MaxMind DB must be HTTPS starting October

[vgstudios]

Dear MaxMind customer,

We’re writing because, between July 15 and August 14, we saw GeoIP download requests from your account that are not being sent with HTTPS (see details below). To improve our server infrastructure and allow for better performance and efficiency, MaxMind will begin requiring HTTPS for GeoIP download requests in March 2024. To help customers get ready for this change, we will have a planned, temporary enforcement of this policy on October 17, 2023.



What is the policy?

MaxMind will only accept GeoIP download requests sent with the more secure HTTPS protocol.



What do I need to do?

To ensure that you can continue to download GeoIP databases, please make the change(s) listed below prior to October 17, 2023. The policies will be permanently enforced in March 2024:



You sent 14 GeoIP database download queries to the endpoint http://download.maxmind.com/app/geoip_download. Note that these queries were sent without using the more secure HTTPS protocol. Update your integration to send these GeoIP database download queries to https://download.maxmind.com/app/geoip_download. Note that you should be using the more secure HTTPS protocol.









What if I need more help?

If you need more help or have additional questions, please contact us at support at maxmind.com.





What’s next?
We’ll send another email next month with updated information about requests we are seeing from your account, and a third email before the planned interruption. If we don’t see any GeoIP download requests that violate our policies, we’ll send you an email to let you know.



Thanks for your attention.



Sincerely,
The Team at MaxMind

Just wanted to bring this email I got from MaxMind to your attention. Sorry.

[babenito]

I got this email too.
I only use Maxmind for CSF, so I guess this is something that needs to be fixed by the CSF team, right?

[awebsite4u]

Me too.

As a temporary fix I changed http:// to https:// on lines 336 to 338 in /usr/local/csf/lib/ConfigServer/Config.pm and restarted both CSF and LFD.

Here's hoping a permanent change will be made by the CSF team.

[ForumAdmin]

As a temporary fix I changed http:// to https:// on lines 336 to 338 in /usr/local/csf/lib/ConfigServer/Config.pm and restarted both CSF and LFD.

We will release a new version that makes this same change in due course.

[Kent Brockman]

Very thanks. I will pin this topic to know when this is patched. Regards.

[marcele]

MaxMind will require https:// for all database downloads. Currently CSF uses unsecure http:// in Config.pm

Email sent from MaxMind:

Code: Select all

Dear MaxMind customer,

We’re writing because, between July 15 and August 14, we saw GeoIP download requests from your account that are not being sent with HTTPS (see details below). To improve our server infrastructure and allow for better performance and efficiency, MaxMind will begin requiring HTTPS for GeoIP download requests in March 2024. To help customers get ready for this change, we will have a planned, temporary enforcement of this policy on October 17, 2023.

What is the policy?

MaxMind will only accept GeoIP download requests sent with the more secure HTTPS protocol.

What do I need to do?
To ensure that you can continue to download GeoIP databases, please make the change(s) listed below prior to October 17, 2023. The policies will be permanently enforced in March 2024:

You sent 11 GeoIP database download queries to the endpoint http://download.maxmind.com/app/geoip_download. Note that these queries were sent without using the more secure HTTPS protocol. Update your integration to send these GeoIP database download queries to https://download.maxmind.com/app/geoip_download. Note that you should be using the more secure HTTPS protocol.

What’s next?
We won't be able to immediately confirm that the changes you have made are working. We’ll send another email next month with updated information about requests we are seeing from your account, and a third email before the planned interruption. If we don’t see any GeoIP download requests that violate our policies, we’ll send you an email to let you know that things look good on our end.

What if I need more help?
If you need more help or have additional questions, please contact us at support@maxmind.com.

Thanks for your attention.

Sincerely,
The Team at MaxMind

[alexf]

It also appears that in addition to the /usr/local/csf/lib/ConfigServer/Config.pm changes from http:// to https://; you will need to update your csf.blocklists file in the same way for the MaxMind entry.

[soldier_aci]

As a temporary fix I changed http:// to https:// on lines 336 to 338 in /usr/local/csf/lib/ConfigServer/Config.pm and restarted both CSF and LFD.

Thanks for running that down. I have made the change as well.

[attention]

I received this email today. It is a result of CSF still using http. Personally, I do not mind to use http, I believe https is not needed for retrieving a database with semi publicly info, but Maxmind is forcing us to do so.

Hi,
We’re still seeing outdated API requests from your account (ID nnnnnn) that are using an incorrect endpoint.
Going forward, we will only accept:
• API requests sent with the more secure HTTPS protocol.
• API requests sent to the appropriate hostname.
Click the links below to view a list of valid API hostnames for each service.
• minFraud web services
• GeoIP web services
• GeoIP and GeoLite database downloads

If you have questions or need help, just reply to this email.

P.S. We’re setting up a temporary enforcement of the new policies on October 17, 2023 between 14:00 and 15:00 UTC. If you make the required updates before that date, you’re good to go. If you’re not able to make the changes, you might experience a period where web service or database download requests fail.

When will this be build in? Before October 17?

[Sarah]

https://blog.configserver.com/?p=4022

Regards,
Sarah