On Apr 9, 2021, at 9:37 AM, Johnny Hughes johnny@centos.org wrote:
> donated machines that are part of the mirror.centos.org dns name.
My key incorrect assumption was that this is just a front end, and all of the actual file pulls came from other second-level domains. I didn’t realize you were allowing other organizations to masquerade as centos.org.
The usual solution to this sort of problem is to set up another domain; centosmirrors.org or similar. Then you can separately manage the key spaces of the two domains.
This sort of design also solves certain types of CORS and XSS problems, such as third-parties getting sent cookies for the main site they haven’t actually got any business seeing, because the HTTP client can’t tell the difference.
This is why you’ll find your uploads to social media sites being served back from domains other than the main user-facing one: it’s user-provided content, so they refuse to ship it from the domain that handles authentication.
> we do sign the metadata .. so you can make sure the rpms, no matter their origin, are real if you enable signed repodata
I wasn’t worried about that. I just wanted to use HTTPS to hide the RPM data from the site’s overly paranoid “translucent” HTTP gateway proxy, so it wouldn’t block the download.
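The cookie-scoping point made above (a client cannot tell a donated mirror under mirror.centos.org apart from centos.org itself, whereas a separate domain such as the suggested centosmirrors.org gets nothing) can be checked with the standard library's cookie jar. The following is an added example, not code from the thread or from the CentOS project; the cookie name `session`, its value, and the exact hostnames queried are constructed for illustration.

```python
"""Which hosts receive a cookie scoped to a parent domain?

Added example (not from the mailing-list thread). It uses http.cookiejar's
default policy, which implements the same domain-matching rules browsers
apply, to show that a cookie set with Domain=.centos.org is sent to every
host under centos.org (including third-party mirrors), while a mirror on a
separate domain (centosmirrors.org, as suggested in the thread) receives
nothing. A host-only cookie (no Domain attribute) is shown for contrast.
"""
import http.cookiejar
import urllib.request
from typing import Dict, Optional


def make_cookie(name: str, value: str, domain: str,
                host_only: bool = False) -> http.cookiejar.Cookie:
    """Build a Netscape-style (version 0) cookie.

    host_only=False models `Set-Cookie: name=value; Domain=.centos.org`;
    host_only=True models the same header without a Domain attribute, which
    browsers scope to the exact host that set it.
    """
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=not host_only,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True,                 # Secure flag: never sent over plain http
        expires=None, discard=True,  # session cookie
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str) -> Optional[str]:
    """Return the Cookie header a urllib client would attach to `url`, or None
    if the jar's policy decides no cookie matches that request."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leakage_report(jar: http.cookiejar.CookieJar,
                   urls: Dict[str, str]) -> Dict[str, bool]:
    """Map a label (e.g. 'third-party mirror') to whether that URL gets a cookie."""
    return {label: cookie_header_for(jar, url) is not None
            for label, url in urls.items()}


# Constructed sample: one session cookie as the main site might set it.
DOMAIN_JAR = http.cookiejar.CookieJar()
DOMAIN_JAR.set_cookie(make_cookie("session", "CONSTRUCTED", ".centos.org"))

# Same cookie, but host-only (no Domain attribute).
HOST_ONLY_JAR = http.cookiejar.CookieJar()
HOST_ONLY_JAR.set_cookie(
    make_cookie("session", "CONSTRUCTED", "www.centos.org", host_only=True))

SAMPLE_URLS = {
    "main site":          "https://www.centos.org/",
    "third-party mirror": "https://mirror.centos.org/",   # donated box, same domain
    "separate domain":    "https://centosmirrors.org/",   # suggested alternative
    "mirror over http":   "http://mirror.centos.org/",    # Secure flag blocks it
}

if __name__ == "__main__":
    for title, jar in (("Domain=.centos.org", DOMAIN_JAR),
                       ("host-only", HOST_ONLY_JAR)):
        print(f"cookie scope: {title}")
        for label, gets_it in leakage_report(jar, SAMPLE_URLS).items():
            print(f"  {label:20s} {'SENT' if gets_it else 'not sent'}")
```

The domain-scoped jar reports the cookie as sent to both www.centos.org and mirror.centos.org, which is exactly the situation the message describes: a donated mirror under the main domain receives credentials it has no business seeing. The host-only jar sends it to www.centos.org only, and the separate centosmirrors.org domain never receives it in either case, which is the isolation the second-domain design buys.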