Hi All,

I started doing something about the outdated kylheku.com server,
running an old Debian version that is basically not upgradable,
preventing the use of newer TLS ciphers that modern browsers are
starting to require, and the issuance of a SSL certificate signed
by an authority like letsencrypt.  One problem on the old server
is that the /client/ side software, like curl, is outdated.
You can't do basic things like clone someone's git repo, or
fetch a shell script over https; nothing wants to talk to you.
Running even the simplest available script for maintaining a SSL
certificate, like bacme, turned out to be intractable.

There is now a new transitional server (running as a VirtualBox
VM for now). Ports 80 and 443 now go to this server.

So far, I migrated all the git repositories to it, as well as cgit,
with all the custom syntax highlighting. Those are things important
to TXR users.

The server has a new SSL certificate from letsencrypt, maintained
by certbot, with up-to-date TLS cipher support. So you no longer
have to accept the self-signed certificate or do anything else
in your browser, like allow old TLS ciphers.

For the rest of the site, I'm using Apache's reverse proxying
to redirect to the old server. This is nice because
it allows for a gradual migration of various pages/features one by one.
(There is quite a bit of cruft, not connected to this project,
and not all of it web.)

Because a reverse proxy terminates incoming HTTPS connections
(for obvious reasons), the proxied parts of the website appear
to be using modern SSL, using the letsencrypt cert.

I'm doing everything carefully with git. All my config changes
to /etc and /usr/share and whatnot are in a master branch;
which tracks a branch called debian that has the clean distro.
That will let me upgrade the distro by switching to that branch (so all
custom configuration disappears), upgrading, committing the
new distro materials, and then rebasing my configuration master
branch over that.

Cheers ...