Hard Light Productions Forums

Site Management => Site Support / Feedback => Topic started by: jg18 on January 09, 2017, 01:02:16 pm

Title: HTTPS access with Let's Encrypt?
Post by: jg18 on January 09, 2017, 01:02:16 pm
I was wondering about the feasibility of having HTTPS as an option (or maybe even requirement?) for accessing the HLP forums and possibly also wiki, maybe even the entire site.

With free digital certificates from Let's Encrypt (https://letsencrypt.org/) that are trusted by all major browsers and can be set up to auto-renew as needed (they expire after 90 days), it seems like HTTPS support might be doable.

As for why do it in the first place, I figure that securing Web traffic is generally A Good Thing, and it ensures that the content of private boards stays private.

I suppose that using HTTPS could be an option rather than a requirement, although maybe allowing for unencrypted HTTP as an option defeats the purpose of supporting HTTPS?

Speaking of which, is authentication for the forums secure? Is wiki authentication secure?

What say The HLP Powers That Be? And what do other forum users think?

Thanks in advance for your consideration.

EDIT: It looks like the site is accessible through HTTPS, however Firefox gives me a warning that not all content is securely transmitted, and clicking on a link seems to take you back to regular HTTP. Also the forums don't appear correctly when using HTTPS (try it to see what I mean).
Title: Re: HTTPS access with Let's Encrypt?
Post by: niffiwan on January 10, 2017, 04:56:27 am
https on everything hard-light.net gets my vote
Title: Re: HTTPS access with Let's Encrypt?
Post by: LaineyBugsDaddy on January 10, 2017, 02:43:58 pm
For what it's worth, I'd like it too.
Title: Re: HTTPS access with Let's Encrypt?
Post by: jg18 on January 17, 2017, 10:04:32 pm
Does anyone else think switching to HTTPS for HLP would be A Good Thing? Would especially appreciate thoughts from an admin.
Title: Re: HTTPS access with Let's Encrypt?
Post by: rev_posix on January 17, 2017, 11:49:16 pm
Does anyone else think switching to HTTPS for HLP would be A Good Thing? Would especially appreciate thoughts from an admin.
It certainly wouldn't hurt.

It should be doable with the new build that is in progress, but the account 'owner' will need to be determined.  But the bug is in the ear, and once we get closer to going live, we will look at implementing it.
Title: Re: HTTPS access with Let's Encrypt?
Post by: jg18 on January 18, 2017, 12:02:22 am
Thanks, RP. :)
Title: Re: HTTPS access with Let's Encrypt?
Post by: MP-Ryan on February 07, 2017, 12:16:48 pm
https on everything hard-light.net gets my vote

Concur.
Title: Re: HTTPS access with Let's Encrypt?
Post by: chief1983 on February 24, 2017, 11:56:45 am
I didn't even notice a new HTTPS thread, I'd brought it up in Site Feedback (maybe that's restricted access?) two years ago http://www.hard-light.net/forums/index.php?topic=90192.0

Still has my support, along with a new build that has a PHP with SHA-256 support :)
Title: Re: HTTPS access with Let's Encrypt?
Post by: AdmiralRalwood on February 24, 2017, 01:02:16 pm
I'd brought it up in Site Feedback (maybe that's restricted access?)
Apparently so, since I can't access your link.
Title: Re: HTTPS access with Let's Encrypt?
Post by: jg18 on November 22, 2017, 01:07:03 am
:bump:

Now that the server move has taken place and the forums are more or less back to normal, perhaps this can be looked into again? :)
Title: Re: HTTPS access with Let's Encrypt?
Post by: Goober5000 on November 22, 2017, 08:40:20 am
That's the plan.  I've been bugging rev_posix about it since the 7th.
Title: Re: HTTPS access with Let's Encrypt?
Post by: rev_posix on November 23, 2017, 05:46:33 am
That's the plan.  I've been bugging rev_posix about it since the 7th.
Yes, yes you have.  :P

I'm looking into it as I can.  It's not quite a simple 'get this file and go' thing, there is a small amount of back end work that needs to be done.

*EDIT*:  Ok, the cert is requested and in place.  Most of the work appears to be automated by the current admin UI we are using now.

However, going to the site with https breaks the CSS (it doesn't show up), don't know if it's a browser thing or server.  Feel free to look around yourself goob and see if you can spot the issue since you and sammich recently spent a lot of time fixing the theme, you two might be able to figure it out before I can. :)
Title: Re: HTTPS access with Let's Encrypt?
Post by: ngld on November 23, 2017, 12:20:00 pm
The problem isn't directly related to CSS. It's more of a general link problem. The forum uses http:// for all its links. Once you change that to https:// it should work.  (The browser refuses to load the CSS files over http:// if you're accessing the site with https:// because that'd be insecure which is why it doesn't show up).

EDIT: I'm not sure if the Let's Encrypt certificate is used since the traffic goes through CloudFlare. I can only see their certificate on my side. Can an admin please check if the connection between CloudFlare and the HLP server is also encrypted?
Title: Re: HTTPS access with Let's Encrypt?
Post by: chief1983 on November 23, 2017, 01:41:00 pm
Get rid of the http altogether, just have //www.hard-light.net/blah.css.  The browser will use whatever protocol the initial page loaded with to load the resources.  This will allow toggling between http and https at any time without modification, and would make enabling forced https later easier.
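An added example (not code from the thread or from the HLP theme) of the two things discussed above: spotting same-site resources still referenced as http:// in theme markup, and rewriting them to the scheme-relative //host/path form chief1983 suggests. The sample markup and host are constructed for illustration.

```python
import re

# Constructed sample of theme markup/CSS of the kind the thread describes
# (hypothetical, not the HLP_20 theme files).
SAMPLE = """
<link rel="stylesheet" href="http://www.hard-light.net/forums/Themes/x/style.css">
<img src="https://www.hard-light.net/images/logo.png">
<script src="http://cdn.example.org/lib.js"></script>
.highlight { background: url(http://www.hard-light.net/forums/Themes/x/hl.png); }
"""

# Match absolute http(s) URLs in href/src attributes and in CSS url() calls.
URL_RE = re.compile(r'(?P<pre>(?:href|src)=["\']|url\()(?P<url>https?://[^"\')\s]+)')

def find_mixed_content(text):
    """Return the plain-http URLs that a browser will block (stylesheets,
    scripts) or warn about (images) once the page itself is served over https."""
    return [m.group("url") for m in URL_RE.finditer(text)
            if m.group("url").startswith("http://")]

def make_scheme_relative(text, own_host):
    """Rewrite absolute URLs that point at our own host to '//host/path' so
    they follow whatever scheme the page loaded with. Third-party http://
    URLs are left alone: those need a real https endpoint, not a scheme
    swap, so they stay visible to find_mixed_content()."""
    def repl(m):
        url = m.group("url")
        rest = re.sub(r'^https?://', '', url)
        host = rest.split('/', 1)[0]
        if host == own_host:
            return m.group("pre") + "//" + rest
        return m.group(0)
    return URL_RE.sub(repl, text)
```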
Title: Re: HTTPS access with Let's Encrypt?
Post by: rev_posix on November 23, 2017, 04:23:12 pm
The problem isn't directly related to CSS. It's more of a general link problem. The forum uses http:// for all its links. Once you change that to https:// it should work.  (The browser refuses to load the CSS files over http:// if you're accessing the site with https:// because that'd be insecure which is why it doesn't show up).
That's more or less what I was thinking now that it's not 'way early been up too long' AM for me.  :P

However, it's not a simple rewrite rule change as the usual rewrite or redirect rules cause some kind of loop and my browsers won't load the page with it turned on.

EDIT: I'm not sure if the Let's Encrypt certificate is used since the traffic goes through CloudFlare. I can only see their certificate on my side. Can an admin please check if the connection between CloudFlare and the HLP server is also encrypted?
It is, but it wasn't set to automagically rewrite/force any and all calls to the web site to be redone as https (which I just turned on).

While it does work, I'm not crazy about it as I feel it would be better to have the cert presented be the letsencrypt one we have for the domain vs relying on CF for it, but this will work for now...  which thinking about it, the redirect weirdness I was seeing may be because of CF and its SSL settings for the proxy...  Will have to experiment on this later.
Title: Re: HTTPS access with Let's Encrypt?
Post by: ngld on November 23, 2017, 05:34:19 pm
However, it's not a simple rewrite rule change as the usual rewrite or redirect rules cause some kind of loop and my browsers won't load the page with it turned on.
Rewrite rules don't change the server generated HTML which is why it didn't work. The correct solution would be to edit the forum settings or fix whatever was causing the forum to miss that the browser is using HTTPS.

While it does work, I'm not crazy about it as I feel it would be better to have the cert presented be the letsencrypt one we have for the domain vs relying on CF for it, but this will work for now...
This won't be worth the effort because a) you need the Pro plan for this (you'll have to pay CF $20 per month unless you're doing that already) and b) Let's Encrypt certificates are only valid for 3 months. You'll have to upload a new certificate at least every 3 months to CF (it's recommended to update the certificate after 2 months so you still have a month to fix it if something goes wrong). Doing that manually would be a hassle and I'm not sure if there's an automated script for this.

... which thinking about it, the redirect weirdness I was seeing may be because of CF and its SSL settings for the proxy...  Will have to experiment on this later.
The problem might have been that CF didn't use SSL to connect to the HLP server which led to the server not realising that the browser was using SSL.

There are still quite a few things which aren't loaded correctly:
Title: Re: HTTPS access with Let's Encrypt?
Post by: Goober5000 on November 23, 2017, 11:44:38 pm
Google Ads haven't worked in years, due to Google arbitrarily declaring that we were generating invalid clicks using bots or whatever, then kicking us off.  I told Sandwich to not bother with Google Ads in the new from-scratch version of the theme.

I have fixed all the hard-coded http:// links to be https://, and the highlights work again.  I see chief1983's suggestion about using // instead of hard-coding https://, but the ensuing discussion is somewhat Greek to me and I don't know if that invalidated it or not.  Should I change them again to // ?
Title: Re: HTTPS access with Let's Encrypt?
Post by: rev_posix on November 24, 2017, 01:51:56 am
Rewrite rules don't change the server generated HTML which is why it didn't work. The correct solution would be to edit the forum settings or fix whatever was causing the forum to miss that the browser is using HTTPS.
Correct, which is why I was mentioning it to goob and/or sammich as they know the forum software much better than I do.

The rewrite rule I tried at first in the apache config was supposed to rewrite/redirect any and all requests with http to https, so in theory, it should have worked.  But that obviously didn't quite work.  :nervous:

This won't be worth the effort because a) you need the Pro plan for this (you'll have to pay CF $20 per month unless you're doing that already) and b) Let's Encrypt certificates are only valid for 3 months. You'll have to upload a new certificate at least every 3 months to CF (it's recommended to update the certificate after 2 months so you still have a month to fix it if something goes wrong). Doing that manually would be a hassle and I'm not sure if there's an automated script for this.
Actually, there are automation scripts available from letsencrypt, or one could be rolled on our own.

Mainly, I look at it as being worthwhile so in case CF ever decides to charge for the https 'rewrite' feature, it can be turned off on that side and the server is still good to go.

The problem might have been that CF didn't use SSL to connect to the HLP server which led to the server not realising that the browser was using SSL.
I don't think that is it.  These are the specific settings in CF:

Code:
Always use HTTPS
Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.

Automatic HTTPS Rewrites
Automatic HTTPS Rewrites helps fix mixed content by changing “http” to “https” for all resources or links on your web site that can be served with HTTPS.


These are the CF side 'rewrite' rules, so as long as anyone is accessing the site via the www.hard-light.net FQDN, CF does a transparent proxy kind of thing and puts everything in an SSL tunnel using their cert.

Not the best option, IMO, for a few reasons mentioned elsewhere, but it's workable for the bulk of the hard-light.net domain as a stop gap until the LE cert issues are hammered out.

  • The highlights CSS is still being loaded over HTTP instead of HTTPS which is why they're not displayed correctly (at least for me). To fix this open the theme's CSS file and turn that absolute URL into a relative path.
Which a grep of the HLP_20 theme files doesn't turn up anything that is hard-coded to http, and the few absolute URLs are already https.

Another reason I would rather see the site using the LE cert, it has the side effect of pointing out anything that was missed in The Great Server Move of 2017 (tm)  ;)
Title: Re: HTTPS access with Let's Encrypt?
Post by: ngld on November 24, 2017, 02:01:47 am
Mainly, I look at it as being worthwhile so in case CF ever decides to charge for the https 'rewrite' feature, it can be turned off on that side and the server is still good to go.
If CF ever starts charging for HTTPS support you could use the Let's Encrypt certificate instead but then you'd still have to drop CF.


These are the CF side 'rewrite' rules, so as long as anyone is accessing the site via the www.hard-light.net FQDN, CF does a transparent proxy kind of thing and puts everything in an SSL tunnel using their cert.
That's one way to call it. It's basically a search&replace which fixes URLs on the fly in HTML. It doesn't seem to work reliably though since I just had a mix of http:// and https:// references which resulted in the CSS missing once again. It stopped once I clicked on the Reply button though.

Which a grep of the HLP_20 theme files doesn't turn up anything that is hard-coded to http, and the few absolute URLs are already https.
That's because Goober already fixed that reference.

The wiki is broken right now. It's redirecting in a loop. I'm going to guess that CF redirects to https and MediaWiki redirects to http which leads to an infinite loop.
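An added simulation (not code from the thread, and not HLP's or CloudFlare's configuration) of the loop ngld guesses at just above, and of the earlier point that the origin has to know the browser used HTTPS: the edge redirects http to https, proxies to the origin, and the origin does a canonical-URL redirect from a fixed server URL. Hostnames, addresses and the trusted-proxy list are constructed.

```python
from urllib.parse import urlsplit

# Constructed: the CDN egress address we are willing to accept X-Forwarded-Proto from.
TRUSTED_PROXIES = {"203.0.113.10"}

def effective_scheme(environ):
    """Scheme the browser used. Honour X-Forwarded-Proto only from a trusted
    proxy; from anyone else it could be spoofed to steer redirects and links."""
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        xfp = environ.get("HTTP_X_FORWARDED_PROTO")
        if xfp in ("http", "https"):
            return xfp
    return environ["wsgi.url_scheme"]

def origin_response(environ, canonical_scheme):
    """Canonical-URL redirect like a wiki with a fixed server URL: if the
    request scheme differs from the configured one, redirect to it.
    'relative' models a scheme-relative server URL (no scheme redirect)."""
    scheme = effective_scheme(environ)
    if canonical_scheme != "relative" and scheme != canonical_scheme:
        return 301, f"{canonical_scheme}://{environ['HTTP_HOST']}{environ['PATH_INFO']}"
    return 200, scheme          # on 200, report the scheme the origin believed

def edge_response(url, force_https, origin_tls, canonical_scheme):
    """CDN edge: optional 'Always use HTTPS' redirect, otherwise proxy to the
    origin over TLS or plain http and pass the browser's scheme along."""
    p = urlsplit(url)
    if force_https and p.scheme == "http":
        return 301, f"https://{p.netloc}{p.path}"
    environ = {"REMOTE_ADDR": "203.0.113.10", "HTTP_HOST": p.netloc,
               "PATH_INFO": p.path, "HTTP_X_FORWARDED_PROTO": p.scheme,
               "wsgi.url_scheme": "https" if origin_tls else "http"}
    return origin_response(environ, canonical_scheme)

def fetch(url, force_https, origin_tls, canonical_scheme, max_hops=6):
    """Follow redirects like a browser. Returns ('ok', final_url, scheme the
    origin believed) or ('loop', hops) when the redirects never settle."""
    for _ in range(max_hops):
        status, payload = edge_response(url, force_https, origin_tls, canonical_scheme)
        if status == 200:
            return "ok", url, payload
        url = payload
    return "loop", max_hops
```

With the edge forcing https and the origin configured for a fixed http server URL, every request ping-pongs between the two redirects; a scheme-relative server URL plus trusted X-Forwarded-Proto handling settles on https, while simply turning the edge redirect off settles on plain http.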
Title: Re: HTTPS access with Let's Encrypt?
Post by: rev_posix on November 24, 2017, 02:32:57 am
If CF ever starts charging for HTTPS support you could use the Let's Encrypt certificate instead but then you'd still have to drop CF.
Actually no.  CF, up until this point, is used only for the DNS and anti-DDOS measures.  The HTTPS rewrite stuff is separate and isn't the main thing it was set up for in the beginning.  I can't see us dropping CF full stop unless they start charging for the above mentioned services.

That's because Goober already fixed that reference.
Actually, I did find one more reference, which I did correct, but it didn't solve anything.  Forcing the forum to reset the theme URL base to https from http seems to have fixed more.  Unfortunately, either I'm blind and missing the config setting in the forum admin panels, or SMF doesn't have an option to direct everything over HTTPS in the current patch level.

The wiki is broken right now. It's redirecting in a loop. I'm going to guess that CF redirects to https and MediaWiki redirects to http which leads to an infinite loop.
Yes, I noticed that.  I turned off the 'force everything to https' option on the CF side, and left the rest on, so it should attempt to rewrite http to https only if the originating page is originally requested over https, but, as you noticed, isn't perfect.

Again, it's a temporary fix that will keep the bulk of the site encrypted as long as https is used in the URL.

Side note, the redirect worked for the mantis install just fine.  Go figure.
Title: Re: HTTPS access with Let's Encrypt?
Post by: ngld on November 24, 2017, 02:40:35 am
Actually no.  CF, up until this point, is used only for the DNS and anti-DDOS measures.  The HTTPS rewrite stuff is separate and isn't the main thing it was set up for in the beginning.  I can't see us dropping CF full stop unless they start charging for the above mentioned services.
Yes, but I wasn't talking about the HTTPS rewrite stuff. I was talking about HTTPS support in general.
If you want to use your own certificate and don't want to pay CF for HTTPS support, you can't use their HTTP proxy. AFAIK CF doesn't support TCP proxying so the end result would be that you'd have to drop CF in that case. I just don't see any way around that. Feel free to correct me if I'm wrong.

Again, it's a temporary fix that will keep the bulk of the site encrypted as long as https is used in the URL.
Thanks for fixing this!
Title: Re: HTTPS access with Let's Encrypt?
Post by: chief1983 on November 24, 2017, 09:01:06 am
@goober not sure if you should use the //domain thing or not, but using relative links as suggested, would work as well, as long as all the stuff lives at the same domain.
Title: Re: HTTPS access with Let's Encrypt?
Post by: Goober5000 on November 25, 2017, 12:36:19 am
There's a rewrite rule that will redirect all http://hard-light.net traffic to http://www.hard-light.net.  There's another one that will redirect www.hard-light.net/wiki to wiki.hard-light.net, and a third that will redirect www.hard-light.net/mantis to mantis.hard-light.net.  Are any of these pertinent to the current problem?


Actually, I did find one more reference, which I did correct, but it didn't solve anything.

Which reference was this?
Title: Re: HTTPS access with Let's Encrypt?
Post by: rev_posix on December 08, 2017, 05:23:11 am
There's a rewrite rule that will redirect all http://hard-light.net traffic to http://www.hard-light.net.  There's another one that will redirect www.hard-light.net/wiki to wiki.hard-light.net, and a third that will redirect www.hard-light.net/mantis to mantis.hard-light.net.  Are any of these pertinent to the current problem?


Actually, I did find one more reference, which I did correct, but it didn't solve anything.

Which reference was this?
I honestly don't recall right now. I did a grep of the CSS file for hard-light and found one line that had http in it, and changed it to https.