *.wikipedia.org), so the cost isn't prohibitive anymore.
- river.