3 1. visit an ikiwki site like <http://ikiwiki.info/> or <http://git-annex.branchable.com/>
4 2. trigger the login page by accessing preferences or trying to edit something
5 3. login page is served without encryption
7 Firefox gives all kinds of warnings for unencrypted login pages.
9 The fix is for the login page to redirect to the https version of the wiki before showing the login form.
11 > This is web server configuration for those sites, so not really a bug in the
12 > ikiwiki software. If you run an ikiwiki instance and you have a browser-trusted certificate,
15 > * setting the `url` and `cgiurl` options to `https://...`
16 > * configuring your web server (frontend web server if you are using a reverse-proxy)
17 > to redirect from `http://...` to `https://...` automatically, possibly excluding
18 > `/.well-known/acme-challenge/` to make it easier to bootstrap Let's Encrypt certificates
20 > In [ikiwiki-hosting](https://ikiwiki-hosting.branchable.com/) the latter can be achieved
21 > by setting the `redirect_to_https` option to `1`.
23 > When not using ikiwiki-hosting, the ikiwiki software does not control the web server
24 > configuration, so it can't do this for you. The CGI script could redirect from http
25 > to https if it knew you had a browser-trusted certificate, but it can't know that
26 > unless you tell it (by setting `url` and `cgiurl`), and there's the potential for
27 > infinite redirect loops in misconfigured reverse-proxy setups if it did that
28 > (see [[bugs/login problem redux]]), so I think this is better solved at the web
31 > The operator of ikiwiki.info and branchable.com can change the web server
32 > configuration for those sites, but other ikiwiki developers can't. --[[smcv]]