ElkArte Community

Project Support => Support => Topic started by: niloc on September 09, 2016, 05:44:16 am

Title: HTTPS for Elkarte?
Post by: niloc on September 09, 2016, 05:44:16 am
This article started me thinking:
https://techcrunch.com/2016/09/08/chrome-is-helping-kill-http/

Is HTTPS really needed for Elkarte? Are we encouraged to do it?
Also, if we do use it, does it affect the installation paths etc?

What do you guys think?
Title: Re: HTTPS for Elkarte?
Post by: meetdilip on September 09, 2016, 07:33:57 am
I guess, irrespective of your software, you should go for SSL, because Google values it.
Title: Re: HTTPS for Elkarte?
Post by: Spuds on September 09, 2016, 07:39:14 am
If you are on your own hosting, where you can install a signed certificate, or your shared hosting provides one, then there are a few things to keep in mind / update.

First you really want a signed certificate, not a self-signed one (the type you can easily create on your server). A self-signed one I think will make the browser show a warning that the site may not be secure, which will turn people away (even though the connection is in fact more secure than without it).

You can use https://www.startssl.com or https://letsencrypt.org for "free" SSL certs, I prefer Let's Encrypt fwiw.

Once you have done that, you will need to set secure cookies in the ACP, then update your theme / site URLs to use https in the ACP. All site JS/CSS/images etc. need to be over https.

Next search your db for http://yoursite and replace them with https://yoursite, else existing pages will force the browser to show the insecure content warning.

Image proxy, I know @emanuele started on one of these; what it does is proxy images that people post so they are served from your site. It's a proxy / cache where it temporarily copies http images to the local host / proxy, where they can be served securely from your https domain.

I'm sure there is more, but that's what comes to mind. Does make me think we should have an "easy" ACP setting, at least such that the theme stuff is taken care of automatically.
Title: Re: HTTPS for Elkarte?
Post by: emanuele on September 09, 2016, 03:05:35 pm
I wrote something similar to what Spuds said, but I forgot to post it and Spuds ninja'ed me. :P

Quote from: Spuds – I'm sure there is more, but that's what comes to mind. Does make me think we should have an "easy" ACP setting, at least such that the theme stuff is taken care of automatically.
That would be pretty nice I guess! :D

Quote from: meetdilip – I guess, irrespective of your software, you should go for SSL. Because Google values it.
Wrong answer.
You should not do things to please google, you should do things to please your users.

That said, yes, https is a thing that is likely a good thing (basically pointless if you don't have any private-ish interaction with your users, i.e. if you don't have login info).
I guess we have to think about (at some point) implementing it here as well...

BTW:
Quote: The warning will appear in the address bar of the browser and will call users’ attention to the fact that their personal information could be snooped or stolen.
Isn't that what IE has done as well since... a long time ago?[1]
[1] Yes, obviously the "don't show this message again" box is ticked as soon as it appears the first time you use it, but that's another story. :P
Title: Re: HTTPS for Elkarte?
Post by: Adrek on September 09, 2016, 04:29:56 pm
There is one downside that I recently had to deal with.

If for some reason you decide to drop SSL, all URLs to your site posted on other forums will be dead. Maybe there is some way to force Google to redirect them but I couldn't do it. Redirection in .htaccess isn't going to work because it needs to have a valid cert.

Anyway, it wasn't a big deal for me because I used it only for tests :)
Title: Re: HTTPS for Elkarte?
Post by: kucing on September 09, 2016, 05:02:06 pm
Be careful with HSTS: once it's activated you can't go back to plain HTTP. I got bitten by this once and that's why I'm using HTTPS.
Title: Re: HTTPS for Elkarte?
Post by: niloc on September 09, 2016, 08:44:16 pm
Wow much info. Thanks guys! :) Will try it out......... some how.. :O from the guide Spuds gave..
Title: Re: HTTPS for Elkarte?
Post by: ahrasis on September 09, 2016, 11:10:45 pm
WoSign also has a free SSL cert for up to two years, renewable too. You can find it here: https://www.wosign.com/english/freessl.htm
Currently, I am using WoSign (for site) and StartSSL (for server) and they are good.

I tried to use Let's Encrypt but failed miserably, maybe because I tried to use it from the ISPConfig 3.1 (beta) panel. Anyway, to note, Let's Encrypt has to be renewed every 3 months or so, so you need to set a cron job to update it every three months.

A further note: your site will also be prompted with an SSL warning, especially on pages where you allow users to have an outside avatar or picture. The only way to avoid this will be to upload all avatars and pictures to your site, which will definitely cost you more space.[1]
I think I have another question for support now but I'll open a new feature thread for that.
Title: Re: HTTPS for Elkarte?
Post by: Spuds on September 10, 2016, 06:41:08 am
Good point on Let's Encrypt ... it does require more frequent certificate updates than others (a cron job will work). Really it's a choice: SSL is better than nothing but it's certainly not infallible, a number of exploits have exposed weaknesses. Changing the certificate keys is a good practice for best security. That said, for a forum you probably don't need that level.

External avatars .. indeed had not thought of those. Don't know if the proxy @emanuele worked on takes care of those as well.
Title: Re: HTTPS for Elkarte?
Post by: emanuele on September 10, 2016, 07:15:29 am
Good question, I don't remember either. xD

ETA: nope, it's just for the img BBC tag:
http://www.elkarte.net/community/index.php?topic=1791.0
Title: Re: HTTPS for Elkarte?
Post by: badmonkey on September 10, 2016, 01:27:49 pm
There are performance considerations attached as well. Some claim it isn't so. However, my experiences backed it up. Theory says this or that, but the bottom line is there are more handshakes occurring. And it involves handshakes outside your own hosting. So.... connection establishment time triples off the bat. Not that I know much about it at all. It was noticeably slower to me. Users noticed it as well. It was especially noticeable on mobile devices.

I returned my sites to non HTTPS without issue.
Title: Re: HTTPS for Elkarte?
Post by: Keiro on October 20, 2016, 02:57:18 am
I would NOT recommend WoSign or StartSSL. Why? sauce 1 (http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/) and sauce 2 (http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/).
Title: Re: HTTPS for Elkarte?
Post by: kucing on October 20, 2016, 07:30:19 am
Yeah, now WoSign is not accepting new certificate requests, for good reason, but the old ones are still functioning well. I'm using Let's Encrypt and Cloudflare for most.

@Keiro, your second and third links in your signature are incorrect; there is an additional http in the URL.
Title: Re: HTTPS for Elkarte?
Post by: Keiro on October 20, 2016, 08:29:36 am
Quote from: kucing – Yeah, now WoSign is not accepting new certificate requests, for good reason, but the old ones are still functioning well. I'm using Let's Encrypt and Cloudflare for most.

@Keiro, your second and third links in your signature are incorrect; there is an additional http in the URL.

Damn, I thought I'd gotten those. Fixed, thanks for the heads-up.

WoSign and StartSSL... yeah, they shouldn't be used any longer. If you're using them, I would suggest switching to Let's Encrypt ASAP.
Title: Re: HTTPS for Elkarte?
Post by: war59312 on November 13, 2016, 12:11:10 pm
Yes, all websites should be https.

Soon (relative) all (99.999999999%) browsers will drop (by default) support for http. ;)

First come the warnings though for a long time (relative, could be a few years or decades).

PS: Wonder why "Force cookies to be secure" is grayed out on new install. Odd. https is working fine.
Title: Re: HTTPS for Elkarte?
Post by: b4pjoe on January 21, 2017, 10:30:51 am
Quote from: Spuds – If you are on your own hosting, where you can install a signed certificate, or your shared hosting provides one, then there are a few things to keep in mind / update.

First you really want a signed certificate, not a self-signed one (the type you can easily create on your server). A self-signed one I think will make the browser show a warning that the site may not be secure, which will turn people away (even though the connection is in fact more secure than without it).

You can use https://www.startssl.com or https://letsencrypt.org for "free" SSL certs, I prefer Let's Encrypt fwiw.

Once you have done that, you will need to set secure cookies in the ACP, then update your theme / site URLs to use https in the ACP. All site JS/CSS/images etc. need to be over https.

Next search your db for http://yoursite and replace them with https://yoursite, else existing pages will force the browser to show the insecure content warning.

Image proxy, I know @emanuele started on one of these; what it does is proxy images that people post so they are served from your site. It's a proxy / cache where it temporarily copies http images to the local host / proxy, where they can be served securely from your https domain.

I'm sure there is more, but that's what comes to mind. Does make me think we should have an "easy" ACP setting, at least such that the theme stuff is taken care of automatically.


I got two warning emails from Google yesterday as shown below about my site not using https://

I have gotten the certs from Let's Encrypt but my site looks all funky, I assume because I haven't yet updated my theme / site URLs. I notice that after getting the certs my site is still accessible via both http:// and https:// (with the aforementioned funky display on https://). If I change my theme / site URLs all to https:// as you have suggested, I assume the funky display will then be on the http:// URLs, of which Google has many, so anyone directed there via the old http:// URLs will see the funky display. If I get the site to display properly with https://, would it be as simple as creating a redirect in my hosting to redirect http://www.mydomain.com to https://www.mydomain.com?
Title: Re: HTTPS for Elkarte?
Post by: Spuds on January 21, 2017, 10:52:25 am
Quote: If I get the site to display properly with https://, would it be as simple as creating a redirect in my hosting to redirect http://www.mydomain.com to https://www.mydomain.com?
It should be that simple, yes. If you are using Apache it should be along the lines of adding the following to your .htaccess
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Title: Re: HTTPS for Elkarte?
Post by: Spuds on January 21, 2017, 10:55:57 am
I see that Apache (http://httpd.apache.org/docs/current/rewrite/avoid.html#redirect) now recommends doing it this way instead of the RewriteRule if you have access to the server configuration (which you should):
Quote: In the case of the http-to-https redirection, the use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    # ... SSL configuration goes here
</VirtualHost>

Title: Re: HTTPS for Elkarte?
Post by: b4pjoe on January 21, 2017, 11:30:41 am
Quote from: Spuds – Next search your db for http://yoursite and replace them with https://yoursite, else existing pages will force the browser to show the insecure content warning.

Would you happen to know the easy way to do this? I assume that would be some type of SQL query but I am not a database person.
Title: Re: HTTPS for Elkarte?
Post by: Spuds on January 21, 2017, 01:26:08 pm
I'll start with ... be sure to back up your database before you do this. You can't say I didn't tell you. ;)

After you have all your settings (avatars, attachments, theme, directories etc. etc.) updated and correct. You can check with the repair settings tool as well. Some things you cannot search and replace as they are stored in serialized arrays, and if you change them they will break. So that's why you need to get the site running properly first.

Run the empty unimportant logs function from maintenance.

Now updating .. this is not necessarily how I would do things, but it should fix most of the headaches with the changeover. Assuming you have phpMyAdmin or Adminer, open the db and run each of the following (obviously use your site name, and this assumes your tables are prefixed with elkarte). Not tested of course, but should work.
Code:
UPDATE elkarte_messages SET body = replace(body, "http://www.yoursite.com", "https://www.yoursite.com");

UPDATE elkarte_personal_messages SET body = replace(body, "http://www.yoursite.com", "https://www.yoursite.com");

UPDATE elkarte_user_drafts SET body = replace(body, "http://www.yoursite.com", "https://www.yoursite.com");

UPDATE elkarte_members SET website_url = replace(website_url, "http://www.yoursite.com", "https://www.yoursite.com");

UPDATE elkarte_members SET signature = replace(signature, "http://www.yoursite.com", "https://www.yoursite.com");

There may be some other areas to target, but that should be the bulk of the trouble. I'm not sure what to do about the sessions table, I'd probably just empty it so things start off fresh.
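As an added illustration of the serialized-array caveat in the post above (this is not code from the thread or from ElkArte): a small Python script that does the same http to https replacement twice, once as the plain replace the UPDATE statements perform, and once in a form that keeps PHP serialize() length prefixes valid. The site name and the serialized setting value are constructed placeholders.

```python
import re

# Constructed placeholders, as in the UPDATE statements above: not a real site.
OLD = "http://www.yoursite.com"
NEW = "https://www.yoursite.com"

# A plain-text column (e.g. elkarte_messages.body): a straight replace is safe.
MESSAGE_BODY = "See [url=http://www.yoursite.com/index.php?topic=1.0]this topic[/url]"

# A PHP serialize()d value of the kind some settings hold (constructed sample).
# Every string token carries its byte length: s:23:"http://www.yoursite.com";
SERIALIZED_SETTING = (
    'a:2:{s:8:"site_url";s:23:"http://www.yoursite.com";'
    's:5:"theme";s:38:"http://www.yoursite.com/themes/default";}'
)

_STRING_TOKEN = re.compile(rb's:(\d+):"')


def _string_tokens(data: bytes):
    """Yield (token_start, body_start, body_end) for each s:N:"..."; token,
    checking that the declared byte length really ends at the closing quote.
    Raises ValueError when a length prefix no longer matches its string."""
    pos = 0
    while (m := _STRING_TOKEN.search(data, pos)) is not None:
        body_start = m.end()
        body_end = body_start + int(m.group(1))
        if data[body_end:body_end + 2] != b'";':
            raise ValueError(f"length prefix at offset {m.start()} does not match")
        yield m.start(), body_start, body_end
        pos = body_end + 2


def is_valid_serialized(value: str) -> bool:
    """True when every string length prefix matches, which PHP unserialize() needs."""
    try:
        for _ in _string_tokens(value.encode("utf-8")):
            pass
        return True
    except ValueError:
        return False


def plain_replace(value: str, old: str = OLD, new: str = NEW) -> str:
    """Equivalent of SQL replace(col, old, new): fine for plain text columns."""
    return value.replace(old, new)


def serialized_replace(value: str, old: str = OLD, new: str = NEW) -> str:
    """Replace inside each serialized string and rewrite its s:N: length prefix."""
    data = value.encode("utf-8")
    out, pos = bytearray(), 0
    for tok_start, body_start, body_end in _string_tokens(data):
        body = data[body_start:body_end].replace(old.encode(), new.encode())
        out += data[pos:tok_start] + b's:%d:"' % len(body) + body + b'";'
        pos = body_end + 2
    out += data[pos:]
    return bytes(out).decode("utf-8")


if __name__ == "__main__":
    broken = plain_replace(SERIALIZED_SETTING)   # what the UPDATE would do to it
    print("plain replace keeps prefixes valid:", is_valid_serialized(broken))  # False
    print(serialized_replace(SERIALIZED_SETTING))
```

Running it shows the plain replace leaves the old 23-byte prefixes in front of 24-byte strings, which is exactly the breakage the post warns about.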

Title: Re: HTTPS for Elkarte?
Post by: b4pjoe on January 21, 2017, 03:12:54 pm
Thanks for your help Spuds. I've got that all done now (except what you said about the sessions table) but still getting the insecure warning. I have a feeling it has to do with what you said here: "Image proxy, I know @emanuele started on one of these; what it does is proxy images that people post so they are served from your site. It's a proxy / cache where it temporarily copies http images to the local host / proxy, where they can be served securely from your https domain."

If I install the addon that emanuele posted (Image caching v0.1.0) here (http://www.elkarte.net/community/index.php?topic=1791.0) will it cache the images that have been posted previously or will it only cache the ones posted after installing the addon?
Title: Re: HTTPS for Elkarte?
Post by: b4pjoe on January 21, 2017, 03:14:37 pm
Oh and is there a downside or any danger if I empty the sessions table? There are 62 pages of rows listed in phpMyAdmin on the sessions table.
Title: Re: HTTPS for Elkarte?
Post by: Spuds on January 21, 2017, 04:19:08 pm
I just went to your site, looks like you are almost there  :)

Going to the login page gives me the secure site icon so that's all set.

Going to the main page there are (2) mixed content errors:
http://media.giphy.com/media/a69VzlsvTZxq8/giphy.gif and
http://i220.photobucket.com/albums/dd148/davidma_01/monkey_pirate_by_zaratus_zpszdt7kosg.jpg
Which I suspect are external avatars. You should be able to go to those users' profiles and change the links to https, as both of those sites support that AFAIK.

I think all that would happen with sessions is that members who were logged in "forever or some length of time" would be logged out on their next visit and have to log back in.  @emanuele may be able to provide some thoughts here as well.
Title: Re: HTTPS for Elkarte?
Post by: b4pjoe on January 21, 2017, 04:35:57 pm
Thanks. I changed both of those to https but the photobucket one keeps using http so I uploaded it to my site and assigned it from there. I still get the insecure warning on the front page though. How did you find the mixed content errors?

Edit: Found another external http avatar and now the front page shows as secure. Is there a way to force people to only use https external avatars or would I just have to turn off the use of external avatars altogether?
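On the question of how to find the mixed content errors: as an added example (not code from the thread or from ElkArte), a stdlib-only Python scanner that reads a saved copy of a page and lists every sub-resource loaded over plain http://, including CSS url() references inside <style> blocks and style attributes, which is where an http avatar can also hide. The sample page and its hosts are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (placeholder hosts): one https stylesheet, one http avatar
# served via <style>, one http <img>, a protocol-relative script and a plain http link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://forum.example/themes/default/css/index.css">
<style>
.i-account:before { background-image: url("http://forum.example/index.php?action=dlattach;attach=1;type=avatar"); }
</style></head><body>
<img src="https://forum.example/avatars/ok.png" alt="ok">
<img src="http://img.example/avatars/user1.gif" alt="external avatar">
<script src="//cdn.example/lib.js"></script>
<a href="http://other.example/thread">a link: navigation, not mixed content</a>
<div style="background: url('http://img.example/bg.jpg')"></div>
</body></html>"""

# Matches the URL inside CSS url(...), quoted or not.
CSS_URL = re.compile(r"url\(\s*[\"']?([^\"')]+)[\"']?\s*\)")

# Elements whose src the browser fetches while rendering the page.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "video": "src"}


class MixedContentFinder(HTMLParser):
    """Collects sub-resources fetched over http:// on an https page: img/script/
    iframe/video src, stylesheet href and CSS url(). Anchor hrefs are ignored."""

    def __init__(self):
        super().__init__()
        self.insecure = []      # list of (where, url)
        self._in_style = False

    def _check(self, url, where):
        if url.strip().lower().startswith("http://"):
            self.insecure.append((where, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src_attr = RESOURCE_ATTRS.get(tag)
        if src_attr and a.get(src_attr):
            self._check(a[src_attr], f"<{tag} {src_attr}>")
        if tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            self._check(a["href"], "<link href>")
        if a.get("style"):
            for url in CSS_URL.findall(a["style"]):
                self._check(url, f"<{tag} style>")
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:      # <style> content arrives here as raw text
            for url in CSS_URL.findall(data):
                self._check(url, "<style> url()")


def find_mixed_content(html: str):
    """Return [(where, url), ...] for every http:// sub-resource in the page."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.insecure
```

Point it at the HTML of your front page (e.g. the browser's "view source" saved to a file) and the three http:// entries in the sample correspond to the kind of external avatar and CSS background that trigger the browser warning.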
Title: Re: HTTPS for Elkarte?
Post by: Spuds on January 21, 2017, 05:54:00 pm
The easiest thing to do would be to enable "Download avatar at given URL" under your External avatars area. Then when someone enters a URL to an external avatar, the site will download it and serve it (over https) just as if someone had uploaded it.

Looking at the code a bit I think we need to make a few adjustments for 0.10 so avatars are more respectful of an https only site.
Title: Re: HTTPS for Elkarte?
Post by: b4pjoe on January 22, 2017, 12:03:56 am
Another issue is in signatures. Setting the amount of images allowed to zero = no limit on the amount of images. I can see no way to disallow images in signatures. Other than to disable signatures.
Title: Re: HTTPS for Elkarte?
Post by: emanuele on January 22, 2017, 08:09:37 am
You should be able to disable the "img" tag in signatures, no?
In "Enabled BBC tags" you remove the tick from img.
Title: Re: HTTPS for Elkarte?
Post by: b4pjoe on January 22, 2017, 10:46:39 am
Oh...missed that setting. I guess I can disable images in sigs.

It seems there is not a good option for making a forum a fully secure website without disallowing users from using images in sigs, having external avatars, or posting images from external sources. Even having the images copied to your own server, while it would work, will eat up a lot of disk space over time.

emanuele, I tried installing your Images cache add-on but afterwards I could not get images from a secure site like Img Safe (https://imgsafe.org) to show up on my site. Removed the add-on and the images display fine. Also when the add-on was installed I could not display images from any subfolder in my site. For example I created a folder named misc_images and when I tried to link to an image in that folder it would not display. Once again, uninstalled the add-on and images work from that folder.
Title: Re: HTTPS for Elkarte?
Post by: emanuele on January 22, 2017, 10:58:36 am
Interesting, I guess I screwed something up in the addon... If I have time I'll check it. :)
Title: Re: HTTPS for Elkarte?
Post by: Spuds on January 22, 2017, 12:35:53 pm
If you have time look at the work I did for 1.1, I think those should be backported to the 1.0 addon O:-)
Title: Re: HTTPS for Elkarte?
Post by: Jorin on January 23, 2017, 12:54:49 am
Quote from: emanuele – You should be able to disable the "img" tag in signatures, no?
In "Enabled BBC tags" you remove the tick from img.

Would that not disallow the IMG tag on the whole forum?
Title: Re: HTTPS for Elkarte?
Post by: radu81 on January 23, 2017, 02:45:01 am
You need to go into Admin > Configuration > Features and Options > Signatures and there you have the possibility to disable the bbcodes for signatures
Title: Re: HTTPS for Elkarte?
Post by: Jorin on January 23, 2017, 04:13:13 am
Thanks!
Title: Re: HTTPS for Elkarte?
Post by: gevv on November 25, 2018, 07:03:21 am
Hello to everyone,

All settings done, my forum is changed from http to https.

The only problem: the top menu avatar URL is not https.

I checked all of them: avatar settings, themes, MySQL etc.

I could not solve the problem.

Page source view:
Code:
<style>
.i-account:before {
content: "";
background-image: url("http://mysite.com/index.php?action=dlattach;attach=9906;type=avatar");
}

.avatarresize {
max-width:150px;
max-height:150px;
}

.wrapper {width: 95%;}
</style>
Title: Re: HTTPS for Elkarte?
Post by: Spuds on November 25, 2018, 08:32:57 am
That looks like it would be a user who added an avatar with "Specify avatar by URL" under forum profile. You would have to edit that user's entry.

In Admin -> Avatar Settings  ...  External avatars,  you allow external links for avatars and have checked the download avatar at given URL.  If you had this set this way before the change to https, then the system would have downloaded the avatar and saved it under the old http scheme in the users profile.
Title: Re: HTTPS for Elkarte?
Post by: radu81 on November 25, 2018, 10:14:11 am
I agree with Spuds, I had the same problem and I corrected all avatars manually. The easiest way to find those avatars is to use the memberlist: if one avatar is loading from http you will not see the green lock in your browser.
Title: Re: HTTPS for Elkarte?
Post by: gevv on November 25, 2018, 10:21:12 am
I always use the same setting:

Upload and resize (requires GD or ImageMagick module), Download avatar at given URL

All user avatars are on my server.

Profile page, view avatar URL:

Code:
https://mysite.com/index.php?action=dlattach;attach=9906;type=avatar&time=1543156830

Top menu avatar URL (CSS class):

Code:
http://mysite.com/index.php?action=dlattach;attach=9906;type=avatar

Edit: deleted and re-uploaded the avatar, the problem continues.
Title: Re: HTTPS for Elkarte?
Post by: gevv on November 25, 2018, 12:10:51 pm
A strange problem:

Admin / Server Settings / Board URL: "https:" ok.

Settings.php board URL: "http".

Edited Settings.php, problem solved.

thanks everyone