Allow safe files on certain subdomains

[dfabulich]

Fixes #61

In #62, I wrote a PR to allow safe files on all subdomains, but @erkyrath pointed out the problem with that:

Safe files are redirected to the main domain because the main domain is CDNified (Cloudflare). The effect of this change is to move all the server load of media files -- the big ones -- from Cloudflare to Unbox.

Here, I've taken a different approach. Don't allow safe files on all subdomains, but just on a set of allow-listed subdomains (currently, just the only game that's triggering #61, but, in the future, we could add more.)

Every time we hit a bug like #61, we'd manually add the subdomain to the allow list. And then, we'd go to the Cloudflare admin tool and explicitly enable Cloudflare proxying for that subdomain.

I'm not anticipating that there would be very many of these. (We've only encountered one so far… I'd be surprised if we needed to do more than one a year for the next 10+ years.)

If we don't implement it this way, there is a one-line workaround possible by modifying the game code, described here: #61 (comment)

[dfabulich]

Unbox is now the only way to play Quest for the Teacup of Minor Sentimental Value online. I propose that we merge this PR.

[erkyrath]

I guess this is a good idea.

Except, the file got renamed. It is now /if-archive/games/competition2024/Games/Quest_for_the_Teacup_of_Minor_Sentimental_Value.zip with hash 2k788xeots.

(See https://ifarchive.org/indexes/if-archive/games/competition2024/ .)

I have added the DNS records for that subdomain with Cloudflare proxying on:

2k788xeots.unbox.ifarchive.org.	1	IN	A	45.79.186.4
2k788xeots.unbox.ifarchive.org.	1	IN	AAAA	2600:3c03::f03c:92ff:feb5:ca97

We can deploy this change to unbox (with the corrected hash). I suppose then we'll need to clear a bunch of Cloudflare cache entries, because the media files will have been cached as redirects by the time the unbox change goes live.

[dfabulich]

I've updated my PR to use the new subdomain. But note that the Cloudflare settings that @erkyrath added seems to have broken the page.

https://unbox.ifarchive.org/?url=/if-archive/games/competition2024/Games/Quest_for_the_Teacup_of_Minor_Sentimental_Value.zip

If you click the “Open www/index.html” button, it will take you to https://2k788xeots.unbox.ifarchive.org/2k788xeots/www/index.html? which displays an error for me in Chrome and Safari.

This site can’t provide a secure connection
2k788xeots.unbox.ifarchive.org uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

% curl -v https://2k788xeots.unbox.ifarchive.org/2k788xeots/www/index.html
* Host 2k788xeots.unbox.ifarchive.org:443 was resolved.
* IPv6: (none)
* IPv4: 104.26.15.138, 104.26.14.138, 172.67.71.177
*   Trying 104.26.15.138:443...
* Connected to 2k788xeots.unbox.ifarchive.org (104.26.15.138) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure

[dfabulich]

@erkyrath explained:

Yeah, it can't work until the unbox change is deployed
But it didn't work before, so I figured I'd do it

So, uh, let's deploy this!

[curiousdannii]

The nginx cache will likely also need to be cleared.

[dfabulich]

Sounds like we should merge #65, too!

[dfabulich]

Damon posted on intfiction asking about this. https://intfiction.org/t/issue-with-ifcomp-game-on-ifdb-lf-archive/72317 Can we deploy this?