[HTTPS-E Rulesets] Caltech and UCSD updates (etc.)

Christopher Liu cmliu00151 at gmail.com
Fri Aug 31 23:20:05 PDT 2012


To whom it may concern:

I put off communicating about the Caltech/UCSD rulesets because I was
busy examining other issues.
As usual, please do actually read the attachments - what's here is a
brief summary for convenience. In particular, this does not include
the various commenting tweaks.
I haven't gotten around to watching all commit activity on these
rulesets, so I might not be meeting all style guidelines.

Caltech:
Add blanket rewrite for websites.caltech.edu (this is used by the "A-Z
Site Index" feature, e.g. https://websites.caltech.edu/research-group
)
Add certain parts of directory.caltech.edu; the site "nominally works"
but requires login to view any search results over https, which is why
a blanket rewrite is unsuitable.
Also point several favicons to the identical-looking one on
directory.caltech.edu

(Also, imss-test-storage.ads.caltech.edu.s3.amazonaws.com needs to be
excluded in the AWS ruleset. It is used on the www.imss.caltech.edu
homepage for the colored bullets on the System Status items, at
least.)

--

UCSD:
Remove nonexistent cri.ucsd.edu, www.hdh.ucsd.edu, www.roger.ucsd.edu
(the !www equivalents of the last two do still exist/work)
Expand coverage to full domains for health.ucsd.edu, libraries.ucsd.edu
Consolidate a couple regexes for (www[\-\.])?structures\.ucsd\.edu
Add quite a large number of blanket rewrites
Add coverage for all of academicaffairs.ucsd.edu except for pages with
Single Sign-On-related breakage
Handle all the file extensions htm/html/shtml for ACMS redirector pages

BTW, I suggest adding a comment to University-of-California.xml to
specify that UCSD has a separate ruleset.

--

Other defects:
-Gawker: The rule covering api.gawker.com causes the comment area to
fail to load - see any individual Gizmodo article, e.g.
http://gizmodo.com/5928558/lets-see-how-well-youtubes-real+name-comment-policy-is-working
-Imgur: Some pages still redirect to http, for example
http://imgur.com/faq ; see the links directly below the "View images"
box on the homepage
-London 2012: The rule that deals with the "festival" subdomain has
the second domain level of its target mistyped as "london2002."
-Nrelate: The rule that rewrites to img.nrelate.com causes images to
load very slowly and often time out. This problem didn't always exist,
and I've tried from two different ISPs, so I assume "something broke"
recently... See, for example,
http://mysteriousuniverse.org/2011/03/aquatic-humanoids-progeny-of-the-black-lagoon-or-alternate-evolution/
(in the related links between the article text and comments section)
-NYTimes: Some/most www.boston.com news stories show blank pages, e.g.
www.boston.com/ae/celebrity/articles/2010/01/14/cheers_to_the_end_of_finnegans_wake/
-Quantcast: edge.quantserve.com should be rewritten to
secure.quantserve.com, according to the current official JavaScript
code for use on each page. For example, www.cracked.com contains said
code; more examples can be found by querying your favorite search
engine for "document.location.protocol" "quantserve.com" (all in one
query, with the quotes).

Other enhancements:
-Floor64: cdn.techdirt.com now works in https and no longer needs to
be rewritten to www.
-McAfee: Please split images.scanalert.com to a separate ruleset, as
it does not suffer from the problems associated with the other McAfee
domains.
-Mozilla: The Mozilla Addons site is now using addons.cdn.mozilla.net
for image content; this should probably be added to the rule that
deals with other mozilla.net subdomains. (Also regarding that rule, it
appears that video-cdn was a typo for videos-cdn.)

As usual, sorry for all the burden that I am causing ... thank you
very much for your help.
C. Liu
-------------- next part --------------
<ruleset name="Caltech (partial)">
<!-- (-fill in contact info as appropriate-)
     My ability to test is limited in that I have graduated from Caltech.
     This should probably be labeled as "partial" until academic departments
     and research groups have been thoroughly investigated.

     For rules that are problematic, see Caltech-mismatches.xml.

     A university using Amazon Web Services? This is madness...
     Found on www:
     - cit.s3.amazonaws.com (works)
     Found on www.imss:
     - imss-test.s3.amazonaws.com (works)
     - imss-test-storage.ads.caltech.edu.s3.amazonaws.com
       (doesn't work when rewritten by the AWS ruleset)
     - imss-website-storage.cloud.caltech.edu.s3-us-west-1.amazonaws.com
       (!valid as is; imss-website-storage.cloud.caltech.edu redirects there)

     HTTPS Finder test failures:
     - alumnus
     - donut
     - www.eas
     - emergency (redirects to www.caltech.edu/emergency/)
     - www.imss
     - irc       (redirects to www.ctme.caltech.edu, which fails)
     - www
-->
<!-- normally https only; protect against sslstripping -->
   <target host="access.caltech.edu" />
   <target host="alumni.caltech.edu" />
   <target host="www.alumni.caltech.edu" />
   <target host="courses.caltech.edu" />
   <target host="irsecure.caltech.edu" />
   <target host="mail.alumni.caltech.edu" />
   <target host="tqfr.caltech.edu" />
   <target host="utils.its.caltech.edu" />
   <target host="webmail.caltech.edu" />
   <target host="webvpn.caltech.edu" />
   <!-- XXX: These sites are only for faculty and/or staff.
        Some may require Internet Explorer, so this list may not be useful.
        www.imss.caltech.edu previously listed these under System Status; where's the equivalent listing on the redesigned site?
        The following need to be investigated: outlookweb, kronos, kronoslimited, fiji, jobs
        (some may be redirectors; at least fiji uses a nonstandard port (9030)) -->
   <target host="techne1.caltech.edu" />
   <target host="business-query.caltech.edu" />
   <target host="nassau.caltech.edu" />
   <target host="pcard.caltech.edu" />
   <target host="scriptor.caltech.edu" />
<!-- supports https but doesn't enforce it on all pages -->
   <target host="www.its.caltech.edu" />
   <target host="websites.caltech.edu" />
<!-- supports https incompletely and/or with functionality problems -->
   <target host="directory.caltech.edu" />
<!-- rules that cover favicons only -->
   <target host="caltech.edu" />
   <target host="www.caltech.edu" />
   <target host="finaid.caltech.edu" />
   <target host="www.finaid.caltech.edu" />
   <target host="imss.caltech.edu" />
   <target host="www.imss.caltech.edu" />
   <target host="tech.caltech.edu" />
<!-- redirectors -->
   <target host="www.access.caltech.edu" />
   <target host="its.caltech.edu" />
   <target host="moodle.caltech.edu" />

<!-- cert !match www. -->
   <rule from="^http://(?:www\.)?access\.caltech\.edu/" to="https://access.caltech.edu/" />
<!-- alumni.caltech.edu/~foo/bar (with any tilde-folder) redirects to the same path on alumnus.caltech.edu, which lacks https
     However, no breakage results from protecting the initial hit -->
   <rule from="^http://(www\.|mail\.)?alumni\.caltech\.edu/" to="https://$1alumni.caltech.edu/" />
   <rule from="^http://(?:courses|moodle)\.caltech\.edu/" to="https://courses.caltech.edu/" />
<!-- irsecure might no longer be used on the redesigned alumni pages -->
   <rule from="^http://irsecure\.caltech\.edu/" to="https://irsecure.caltech.edu/" />
   <rule from="^http://tqfr\.caltech\.edu/" to="https://tqfr.caltech.edu/" />
   <rule from="^http://utils\.its\.caltech\.edu/" to="https://utils.its.caltech.edu/" />
   <rule from="^http://webmail\.caltech\.edu/" to="https://webmail.caltech.edu/" />
   <rule from="^http://webvpn\.caltech\.edu/" to="https://webvpn.caltech.edu/" />

   <rule from="^http://techne1\.caltech\.edu/" to="https://techne1.caltech.edu/" />
   <rule from="^http://business-query\.caltech\.edu:8181/" to="https://business-query.caltech.edu:8181/" />
   <rule from="^http://nassau\.caltech\.edu:4444/" to="https://nassau.caltech.edu:4444/" />
   <rule from="^http://pcard\.caltech\.edu/" to="https://pcard.caltech.edu/" />
   <rule from="^http://scriptor\.caltech\.edu/" to="https://scriptor.caltech.edu/" />

<!-- cert only matches www. -->
   <rule from="^http://(?:www\.)?its\.caltech\.edu/" to="https://www.its.caltech.edu/" />

   <rule from="^http://websites\.caltech\.edu/" to="https://websites.caltech.edu/" />

<!-- TODO: Many more sites use this "generic Caltech logo" favicon; which ones exactly?
     Examples that are not quite equivalent:
     - nanofab.caltech.edu/templates/ja_purity/favicon.ico (has transparent background) -->
   <rule from="^http://(?:www\.)?caltech\.edu/sites/all/themes/caltech/favicon\.ico$"
           to="https://directory.caltech.edu/favicon.ico" />
   <rule from="^http://(?:www\.)?finaid\.caltech\.edu/favicon\.ico$"
           to="https://directory.caltech.edu/favicon.ico" />
   <rule from="^http://(?:www\.)?imss\.caltech\.edu/misc/favicon_cit\.ico$"
           to="https://directory.caltech.edu/favicon.ico" />
   <rule from="^http://tech\.caltech\.edu/wp-content/uploads/favicon\.ico$"
           to="https://directory.caltech.edu/favicon.ico" />

<!-- Responsive with valid cert, but requires login to view *any* search results over https
     Normally (over http), only some information is campus/login-restricted. Thus, do not rewrite the cgi-bin folder.
     Form actions use relative paths; thus, do not rewrite the homepage nor the advanced search page.

     There is a "files" folder, but its contents are campus-restricted.
     Leaving it out for now in case it breaks in a way similar to the search feature (an SSL terminator might be involved)

     Are there any images in formats other than GIF? -->
   <rule from="^http://directory\.caltech\.edu/departmental_directory" to="https://directory.caltech.edu/departmental_directory" />
   <rule from="^http://directory\.caltech\.edu/(.+)\.(css|gif|ico|js)$" to="https://directory.caltech.edu/$1.$2" />
   <rule from="^http://directory\.caltech\.edu/(EmergencyInfo|Telephone|Auditoriums|StudentHouses|CampusShuttle|Changes|Policy)\.html$"
           to="https://directory.caltech.edu/$1.html" />
</ruleset>
-------------- next part --------------
<ruleset name="UCSD">
<!-- Everything except www-cse written by Christopher Liu (-fill in email addr here if you think it's appropriate-)
     I do not hold any official UCSD staff position. -->
<!-- For other UC System coverage, see University-of-California.xml.

     Domains also used by other universities:

     E-Check uses quikpayasp.com
     TritonCash uses services.jsatech.com
     Do any other Universities of California use uc.sumtotalsystems.com (to which uclearning ultimately redirects)?
-->
<!--
   TODO: These have some https support/enforcement or redirect to other domains that do.
   Not all have public content at root level.
   <target host="animalcare.ucsd.edu" /> (may already enforce https; requires login via Single Sign-On)
   <target host="apol-recruit.ucsd.edu" />
   <target host="iacucdataservice.ucsd.edu" /> (SAN with iacuc.ucsd.edu)
   <target host="m.ucsd.edu" /> (mobile redirection script supports https because it is used on TritonLink;
                                 homepage redirects to mobile.ucsd.edu on desktop platforms)
   <target host="myapplication.ucsd.edu" /> (undergraduate application?)
   <target host="myforms.ucsd.edu" /> (hit during TritonLink logout)
   <target host="podcast.ucsd.edu" /> (responsive w/ valid cert, but might have Flash-related breakage)
   <target host="ogs-calendar.ucsd.edu" />
   <target host="ogs-student.ucsd.edu" />
   <target host="siebel.ucsd.edu" />
   <target host="soeadm.ucsd.edu" /> (CNAME and SAN w/ jacobsstudent; does it have any public content?)
   <target host="ucsdrady.askadmissions.net" /> ("VIP Page Log-In" on rady)
   <target host="vac.ucsd.edu" /> (Virtual Advising Center - redirects to some page in aventeur)
   <target host="vcsaforms.ucsd.edu" /> (hit during TritonLink logout)
   <target host="webct.ucsd.edu" /> (redirector; check behavior when logged in vs. out)
   <target host="webctweb.ucsd.edu" /> (superseded by ted)
   <target host="www-no.ucsd.edu" /> (Network Operations, used by ResNet registration etc. not sure if https enforced.
                                      There are some links to www-ono.ucsd.edu too - Old Network Operations?)

   The following subdomains were added when the oec-vmweb03 cert was renewed: mas-admit wes www-mae www.mae 

   Does ucsd-csm.symplicity.com have any insecure redirectors pointing at it?

   TritonLink used to be called StudentLink according to https://sites.google.com/site/ucsdecegsc/information-for-new-students/tips-for-new-students
   This info is several years old and not worth worrying about.
-->
<!--
     Nonfunctional with known symptoms:
     - adminrecords (valid cert; shows non-Single-Sign-On login page which may only accept staff logins)
     - emerald      (self-signed, 401; https has different content for private use only)
                    Many other research-group sites probably behave similarly.
     - irps         (valid cert; redirects to Single Sign-On "An error occurred")
     HTTPS Finder test failures:
     abet alumni battlehate biology campusclimate ccl chancellor circuit coi cosmal courses dah diversity ethics extension facultyequity gcr ia iaccess insci14 invent www.jacobsschool
     muir ocga3 ogs pharmacy physicalsciences research scrippseducation www.sio som stage-chancellor stemcells stuartcollection studenthealth summersession sustain tritoncash ucsdnews universitycenters volunteer50
     www.ucsdbus.com (may be operated by a third party)
     www.ucsdtritons.com
     (extension has *some* login-based features which use https)

     There are undoubtedly several more domains that support https (due to "the campus CMS" covering them via wildcard)
     and many more that are nonfunctional.
-->
<!-- normally https only; protect against sslstripping -->
   <target host="a4.ucsd.edu" />
   <target host="acs-webmail.ucsd.edu" />
   <target host="altng.ucsd.edu" />
   <target host="aventeur.ucsd.edu" />
   <target host="cinfo.ucsd.edu" />
   <target host="facilities.ucsd.edu" />
   <target host="gradapply.ucsd.edu" />
   <target host="graduateapp.ucsd.edu" />
   <target host="jacobsstudent.ucsd.edu" />
   <target host="myucsdchart.ucsd.edu" />
   <target host="sdacs.ucsd.edu" />
   <target host="shs.ucsd.edu" />
   <target host="ted.ucsd.edu" />
   <target host="ucsdbkst.ucsd.edu" />
   <target host="ucsd-csm.symplicity.com" />
<!-- supports https but doesn't enforce it on all pages -->
   <!-- on oec-vmweb03.ucsd.edu
        Cert lists domains individually; rules not written for oec-vmweb03.ucsd.edu itself and ece-internal.ucsd.edu -->
   <target host="cs.ucsd.edu" />
   <target host="www.cs.ucsd.edu" />
   <target host="cse.ucsd.edu" />
   <target host="www.cse.ucsd.edu" />
   <target host="ece.ucsd.edu" />
   <target host="www.ece.ucsd.edu" />
   <target host="maeweb.ucsd.edu" />
   <target host="nanoengineering.ucsd.edu" />
   <target host="www.nanoengineering.ucsd.edu" />
   <target host="ne-web.ucsd.edu" />
   <target host="ne.ucsd.edu" />
   <target host="neweb.ucsd.edu" />
   <target host="se.ucsd.edu" />
   <target host="structures.ucsd.edu" />
   <target host="www.structures.ucsd.edu" />
   <target host="www-cs.ucsd.edu" />
   <target host="www-cse.ucsd.edu" />
   <target host="www-ne.ucsd.edu" />
   <target host="www-structures.ucsd.edu" />
   <!-- others
        the campus CMS has canonical names (www|cw-portal).dr-link.ucsd.edu (both point to same IP address)
        its cert contains a wildcard; TODO document which domains are actually hosted there -->
   <target host="ucsd.edu" />
   <target host="www.ucsd.edu" />
   <target host="a.ucsd.edu" />
   <target host="aba.ucsd.edu" />
   <target host="acms.ucsd.edu" />
   <target host="blink.ucsd.edu" />
   <target host="blog.ucsd.edu" /><!-- now redirects to WordPress.com blogs, but does its job correctly in https -->
   <target host="bookstore.ucsd.edu" />
   <target host="www.bookstore.ucsd.edu" />
   <target host="career.ucsd.edu" />
   <target host="cgs.ucsd.edu" />
   <target host="chd.ucsd.edu" />
   <target host="cwo.ucsd.edu" />
   <target host="disabilities.ucsd.edu" />
   <target host="friends.ucsd.edu" />
   <target host="giving.ucsd.edu" />
   <target host="hdh.ucsd.edu" />
   <target host="hds.ucsd.edu" />
   <target host="www.hds.ucsd.edu" />
   <target host="health.ucsd.edu" />
   <target host="iacuc.ucsd.edu" />
   <target host="ihouse.ucsd.edu" />
   <target host="iphone.ucsd.edu" />
   <target host="japan.ucsd.edu" />
   <target host="judaicstudies.ucsd.edu" />
   <target host="libraries.ucsd.edu" />
   <target host="marshall.ucsd.edu" />
   <target host="meded.ucsd.edu" />
   <target host="mobile.ucsd.edu" />
   <target host="ombuds.ucsd.edu" />
   <target host="parents.ucsd.edu" />
   <target host="preuss.ucsd.edu" />
   <target host="rady.ucsd.edu" />
   <target host="revelle.ucsd.edu" />
   <target host="roger.ucsd.edu" />
   <target host="roosevelt.ucsd.edu" />
   <target host="sciencestudies.ucsd.edu" />
   <target host="sixth.ucsd.edu" />
   <target host="socialsciences.ucsd.edu" />
   <target host="status.ucsd.edu" />
   <target host="students.ucsd.edu" />
   <target host="uxt.ucsd.edu" />
   <target host="warren.ucsd.edu" />
   <target host="yamhill.ucsd.edu" />
<!-- supports https incompletely and/or with functionality issues -->
   <target host="academicaffairs.ucsd.edu" />
      <!-- Modules/Evals/ and other Modules pages require login.
           In https, they are treated by Single Sign-On as business-only applications, preventing students from logging in.
           Shibboleth.sso is a POST request that Single Sign-On sends after verifying the login info, which breaks if the protocol is changed. -->
      <exclusion pattern="^http://academicaffairs\.ucsd\.edu/(Modules|Shibboleth\.sso)/" />
   <target host="act.ucsd.edu" />
   <target host="studenthealth.ucsd.edu" />
   <target host="www-act.ucsd.edu" />
<!-- alternate names and redirectors
     TODO: full Link Family list at blink.ucsd.edu/technology/help-desk/applications/link-family/list.html -->
   <target host="academicintegrity.ucsd.edu" />
   <target host="accesslink.ucsd.edu" />
   <target host="acs.ucsd.edu" />
   <target host="desktop.ucsd.edu" />
   <target host="emergency.ucsd.edu" />
   <target host="financiallink.ucsd.edu" />
   <target host="iwdc.ucsd.edu" />
   <target host="marketplace.ucsd.edu" />
   <target host="management.ucsd.edu" />
   <target host="mediaservices.ucsd.edu" />
   <target host="mytritonlink.ucsd.edu" />
   <target host="www.mytritonlink.ucsd.edu" />
   <target host="resnet.ucsd.edu" />
   <target host="software.ucsd.edu" />
   <target host="sysstaff.ucsd.edu" />
   <target host="tritonlink.ucsd.edu" />
   <target host="www.tritonlink.ucsd.edu" />
   <target host="uclearning.ucsd.edu" />
   <target host="webmail.ucsd.edu" />
   <target host="www-acs.ucsd.edu" />

<!-- a4 is the Single Sign-On system (login pages and some embedded scripts). It doesn't yet flag its cookies as https-only.
     acs-webmail uses at least two cookies, only one of which is normally flagged https-only. Additionally, it has cross-domain Google Analytics cookies
     (TODO: need to add targets if we actually want to match those).
-->
   <securecookie host="^(.*\.)?a(4|cs-webmail)\.ucsd\.edu$" name=".*" />

   <rule from="^http://a4\.ucsd\.edu/"               to="https://a4.ucsd.edu/" />
   <rule from="^http://(?:acs-)?webmail\.ucsd\.edu/" to="https://acs-webmail.ucsd.edu/" />
   <rule from="^http://altng\.ucsd\.edu/"            to="https://altng.ucsd.edu/" />
   <rule from="^http://aventeur\.ucsd\.edu/"         to="https://aventeur.ucsd.edu/" />
   <rule from="^http://cinfo\.ucsd\.edu/"            to="https://cinfo.ucsd.edu/" />
   <rule from="^http://facilities\.ucsd\.edu/"       to="https://facilities.ucsd.edu/" />
   <rule from="^http://gradapply\.ucsd\.edu/"        to="https://gradapply.ucsd.edu/" />
   <rule from="^http://graduateapp\.ucsd\.edu/"      to="https://graduateapp.ucsd.edu/" />
   <rule from="^http://jacobsstudent\.ucsd\.edu/"    to="https://jacobsstudent.ucsd.edu/" />
   <rule from="^http://myucsdchart\.ucsd\.edu/"      to="https://myucsdchart.ucsd.edu/" />
   <rule from="^http://sdacs\.ucsd\.edu/"            to="https://sdacs.ucsd.edu/" />
   <rule from="^http://shs\.ucsd\.edu/"              to="https://shs.ucsd.edu/" />
   <rule from="^http://ted\.ucsd\.edu/"              to="https://ted.ucsd.edu/" />
   <rule from="^http://ucsdbkst\.ucsd\.edu/"         to="https://ucsdbkst.ucsd.edu/" />
   <rule from="^http://ucsd-csm\.symplicity\.com/"   to="https://ucsd-csm.symplicity.com/" />

   <rule from="^http://(www\.)?ucsd\.edu/"                  to="https://$1ucsd.edu/" />
   <rule from="^http://a\.ucsd\.edu/"                       to="https://a.ucsd.edu/" />
   <rule from="^http://aba\.ucsd\.edu/"                     to="https://aba.ucsd.edu/" />
   <rule from="^http://acms\.ucsd\.edu/"                    to="https://acms.ucsd.edu/" />
   <rule from="^http://blink\.ucsd\.edu/"                   to="https://blink.ucsd.edu/" />
<!-- Blogs formerly hosted here now redirect as follows:
     acs/    to acmsblog.wordpress.com
     resnet/ to acmsresnet.wordpress.com -->
   <rule from="^http://blog\.ucsd\.edu/"                    to="https://blog.ucsd.edu/" />
<!-- Cert doesn't match www -->
   <rule from="^http://(?:www\.)?bookstore\.ucsd\.edu/"     to="https://bookstore.ucsd.edu/" />
   <rule from="^http://career\.ucsd\.edu/"                  to="https://career.ucsd.edu/" />
   <rule from="^http://cgs\.ucsd\.edu/"                     to="https://cgs.ucsd.edu/" />
   <rule from="^http://chd\.ucsd\.edu/"                     to="https://chd.ucsd.edu/" />
   <rule from="^http://(www[\-\.])?cs(e)?\.ucsd\.edu/"      to="https://$1cs$2.ucsd.edu/" />
   <rule from="^http://cwo\.ucsd\.edu/"                     to="https://cwo.ucsd.edu/" />
   <rule from="^http://disabilities\.ucsd\.edu/"            to="https://disabilities.ucsd.edu/" />
<!-- Same content on all ports/protocols handled here
     Various links from other departments' websites, old PDF files... specified port 16080.
     Some such links may now be broken (404) regardless of protocol, due to site design changes, which is not our problem -->
   <rule from="^http://(www\.)?ece\.ucsd\.edu(?::16080)?/"  to="https://$1ece.ucsd.edu/" />
   <rule from="^http://friends\.ucsd\.edu/"                 to="https://friends.ucsd.edu/" />
   <rule from="^http://giving\.ucsd\.edu/"                  to="https://giving.ucsd.edu/" />
<!-- - Cert matches www.hdh.ucsd.edu which doesn't exist
     - Doesn't match www.hds.ucsd.edu which does exist
     - All resolve to the same address and show the same content
       (Housing and Dining Services = Housing, Dining, and Hospitality) -->
   <rule from="^http://hdh\.ucsd\.edu/"                     to="https://hdh.ucsd.edu/" />
   <rule from="^http://(?:www\.)?hds\.ucsd\.edu/"           to="https://hds.ucsd.edu/" />
   <rule from="^http://health\.ucsd\.edu/"                  to="https://health.ucsd.edu/" />
   <rule from="^http://iacuc\.ucsd\.edu/"                   to="https://iacuc.ucsd.edu/" />
   <rule from="^http://ihouse\.ucsd\.edu/"                  to="https://ihouse.ucsd.edu/" />
   <rule from="^http://iphone\.ucsd\.edu/"                  to="https://iphone.ucsd.edu/" />
   <rule from="^http://japan\.ucsd\.edu/"                   to="https://japan.ucsd.edu/" />
   <rule from="^http://judaicstudies\.ucsd\.edu/"           to="https://judaicstudies.ucsd.edu/" />
   <rule from="^http://libraries\.ucsd\.edu/"               to="https://libraries.ucsd.edu/" />
   <rule from="^http://maeweb\.ucsd\.edu/"                  to="https://maeweb.ucsd.edu/" />
   <rule from="^http://marshall\.ucsd\.edu/"                to="https://marshall.ucsd.edu/" />
   <rule from="^http://meded\.ucsd\.edu/"                   to="https://meded.ucsd.edu/" />
   <rule from="^http://mobile\.ucsd\.edu/"                  to="https://mobile.ucsd.edu/" />
   <rule from="^http://(www\.)?nanoengineering\.ucsd\.edu/" to="https://$1nanoengineering.ucsd.edu/" />
   <rule from="^http://ne(-?web)?\.ucsd\.edu/"              to="https://ne$1.ucsd.edu/" />
   <rule from="^http://ombuds\.ucsd\.edu/"                  to="https://ombuds.ucsd.edu/" />
   <rule from="^http://parents\.ucsd\.edu/"                 to="https://parents.ucsd.edu/" />
   <rule from="^http://preuss\.ucsd\.edu/"                  to="https://preuss.ucsd.edu/" />
<!-- management doesn't match the cert but has same content as rady -->
   <rule from="^http://(?:management|rady)\.ucsd\.edu/"     to="https://rady.ucsd.edu/" />
   <rule from="^http://revelle\.ucsd\.edu/"                 to="https://revelle.ucsd.edu/" />
   <rule from="^http://roger\.ucsd\.edu/"                   to="https://roger.ucsd.edu/" />
   <rule from="^http://roosevelt\.ucsd\.edu/"               to="https://roosevelt.ucsd.edu/" />
   <rule from="^http://sciencestudies\.ucsd\.edu/"          to="https://sciencestudies.ucsd.edu/" />
   <rule from="^http://se\.ucsd\.edu/"                      to="https://se.ucsd.edu/" />
   <rule from="^http://sixth\.ucsd\.edu/"                   to="https://sixth.ucsd.edu/" />
   <rule from="^http://socialsciences\.ucsd\.edu/"          to="https://socialsciences.ucsd.edu/" />
   <rule from="^http://status\.ucsd\.edu/"                  to="https://status.ucsd.edu/" />
   <rule from="^http://(www[\-\.])?structures\.ucsd\.edu/"  to="https://$1structures.ucsd.edu/" />
   <rule from="^http://students\.ucsd\.edu/"                to="https://students.ucsd.edu/" />
<!-- Testing note: This probably has nothing useful at root level.
     It stores various css/js files used on students
-->
   <rule from="^http://uxt\.ucsd\.edu/"                     to="https://uxt.ucsd.edu/" />
   <rule from="^http://warren\.ucsd\.edu/"                  to="https://warren.ucsd.edu/" />
   <rule from="^http://www-ne\.ucsd\.edu/"                  to="https://www-ne.ucsd.edu/" />
<!-- Testing note: This probably has nothing useful at root level. It stores various files such as
     https://yamhill.ucsd.edu/TPS/PDFs/shuttle_route_map.pdf
     https://yamhill.ucsd.edu/TPS/shuttledrivers/index.html
     https://yamhill.ucsd.edu/imprints/forms/supplies.html     
-->
   <rule from="^http://yamhill\.ucsd\.edu/"                 to="https://yamhill.ucsd.edu/" />

   <rule from="^http://academicaffairs\.ucsd\.edu/"
           to="https://academicaffairs.ucsd.edu/" />
<!-- Most of studenthealth.ucsd.edu does not enforce https.
     The Ask-A-Question feature, located in the folder /secure/askaquestion/, does enforce https, and it requires login (via a4 page).
     XXX: Does this still use ipsCA? If so...
     This rule only protects against sslstripping. The cert error is NOT this rule's fault and would still occur without the rule.
-->
   <rule from="^http://studenthealth\.ucsd\.edu/secure/" 
           to="https://studenthealth.ucsd.edu/secure/" />
<!-- Link Family has migrated from www-act to act. Redirection exists. Many student features have CamelCased names like studentDirectDeposit -->
   <rule from="^http://(www-)?act\.ucsd\.edu/(bsl/home|cgi-bin/[A-Za-z]+link\.pl|classPlanner|marketplace-sso|mytritonlink/view|myTritonlink20|student[A-Z][A-Za-z]+/[A-Za-z]+|travellink/home)" 
           to="https://$1act.ucsd.edu/$2" />

<!-- Where applicable, err on the side of not breaking things, hoping that no subpages are used -->
   <rule from="^http://academicintegrity\.ucsd\.edu/?$"
           to="https://students.ucsd.edu/academics/academic-integrity/index.html" />
   <rule from="^http://emergency\.ucsd\.edu/?$"
           to="https://www.ucsd.edu/emergency/" />
<!-- Everything between this comment and the next one uses Single Sign-On login.
     Replace www-act with act in these? -->
   <rule from="^http://accesslink\.ucsd\.edu/" 
           to="https://altng.ucsd.edu/" />
   <rule from="^http://financiallink\.ucsd\.edu/?$"
           to="https://www-act.ucsd.edu/cgi-bin/financiallink.pl" />
   <rule from="^http://marketplace\.ucsd\.edu/?$"
           to="https://www-act.ucsd.edu/marketplace-sso/signon" />
   <rule from="^http://(?:www\.)?(?:my)?tritonlink\.ucsd\.edu/?$" 
           to="https://act.ucsd.edu/myTritonlink20/display.htm" />
   <rule from="^http://uclearning\.ucsd\.edu/" 
           to="https://a4.ucsd.edu/lms/" />
<!-- ACMS departments: Server redirects as so, aside from https.
     These have subpages; resnet has been tested fairly well, but software and maybe iwdc need more testing.
     Pages used to have file extension shtml; that currently redirects to html; also accept htm just to be safe -->
   <rule from="^http://(desktop|iwdc|resnet|software|sysstaff)\.ucsd\.edu/"
           to="https://acms.ucsd.edu/units/$1/" />
<!-- Previously located at acms.ucsd.edu/troublereport/, which now also redirects as so.
     That redirection works from either protocol and is already protected by previous rules -->
   <rule from="^http://(?:www-)?acs\.ucsd\.edu/troublereport(?:/(?:index\.s?html?)?)?$"
           to="https://a.ucsd.edu/troublereport/" />
   <rule from="^http://www-acs\.ucsd\.edu/(?:index\.s?html?)?$"
           to="https://acms.ucsd.edu/index.html" />
   <rule from="^http://www-acs\.ucsd\.edu/account-tools/oce-intro\.s?html?$"
           to="https://acms.ucsd.edu/students/oce-intro.html" />
   <rule from="^http://www-acs\.ucsd\.edu/instructional(?:/(?:index\.s?html?)?)?$"
           to="https://acms.ucsd.edu/students/" />
   <rule from="^http://mediaservices\.ucsd\.edu/(?:index\.s?html?)?$"
           to="https://acms.ucsd.edu/services/media-services-support/index.html" />
</ruleset>
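
The partial-coverage behaviour of the two attached rulesets, as an added example that is not part of the original post or of the HTTPS Everywhere code base: a simplified evaluator (exact-host targets, exclusions checked before rules, first rule that changes the URL wins) run over constructed test URLs to show which requests stay in cleartext. The function names and sample paths are assumptions; the rule and exclusion strings are copied from the attachments above.

```javascript
// Added example. Rule/exclusion strings are copied from the attachments;
// everything else (names, sample URLs) is constructed for illustration.
const RULESETS = [
  {
    name: "Caltech (partial)",
    targets: ["directory.caltech.edu"],
    exclusions: [],
    rules: [
      [String.raw`^http://directory\.caltech\.edu/departmental_directory`,
       "https://directory.caltech.edu/departmental_directory"],
      [String.raw`^http://directory\.caltech\.edu/(.+)\.(css|gif|ico|js)$`,
       "https://directory.caltech.edu/$1.$2"],
      [String.raw`^http://directory\.caltech\.edu/(EmergencyInfo|Telephone|Auditoriums|StudentHouses|CampusShuttle|Changes|Policy)\.html$`,
       "https://directory.caltech.edu/$1.html"],
    ],
  },
  {
    name: "UCSD",
    targets: ["academicaffairs.ucsd.edu", "act.ucsd.edu", "www-act.ucsd.edu"],
    exclusions: [
      String.raw`^http://academicaffairs\.ucsd\.edu/(Modules|Shibboleth\.sso)/`,
    ],
    rules: [
      [String.raw`^http://academicaffairs\.ucsd\.edu/`,
       "https://academicaffairs.ucsd.edu/"],
      [String.raw`^http://(www-)?act\.ucsd\.edu/(bsl/home|cgi-bin/[A-Za-z]+link\.pl|classPlanner|marketplace-sso|mytritonlink/view|myTritonlink20|student[A-Z][A-Za-z]+/[A-Za-z]+|travellink/home)`,
       "https://$1act.ucsd.edu/$2"],
    ],
  },
];

// Returns { url, reason } where reason is one of:
//   "rewritten" - a rule changed the URL
//   "excluded"  - an <exclusion> matched, so the ruleset was skipped
//   "no-rule"   - host is a <target> but no rule matched this path
//   "no-target" - host is not listed in any ruleset
function rewrite(url) {
  const host = new URL(url).hostname;
  let reason = "no-target";
  for (const rs of RULESETS) {
    if (!rs.targets.includes(host)) continue;
    if (rs.exclusions.some((p) => new RegExp(p).test(url))) {
      reason = "excluded";
      continue;
    }
    for (const [from, to] of rs.rules) {
      const out = url.replace(new RegExp(from), to);
      if (out !== url) return { url: out, reason: "rewritten" };
    }
    if (reason === "no-target") reason = "no-rule";
  }
  return { url, reason };
}

// Constructed test URLs covering each branch of the two rulesets.
const SAMPLES = [
  "http://directory.caltech.edu/",                          // homepage: left alone
  "http://directory.caltech.edu/Telephone.html",            // listed static page
  "http://directory.caltech.edu/images/logo.gif",           // static asset
  "http://directory.caltech.edu/cgi-bin/search?name=smith", // search: left alone
  // Edge case: (.+) also spans the query string, so a cgi-bin URL whose
  // query happens to end in .js is rewritten despite the stated intent.
  "http://directory.caltech.edu/cgi-bin/search?file=a.js",
  "http://academicaffairs.ucsd.edu/offices/",
  "http://academicaffairs.ucsd.edu/Modules/Evals/",         // SSO breakage
  "http://academicaffairs.ucsd.edu/Shibboleth.sso/SAML/POST",
  "http://www-act.ucsd.edu/cgi-bin/tritonlink.pl",
  "http://act.ucsd.edu/studentDirectDeposit/home",
  "http://act.ucsd.edu/other/page",                         // not in the allow-list
];

// URLs that still travel over plain HTTP after the rulesets are applied.
function cleartext(urls) {
  return urls.filter((u) => rewrite(u).reason !== "rewritten");
}

for (const u of SAMPLES) {
  const r = rewrite(u);
  console.log(r.reason.padEnd(10), u, r.reason === "rewritten" ? "-> " + r.url : "");
}
```

The URLs returned by `cleartext()` are the ones a ruleset tester should re-check whenever the site changes, since they remain exposed to sslstripping by design.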

