Topic: HTTPS for Elkarte?

Re: HTTPS for Elkarte?

Reply #15

Quote from: Spuds – If you are on your own hosting, where you can install a signed certificate, or your shared hosting provides one then there are a few things to keep in mind / update.

First you really want a signed certificate, not a self-signed one (the type you can easily create on your server). A self-signed one I think will make the browser show a warning that the site may not be secure, which will turn people away (even though the connection is in fact more secure than without it).

You can use https://www.startssl.com or https://letsencrypt.org for "free" ssl certs, I prefer Lets Encrypt fwiw.

Once you have done that, you will need to set secure cookies in the ACP, then update your theme / site urls to use https in the ACP.  All site JS/CSS/Images etc need to be over https.

Next search your db for http://yoursite and replace them with https://yoursite, else existing pages will force the browser to show the insecure content warning.

Image proxy, I know @emanuele started on one of these, what it does is proxy images that people post to be served from your site.  It's a proxy / cache where it temporarily copies http images to the local host / proxy where they can be served securely from your https domain.

I'm sure there is more, but that's what comes to mind.  Does make me think we should have an "easy" ACP setting, at least such that the theme stuff is taken care of automatically.


I got two warning emails from Google yesterday as shown below about my site not using https://

I have gotten the certs from Lets Encrypt but my site looks all funky I assume because I haven't yet updated my theme / site urls. I notice after getting the certs my site is still accessible via both http:// and https:// (the aforementioned funkiness display of https://). If I change my theme / site urls all to https:// as you have suggested I assume the funky display will then be on http:// url's of which Google has many so anyone directed there via the old http:// url's will see the funky display. If I get the site to display properly with https:// would it be as simple as creating a redirect in my hosting to redirect http://www.mydomain.com to https://www.mydomain.com?

Re: HTTPS for Elkarte?

Reply #16

Quote: If I get the site to display properly with https:// would it be as simple as creating a redirect in my hosting to redirect http://www.mydomain.com to https://www.mydomain.com?
It should be that simple, yes.  If you are using Apache it should be along the lines of adding the following to your .htaccess:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Re: HTTPS for Elkarte?

Reply #17

I see that Apache now recommends doing it this way instead of the redirect if you have access (which you should):
Quote: In the case of the http-to-https redirection, the use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead.
Code:
<VirtualHost *:80>
    ServerName www.example.com
    Redirect "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    # ... SSL configuration goes here
</VirtualHost>


Re: HTTPS for Elkarte?

Reply #18

Quote from: Spuds – Next search your db for http://yoursite and replace them with https://yoursite, else existing pages will force the browser to show the insecure content warning.

Would you happen to know the easy way to do this? I assume that would by some type of SQL query but I am not a database person.

Re: HTTPS for Elkarte?

Reply #19

I'll start with  ....... be sure to back up your database before you do this. You can’t say I didn’t tell you.  ;)

After you have all your settings correct, avatars, attachments, theme, directories etc etc .. updated.  You can check with the repair settings tool as well. Some things you cannot search and replace as they are stored in serialized arrays, and if you change them they will break.  So that's why you need to get the site running proper first.

Run the empty unimportant logs function from maintenance.

Now updating ..  this is not necessarily how I would do things, but it should fix most of the headaches with the change over.  Assuming you have phpMyAdmin or Adminer then open the db and run each of the following (obviously use your site name and assuming your tables are prefixed with elkarte).  Not tested of course but should work.
Code:
-- Rewrite links to the forum's own http:// address in stored content.
-- Use your own site name and table prefix in place of www.yoursite.com and elkarte_.
UPDATE `elkarte_messages` SET `body` = REPLACE(`body`, 'http://www.yoursite.com', 'https://www.yoursite.com');

UPDATE `elkarte_personal_messages` SET `body` = REPLACE(`body`, 'http://www.yoursite.com', 'https://www.yoursite.com');

UPDATE `elkarte_user_drafts` SET `body` = REPLACE(`body`, 'http://www.yoursite.com', 'https://www.yoursite.com');

UPDATE `elkarte_members` SET `website_url` = REPLACE(`website_url`, 'http://www.yoursite.com', 'https://www.yoursite.com');

UPDATE `elkarte_members` SET `signature` = REPLACE(`signature`, 'http://www.yoursite.com', 'https://www.yoursite.com');

There may be some other areas to target, but that should be the bulk of the trouble. I'm not sure what to do about the sessions table, I'd probably just empty it so things start off fresh.
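
Added example (not part of the post above, and not Elkarte code): why a plain search and replace breaks serialized values, and a replace that keeps them valid. It assumes the PHP serialize() string format s:<byte length>:"<text>"; which the thread does not name; the sample value and the "avatar_url" key are constructed.

```python
import re

OLD = b"http://www.yoursite.com"    # placeholder host used in the post
NEW = b"https://www.yoursite.com"
# Header of one serialized string token: s:<byte length>:"<payload>";
S_HEAD = re.compile(rb's:(\d+):"')


def php_str(text: bytes) -> bytes:
    """Serialize one string in the assumed PHP serialize() form."""
    return b's:%d:"%s";' % (len(text), text)


def tokens(blob: bytes):
    """Yield (start, payload_start, payload_end) for each string token."""
    pos = 0
    while (m := S_HEAD.search(blob, pos)):
        end = m.end() + int(m.group(1))      # trust the declared length
        if blob[end:end + 2] != b'";':       # payload must end exactly there
            raise ValueError("declared length does not match payload")
        yield m.start(), m.end(), end
        pos = end + 2                        # skip the payload itself


def is_consistent(blob: bytes) -> bool:
    """True if every declared string length matches its payload."""
    try:
        return all(True for _ in tokens(blob))
    except ValueError:
        return False


def naive_replace(blob: bytes) -> bytes:
    """What SQL REPLACE() does: the text grows by one byte, the prefix stays."""
    return blob.replace(OLD, NEW)


def safe_replace(blob: bytes) -> bytes:
    """Replace inside each string token and rewrite its length prefix."""
    out, pos = [], 0
    for start, p_start, p_end in tokens(blob):
        out.append(blob[pos:start])
        out.append(php_str(blob[p_start:p_end].replace(OLD, NEW)))
        pos = p_end + 2
    out.append(blob[pos:])
    return b"".join(out)


# Constructed sample: a one-element serialized array holding a site URL.
SAMPLE = b"a:1:{" + php_str(b"avatar_url") + php_str(OLD + b"/a.png") + b"}"
```
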


Re: HTTPS for Elkarte?

Reply #20

Thanks for your help Spuds. I've got that all done now (except what you said about the sessions table) but still getting the unsecure warning. I have a feeling it has to do with what you said here: "Image proxy, I know @emanuele started on one of these, what it does is proxy images that people post to be served from your site.  It's a proxy / cache where it temporarily copies http images to the local host / proxy where they can be served securely from your https domain."

If I install the addon that emanuele posted (Image caching v0.1.0) here will it cache the images that have been posted previously or will it only cache the ones posted after installing the addon?

Re: HTTPS for Elkarte?

Reply #21

Oh and is there a downside or any danger if I empty the sessions table? There are 62 pages of rows listed in phpMyAdmin on the sessions table.

Re: HTTPS for Elkarte?

Reply #22

I just went to your site, looks like you are almost there  :)

Going to the login page gives me the secure site icon so that's all set.

Going to the main page there are (2) Mixed Content errors:
Code:
http://media.giphy.com/media/a69VzlsvTZxq8/giphy.gif and
http://i220.photobucket.com/albums/dd148/davidma_01/monkey_pirate_by_zaratus_zpszdt7kosg.jpg
Which I suspect are external avatars.  You should be able to go to those users' profiles and change the links to https as both of those sites support that AFAIK.

I think all that would happen with sessions is that members who were logged in "forever or some length of time" would be logged out on their next visit and have to log back in.  @emanuele may be able to provide some thoughts here as well.

Re: HTTPS for Elkarte?

Reply #23

Thanks. I changed both of those to https but the photobucket one keeps using http so I uploaded it to my site and assigned it from there. I still get the insecure warning on the front page though. How did you find the mixed content errors?

Edit: Found another external http avatar and now the front page shows as secure. Is there a way to force people to only use https external avatars or would I just have to turn off the use of external avatars altogether?
Last Edit: January 21, 2017, 04:46:41 pm by b4pjoe
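
Added example (not from any participant in this thread): one way to list the mixed content on a page is to parse its HTML and report every subresource that is fetched over http://. The tag list and the sample page with its example.org / example.net URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Attribute that makes the browser fetch a subresource, per tag.
# <a href> is a navigation link, not a subresource, so it is not listed.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "link": "href",
}
# <link> only fetches for some rel values; rel="canonical" is never loaded.
FETCHING_RELS = {"stylesheet", "icon"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, url) pairs loaded over plain http

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        url = (a.get(attr) or "").strip()
        # URL schemes are case-insensitive; //host/x inherits https and is fine.
        if url.lower().startswith("http://"):
            self.hits.append((tag, url))


def find_mixed_content(html: str):
    """Return every (tag, url) on an https page that would load over http."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample of a forum index page served over https.
SAMPLE_PAGE = """
<link rel="canonical" href="http://forum.example.org/index.php">
<link rel="stylesheet" href="https://forum.example.org/themes/index.css">
<a href="http://other.example.net/">old link</a>
<img class="avatar" src="http://avatars.example.net/monkey.jpg">
<img class="avatar" src="//forum.example.org/avatars/local.png" />
<script src="HTTP://cdn.example.net/widget.js"></script>
"""
```

Feed it the saved HTML of the board index or a topic page; the browser's developer console reports the same requests as mixed content warnings.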

Re: HTTPS for Elkarte?

Reply #24

The easiest thing to do would be to enable the "Download avatar at given URL" under your External avatars area. Then when someone enters a url to an external avatar, the site will download it and serve (https) it just as if someone uploaded it.

Looking at the code a bit I think we need to make a few adjustments for 0.10 so avatars are more respectful of an https only site.

Re: HTTPS for Elkarte?

Reply #25

Another issue is in signatures. Setting the amount of images allowed to zero = no limit on the amount of images. I can see no way to disallow images in signatures, other than to disable signatures.

Re: HTTPS for Elkarte?

Reply #26

You should be able to disable the "img" tag in signature, no?
In "Enabled BBC tags" you remove the tick from img.
Bugs creator.
Features destroyer.
Template killer.

Re: HTTPS for Elkarte?

Reply #27

Oh...missed that setting. I guess I can disable images in sigs.

It seems there is not a good option for making a forum a fully secure website without disallowing users from using images in sigs, having external avatars, or posting images from external sources. Even having the images copied to your own server, while it would work, will eat up a lot of disk space over time.

emanuele, I tried installing your Images cache add-on but afterwards I could not get images from a secure site like Img Safe to show up on my site. Removed the add-on and the images display fine. Also when the add-on was installed I could not display images from any subfolder in my site. For example I created a folder named misc_images and when I tried to link to an image in that folder it would not display. Once again, uninstalled the add-on and images work from that folder.

Re: HTTPS for Elkarte?

Reply #28

Interesting, I guess I screwed something in the addon... If I have time I'll check it. :)

Re: HTTPS for Elkarte?

Reply #29

If you have time, look at the work I did for 1.1, I think those should be backported to the 1.0 addon  O:-)