Author Topic: HTTPS access with Let's Encrypt?  (Read 875 times)

0 Members and 1 Guest are viewing this topic.

Offline jg18

  • A very happy zod
  • 210
  • can do more than spellcheck
HTTPS access with Let's Encrypt?
I was wondering about the feasibility of having HTTPS as an option (or maybe even requirement?) for accessing the HLP forums and possibly also wiki, maybe even the entire site.

With free digital certificates from Let's Encrypt that are trusted by all major browsers and can be set up to auto-renew as needed (they expire after 90 days), it seems like HTTPS support might be doable.

As for why do it in the first place, I figure that securing Web traffic is generallly A Good Thing, and it ensuress that the content of private boards stays private.

I suppose that using HTTPS could be an option rather than a requirement, although maybe allowing for unencrypted HTTP as an option defeats the purpose of supporting HTTPS?

Speaking of which, is authentication for the forums secure? Is wiki authentication secure?

What say The HLP Powers That Be? And what do other forum users think?

Thanks in advance for your consideration.

EDIT: It looks like the site is accessible through HTTPS, however Firefox gives me a warning that not all content is securely transmitted, and clicking on a link seems to take you back to regular HTTP. Also the forums don't appear correctly when using HTTPS (try it to see what I mean).
wxLauncher 0.12.0 RC2/RC3 now available! Toggle FRED launching with F3! | wxLauncher 2.0 Request for Comments
Hey mod authors! Did you know you can customize wxL's recommended lighting preset through your mod.ini? Check it out!

 

Offline niffiwan

  • 211
  • Eluder Class
Re: HTTPS access with Let's Encrypt?
https on everything hard-light.net gets my vote
Creating a fs2_open.log | Red Alert Bug = Hex Edit | MediaVPs 2014: Bigger HUD gauges | 32bit libs for 64bit Ubuntu
----
Linux OBS Packages: FSO 3.7.0 | FSO BP Build | wxLauncher (?) | PCS2 (?) | wxVPView (?)
Debian Packages (testing/unstable): Freespace2 | wxLauncher
----
m|m: I think I'm suffering from Stockholm syndrome. Bmpman is starting to make sense and it's actually written reasonably well...

 
Re: HTTPS access with Let's Encrypt?
For what it's worth, I'd like it too.
There are only 10 kinds of people in the world;
those who understand binary and those who don't.

 

Offline jg18

  • A very happy zod
  • 210
  • can do more than spellcheck
Re: HTTPS access with Let's Encrypt?
Does anyone else think switching to HTTPS for HLP would be A Good Thing? Would especially appreciate thoughts from an admin.
wxLauncher 0.12.0 RC2/RC3 now available! Toggle FRED launching with F3! | wxLauncher 2.0 Request for Comments
Hey mod authors! Did you know you can customize wxL's recommended lighting preset through your mod.ini? Check it out!

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: HTTPS access with Let's Encrypt?
Does anyone else think switching to HTTPS for HLP would be A Good Thing? Would especially appreciate thoughts from an admin.
It certainty wouldn't hurt.

It should be doable with the new build that is in progress, but the account 'owner' will need to be determined.  But the bug is in the ear, and once we get closer to going live, we will look at implementing it.
--
POSIX is fine, as is Rev or RP.  EMail, PM or leaving me an IM on ICQ, even if I'm not showing up as online. is the best way to get ahold of me.

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."

 

Offline jg18

  • A very happy zod
  • 210
  • can do more than spellcheck
Re: HTTPS access with Let's Encrypt?
Thanks, RP. :)
wxLauncher 0.12.0 RC2/RC3 now available! Toggle FRED launching with F3! | wxLauncher 2.0 Request for Comments
Hey mod authors! Did you know you can customize wxL's recommended lighting preset through your mod.ini? Check it out!

 

Offline MP-Ryan

  • Makes General Discussion Make Sense.
  • Global Moderator
  • 210
  • Keyboard > Pen > Sword
    • Twitter
Re: HTTPS access with Let's Encrypt?
https on everything hard-light.net gets my vote

Concur.
"In the beginning, the Universe was created.  This made a lot of people very angry and has widely been regarded as a bad move."  [Douglas Adams]

 

Offline chief1983

  • Still lacks a custom title
  • 212
  • ⬇️⬆️⬅️⬅️À➡️⬇️
    • Minecraft
    • Skype
    • Steam
    • Twitter
    • Fate of the Galaxy
Re: HTTPS access with Let's Encrypt?
I didn't even notice a new HTTPS thread, I'd brought it up in Site Feedback (maybe that's restricted access?) two years ago http://www.hard-light.net/forums/index.php?topic=90192.0

Still has my support, along with a new build that has a PHP with SHA-256 support :)
Fate of the Galaxy - Now Hiring!  Apply within | Diaspora | SCP Home | Collada Importer for PCS2
Karajorma's 'How to report bugs' | Mantis
#freespace | #scp-swc | #diaspora | #SCP | #hard-light on EsperNet

"You may not sell or otherwise commercially exploit the source or things you created based on the source." -- Excerpt from FSO license, for reference

Nuclear1:  Jesus Christ zack you're a little too hamyurger for HLP right now...
iamzack:  i dont have hamynerge i just want ptatoc hips D:
redsniper:  Platonic hips?!
iamzack:  lays

 

Offline AdmiralRalwood

  • 211
  • The Cthulhu programmer himself!
    • Skype
    • Steam
    • Twitter
Re: HTTPS access with Let's Encrypt?
I'd brought it up in Site Feedback (maybe that's restricted access?)
Apparently so, since I can't access your link.
Ph'nglui mglw'nafh Codethulhu GitHub wgah'nagl fhtagn.

schrödinbug (noun) - a bug that manifests itself in running software after a programmer notices that the code should never have worked in the first place.

When you gaze long into BMPMAN, BMPMAN also gazes into you.

"I am one of the best FREDders on Earth" -General Battuta

<Aesaar> literary criticism is vladimir putin

<MageKing17> "There's probably a reason the code is the way it is" is a very dangerous line of thought. :P
<MageKing17> Because the "reason" often turns out to be "nobody noticed it was wrong".
(the very next day)
<MageKing17> this ****ing code did it to me again
<MageKing17> "That doesn't really make sense to me, but I'll assume it was being done for a reason."
<MageKing17> **** ME
<MageKing17> THE REASON IS PEOPLE ARE STUPID
<MageKing17> ESPECIALLY ME

<MageKing17> God damn, I do not understand how this is breaking.
<MageKing17> Everything points to "this should work fine", and yet it's clearly not working.
<MjnMixael> 2 hours later... "God damn, how did this ever work at all?!"
(...)
<MageKing17> so
<MageKing17> more than two hours
<MageKing17> but once again we have reached the inevitable conclusion
<MageKing17> How did this code ever work in the first place!?

<@The_E> Welcome to OpenGL, where standards compliance is optional, and error reporting inconsistent

<MageKing17> It was all working perfectly until I actually tried it on an actual mission.

<IronWorks> I am useful for FSO stuff again. This is a red-letter day!
* z64555 erases "Thursday" and rewrites it in red ink

<MageKing17> TIL the entire homing code is held up by shoestrings and duct tape, basically.

 

Offline jg18

  • A very happy zod
  • 210
  • can do more than spellcheck
Re: HTTPS access with Let's Encrypt?
:bump:

Now that the server move has taken place and the forums are more or less back to normal, perhaps this can be looked into again? :)
wxLauncher 0.12.0 RC2/RC3 now available! Toggle FRED launching with F3! | wxLauncher 2.0 Request for Comments
Hey mod authors! Did you know you can customize wxL's recommended lighting preset through your mod.ini? Check it out!

  

Offline Goober5000

  • HLP Loremaster
  • Administrator
  • 214
    • Goober5000 Productions
Re: HTTPS access with Let's Encrypt?
That's the plan.  I've been bugging rev_posix about it since the 7th.

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: HTTPS access with Let's Encrypt?
That's the plan.  I've been bugging rev_posix about it since the 7th.
Yes, yes you have.  :P

I'm looking into it as I can.  It's not quite a simple 'get this file and go' thing, there is a small amount of back end work that needs to be done.

*EDIT*:  Ok, the cert is requested and in place.  Most of the work appears to be automated by the current admin UI we are using now.

However, going to the site with https breaks the CSS (it doesn't show up), don't know if it's a browser thing or server.  Feel free to look around yourself goob and see if you can spot the issue since you and sammich recently spent a lot of time fixing the theme, you two might be able to figure it out before I can. :)
« Last Edit: November 23, 2017, 07:53:12 am by rev_posix »
--
POSIX is fine, as is Rev or RP.  EMail, PM or leaving me an IM on ICQ, even if I'm not showing up as online. is the best way to get ahold of me.

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."

 

Offline ngld

  • 28
Re: HTTPS access with Let's Encrypt?
The problem isn't directly related to CSS. It's more of a general link problem. The forum uses http:// for all its links. Once you change that to https:// it should work.  (The browser refuses to load the CSS files over http:// if you're accessing the site with https:// because that'd be insecure which is why it doesn't show up).

EDIT: I'm not sure if the Let's Encrypt certificate is used since the traffic goes through CloudFlare. I can only see their certificate on my side. Can an admin please check if the connection between CloudFlare and the HLP server is also encrypted?

 

Offline chief1983

  • Still lacks a custom title
  • 212
  • ⬇️⬆️⬅️⬅️À➡️⬇️
    • Minecraft
    • Skype
    • Steam
    • Twitter
    • Fate of the Galaxy
Re: HTTPS access with Let's Encrypt?
Get rid of the http altogether, just have //www.hard-light.net/blah.css.  The browser will use whatever protocol the initial page loaded with to load the resources.  This will allow toggling between http and https at any time without modification, and would make enabling forced https later easier.
Fate of the Galaxy - Now Hiring!  Apply within | Diaspora | SCP Home | Collada Importer for PCS2
Karajorma's 'How to report bugs' | Mantis
#freespace | #scp-swc | #diaspora | #SCP | #hard-light on EsperNet

"You may not sell or otherwise commercially exploit the source or things you created based on the source." -- Excerpt from FSO license, for reference

Nuclear1:  Jesus Christ zack you're a little too hamyurger for HLP right now...
iamzack:  i dont have hamynerge i just want ptatoc hips D:
redsniper:  Platonic hips?!
iamzack:  lays

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: HTTPS access with Let's Encrypt?
The problem isn't directly related to CSS. It's more of a general link problem. The forum uses http:// for all its links. Once you change that to https:// it should work.  (The browser refuses to load the CSS files over http:// if you're accessing the site with https:// because that'd be insecure which is why it doesn't show up).
That's more or less what I was thinking now that it's not 'way early been up too long' AM for me.  :P

However, it's not a simple rewrite rule change as the usual rewrite or redirect rules cause some kind of loop and my browsers won't load the page with it turned on.

EDIT: I'm not sure if the Let's Encrypt certificate is used since the traffic goes through CloudFlare. I can only see their certificate on my side. Can an admin please check if the connection between CloudFlare and the HLP server is also encrypted?
It is, but it wasn't set to automagically rewrite/force any and all calls to the web site to be redone as https (which I just turned on).

While it does work, I'm not crazy about it as I feel it would be better to have the cert presented be the letsencrypt one we have for the domain vs relying on CF for it, but this will work for now...  which thinking about it, the redirect weirdness I was seeing may be because of CF and it's SSL settings for the proxy...  Will have to experiment on this later.
--
POSIX is fine, as is Rev or RP.  EMail, PM or leaving me an IM on ICQ, even if I'm not showing up as online. is the best way to get ahold of me.

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."

 

Offline ngld

  • 28
Re: HTTPS access with Let's Encrypt?
However, it's not a simple rewrite rule change as the usual rewrite or redirect rules cause some kind of loop and my browsers won't load the page with it turned on.
Rewrite rules don't change the server generated HTML which is why it didn't work. The correct solution would be to edit the forum settings or fix whatever was causing the forum to miss that the browser is using HTTPS.

While it does work, I'm not crazy about it as I feel it would be better to have the cert presented be the letsencrypt one we have for the domain vs relying on CF for it, but this will work for now...
This won't be worth the effort because a) you need the Pro plan for this (you'll have to pay CF $20 per month unless you're doing that already) and b) Let's Encrypt certificates are only vaild for 3 months. You'll have to upload a new certificate at least every 3 months to CF (it's recommended to update the certificate after 2 months so you still have a month to fix it if something goes wrong). Doing that manually would be a hassle and I'm not sure if there's an automated script for this.

... which thinking about it, the redirect weirdness I was seeing may be because of CF and it's SSL settings for the proxy...  Will have to experiment on this later.
The problem might have been that CF didn't use SSL to connect to the HLP server which lead to the server not realising that the browser was using SSL.

There are still quite a few things which aren't loaded correctly:
  • The highlights CSS is still being loaded over HTTP instead of HTTPS which is why they're not displayed correctly (at least for me). To fix this open the theme's CSS file and turn that absolute URL into a relative path.
  • Google Ads
  • The front page is still loading images over HTTP which doesn't break anything but leads to the browser marking the website as "insecure" and displays warnings in the console.

 

Offline Goober5000

  • HLP Loremaster
  • Administrator
  • 214
    • Goober5000 Productions
Re: HTTPS access with Let's Encrypt?
Google Ads haven't worked in years, due to Google arbitrarily declaring that we were generating invalid clicks using bots or whatever, then kicking us off.  I told Sandwich to not bother with Google Ads in the new from-scratch version of the theme.

I have fixed all the hard-coded http:// links to be https://, and the highlights work again.  I see chief1983's suggestion about using // instead of hard-coding https://, but the ensuing discussion is somewhat Greek to me and I don't know if that invalidated it or not.  Should I change them again to // ?

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: HTTPS access with Let's Encrypt?
Rewrite rules don't change the server generated HTML which is why it didn't work. The correct solution would be to edit the forum settings or fix whatever was causing the forum to miss that the browser is using HTTPS.
Correct, which is why I was mentioning it to goob and/or sammich as they know the forum software much better than I do.

The rewrite rule I tried at first in the apache config was supposed to rewrite/redirect any and all requests with http to https, so in theory, it should have worked.  But that obviously didn't quite work.  :nervous:

This won't be worth the effort because a) you need the Pro plan for this (you'll have to pay CF $20 per month unless you're doing that already) and b) Let's Encrypt certificates are only vaild for 3 months. You'll have to upload a new certificate at least every 3 months to CF (it's recommended to update the certificate after 2 months so you still have a month to fix it if something goes wrong). Doing that manually would be a hassle and I'm not sure if there's an automated script for this.
Actually, there is automation scripts available from letsencrypt, or one could be rolled on our own.

Mainly, I look at it as being worthwhile so in case CF ever decides to charge for the https 'rewrite' feature, it can be turned off on that side and the server is still good to go.

The problem might have been that CF didn't use SSL to connect to the HLP server which lead to the server not realising that the browser was using SSL.
I don't think that is it.  These are the specific settings in CF:

Code: [Select]
Always use HTTPS
Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.

Automatic HTTPS Rewrites
Automatic HTTPS Rewrites helps fix mixed content by changing “http” to “https” for all resources or links on your web site that can be served with HTTPS.


These are the CF side 'rewrite' rules, so as long as anyone is accessing the site via the www.hard-light.net FQDN, CF does a transparent proxy kind of thing and puts everything in an SSL tunnel using their cert.

Not the best option, IMO, for a few reasons mentioned elsewhere, but it's workable for the bulk of the hard-light.net domain as a stop gap until the LE cert issues are hammered out

  • The highlights CSS is still being loaded over HTTP instead of HTTPS which is why they're not displayed correctly (at least for me). To fix this open the theme's CSS file and turn that absolute URL into a relative path.
Which a grep of the HLP_20 theme files doesn't turn up anything that is hard coded to http, and the few absolute URL's are already https.

Another reason I would rather see the site using the LE cert, it has the side effect of pointing out anything that was missed in The Great Server Move of 2017 (tm)  ;)
« Last Edit: November 24, 2017, 03:25:22 am by rev_posix »
--
POSIX is fine, as is Rev or RP.  EMail, PM or leaving me an IM on ICQ, even if I'm not showing up as online. is the best way to get ahold of me.

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."

 

Offline ngld

  • 28
Re: HTTPS access with Let's Encrypt?
Mainly, I look at it as being worthwhile so in case CF ever decides to charge for the https 'rewrite' feature, it can be turned off on that side and the server is still good to go.
If CF ever starts charging for HTTPS support you could use the Let's Encrypt certificate instead but then you'd still have to drop CF.


These are the CF side 'rewrite' rules, so as long as anyone is accessing the site via the www.hard-light.net FQDN, CF does a transparent proxy kind of thing and puts everything in an SSL tunnel using their cert.
That's one way to call it. It's basically a search&replace which fixes URLs on the fly in HTML. It doesn't seem to work reliably though since I just had a mix of http:// and https:// references which resulted in the CSS missing once again. It stopped once I clicked on the Reply button though.

Which a grep of the HLP_20 theme files doesn't turn up anything that is hard coded to http, and the few absolute URL's are already https.
That's because Goober already fixed that reference.

The wiki is broken right now. It's redirecting in a loop. I'm going to guess that CF redirects to https and MediaWiki redirects to http which leads to an infinite loop.

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: HTTPS access with Let's Encrypt?
If CF ever starts charging for HTTPS support you could use the Let's Encrypt certificate instead but then you'd still have to drop CF.
Actually no.  CF, up until this point, is used only for the DNS and anti-DDOS measures.  The HTTPS rewrite stuff is separate and isn't the main thing it was set up in the beginning.  I can't see us dropping CF full stop unless they start charging for the above mentioned services.

That's because Goober already fixed that reference.
Actually, I did find one more reference, which I did correct, but it didn't solve anything.  Forcing the forum to reset the theme URL base to https from http seems to have fixed more.  Unfortunately, either I'm blind and missing the config setting in the forum admin panels, or SMF doesn't have an option to direct everything over HTTPS in the current patch level.

The wiki is broken right now. It's redirecting in a loop. I'm going to guess that CF redirects to https and MediaWiki redirects to http which leads to an infinite loop.
Yes, I noticed that.  I turned off the 'force everything to https' option on the CF side, and left the rest on, so it should attempt to rewrite http to https only if the originating page is originally requested over https, but, as you noticed, isn't perfect.

Again, it's a temporary fix that will keep the bulk of the site encrypted as long as https is used in the URL

Side note, the redirect worked for the mantis install just fine.  Go figure
« Last Edit: November 24, 2017, 03:43:13 am by rev_posix »
--
POSIX is fine, as is Rev or RP.  EMail, PM or leaving me an IM on ICQ, even if I'm not showing up as online. is the best way to get ahold of me.

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."