After many years of jrock.us being served over HTTPS, I finally remembered to enable HTTP Strict Transport Security. There was never any reason not to – all traffic to any website or app at jrock.us goes through my reverse proxy, and it’s served with a wildcard *.jrock.us certificate. If it doesn’t go through my reverse proxy, that’s a bug, and should be fixed. Several days after making this change, I closed my Gmail tab, and typed mail.
Like many people, I use cert-manager to automatically renew my website’s TLS certificates with Let’s Encrypt. Unlike many people, I don’t use an Ingress controller to get traffic into my cluster, I just have a few instances of Envoy that terminate TLS and route traffic to the appropriate backend. Cert-manager handles the mechanics of certificate renewal very efficiently; it runs a controller loop that checks all my Certificate objects for expiration, and when a certificate is close to expiring, it goes out and renews it.
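For readers who haven’t seen one, here is what a Certificate object for the setup described above looks like. This is an added illustration, not a manifest from this site’s configuration: the namespace, the ClusterIssuer name, and the Secret name are assumptions, and the issuer is assumed to be a Let’s Encrypt ClusterIssuer configured for DNS-01, which is the only challenge type that can issue a wildcard.

```yaml
# Added example, not the author's actual manifest. Names are placeholders.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-jrock-us          # assumed name
  namespace: envoy                 # assumed namespace where Envoy reads the Secret
spec:
  # cert-manager writes tls.crt/tls.key into this Secret; Envoy terminates TLS with it.
  secretName: wildcard-jrock-us-tls
  dnsNames:
    - "jrock.us"
    - "*.jrock.us"                 # wildcard: requires a DNS-01 issuer
  # Let's Encrypt issues 90-day certificates. cert-manager's controller loop
  # compares notAfter against renewBefore and renews once the window is entered;
  # if renewBefore is omitted it defaults to 1/3 of the certificate's duration.
  duration: 2160h                  # 90 days
  renewBefore: 720h                # 30 days before expiry
  privateKey:
    rotationPolicy: Always         # fresh key on every renewal
  issuerRef:
    name: letsencrypt-dns01        # assumed ClusterIssuer using a DNS-01 solver
    kind: ClusterIssuer
```

Once applied, `kubectl get certificate -n envoy` shows whether the object is READY, and `kubectl get certificate -n envoy wildcard-jrock-us -o jsonpath='{.status.renewalTime}'` prints the time at which the controller loop will next attempt renewal, which is the value to compare against the expiry in the served certificate when something looks stale.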