Thread: SSL for PE

  1. #1

    SSL for PE

    Hey guys, may I suggest that you use https for the PE site? You can get a free certificate from Let's Encrypt (which is backed by just about every major web org), that's very easy to install and setup. I can help if you need it.

    https://letsencrypt.org/
    "Always ready with the ray of sunshine"

  2. #2
    Nothing, guys?
    "Always ready with the ray of sunshine"

  3. #3
    Moderator Duncan Glenday (Join Date: Oct 2012; Location: Frederick, MD; Posts: 590)
    Sorry - not (deliberately) ignoring you - I'll get onto this shortly.

    Bear in mind that an SSL would have had NO impact on the hack we had a few weeks ago.
    Regards,

    Duncan

    This place has become the "Cheers" of the Internet.
    -- Rushfan

  4. #4
    But since we're typing a lot here, SSL would be good.. and free: https://letsencrypt.org/
    "Always ready with the ray of sunshine"

  5. #5
    Got forced to change my password by vBulletin this morning. I had been waiting to "upgrade" to a stronger password once I knew for certain PE was secure.

    How are things looking on that front?
    Ephemeral Sun - because I gotta do something about these boxes of CDs in the basement: http://www.ephemeralsun.com

  6. #6
    Outraged bystander markwoll (Join Date: Nov 2012; Location: Northern Virginia; Posts: 1,241)
    Quote: Originally Posted by battema
    Got forced to change my password by vBulletin this morning. I had been waiting to "upgrade" to a stronger password once I knew for certain PE was secure.

    How are things looking on that front?
    I suspect crickets chirping
    "It is the mark of an educated mind to be able to entertain a thought without accepting it."
    -- Aristotle
    Nostalgia, you know, ain't what it used to be. Furthermore, they tells me, it never was.
    Mayonnaise on a hamburger is an Abomination.

  7. #7
    Yep, never hurts to ask tho
    Ephemeral Sun - because I gotta do something about these boxes of CDs in the basement: http://www.ephemeralsun.com

  8. #8
    Member Jerjo (Join Date: Nov 2012; Location: small town in ND; Posts: 2,830)
    It's not like PE is Duncan's day job. It can wait.
    I don't like country music, but I don't mean to denigrate those who do. And for the people who like country music, denigrate means 'put down.'- Bob Newhart

  9. #9
    Moderator Sean (Join Date: Oct 2012; Location: Georgia; Posts: 1,150)
    Duncan is overseas for the next few weeks.

  10. #10
    Yep, no instant worries. Just thought I'd ask since the reset reminded me.

  11. #11
    Quote: Originally Posted by Jerjo
    It's not like PE is Duncan's day job. It can wait.
    As much as I appreciate the work involved (running my own sites), Let's Encrypt is not only free, but takes minutes to set up. It's so easy, and protects all of us.
    "Always ready with the ray of sunshine"

  12. #12
    *bump*

    just fyi, but Google Chrome goes SSL by default on 7/24; PE doesn't load properly over SSL.
    Last edited by strawberrybrick; 07-23-2018 at 10:00 PM.
    "Always ready with the ray of sunshine"

  13. #13
    Quote: Originally Posted by strawberrybrick
    *bump*

    just fyi, but Google Chrome goes SSL by default on 7/24; PE doesn't load properly over SSL.
    The problem here is not all the elements are secure and the non-secure elements are being dropped by the browser.

    I recently converted progforums.com to SSL and used PHP code in the forum header to re-write the address bar to the https version of any page. This can also be achieved in the .htaccess file on Apache systems.

    One problem is, if one of your users links, for example, an image on a remote site that is not secure, the browser will report that the page security is broken and the image won't appear (or in IE, it'll ask you if you want to display the non-secure items). I was able to use the forum's censoring rules to convert some known addresses to https - for example I have a rule that converts http://www.progforums.com to https://www.progforums.com. This saved me having to find them all and correct them manually!

    Of course, you can't simply convert all http:// to https:// because you can't guarantee any particular remote site is secure.

    It is a bit of a can of worms, unfortunately
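
The allowlist approach described in post #13, as an added example (not code from the thread, progforums.com or vBulletin): embedded image URLs are upgraded to https only for hosts known to answer over HTTPS, and every other insecure image is reported for review. The host list, the function name and the sample post are constructed for illustration.

```php
<?php
// Hosts known to serve the same content over HTTPS (constructed sample list).
const HTTPS_READY_HOSTS = ['www.progforums.com', 'www.progressiveears.org'];

/**
 * Upgrade http:// image URLs in post HTML when the host is allowlisted and
 * collect the rest, so they can be reviewed instead of silently breaking.
 * Returns [rewritten HTML, list of image URLs left as mixed content].
 */
function upgrade_embedded_urls(string $html, array $httpsHosts): array
{
    $leftInsecure = [];
    // Only <img src="http://..."> is matched: images are subresources the
    // browser blocks or warns about; plain <a href> links are navigation.
    $pattern = '~(<img\b[^>]*?\bsrc\s*=\s*["\'])(http://[^"\']+)(["\'])~i';
    $rewritten = preg_replace_callback(
        $pattern,
        function (array $m) use ($httpsHosts, &$leftInsecure): string {
            $host = strtolower((string) parse_url($m[2], PHP_URL_HOST));
            if (in_array($host, $httpsHosts, true)) {
                // Replace only the scheme; host, path and query stay untouched.
                return $m[1] . 'https://' . substr($m[2], strlen('http://')) . $m[3];
            }
            $leftInsecure[] = $m[2];
            return $m[0];
        },
        $html
    );
    return [$rewritten, $leftInsecure];
}

// Constructed sample post body: one allowlisted image, one unknown host, one link.
$post = '<p>Cover: <img src="http://www.progforums.com/img/a.jpg"> '
      . 'and <img src="http://images.example.net/b.png"> '
      . '<a href="http://www.example.org/">link</a></p>';

[$out, $mixed] = upgrade_embedded_urls($post, HTTPS_READY_HOSTS);
echo $out, PHP_EOL;
echo 'Still mixed content: ', implode(', ', $mixed), PHP_EOL;
```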

  14. #14
    On my sites, urls are written //www.whatever.com/ and the code appends the rest. I know it's worms, but there's no other way forward.
    "Always ready with the ray of sunshine"

  15. #15
    Well, with forum software, it's usually a case of changing a base URL somewhere in the database, but then you need to make sure anyone hitting the site from the old URL gets redirected to the secure version. This also helps search engines find your site and stops them thinking your site is duplicated.

    As I said, I did this in the php file that generates the header of each page and I assume a similar thing could be done to a vBulletin site.

    If I was going to do it here, my code would be something like this:

    Code:
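    // Redirect to the canonical HTTPS host when the request arrived on
    // another hostname or over plain HTTP.
    $redirect = false;
    $path = $_SERVER['REQUEST_URI'];
    $url = $_SERVER['HTTP_HOST'] ?? '';

    // Wrong (or missing) hostname
    if ($url != 'www.progressiveears.org') {
        $redirect = true;
    }

    // $_SERVER['HTTPS'] is unset or empty on plain HTTP (and 'off' under IIS),
    // so test for those cases instead of comparing the raw value with true.
    $SSL_test = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if ($SSL_test != true) {
        $redirect = true;
    }

    if ($redirect == true) {
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: https://www.progressiveears.org' . $path);
        exit; // stop here so the page is not also rendered for the insecure request
    }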
    This will ensure any incoming URL that doesn't match www.progressiveears.org or is not https gets rewritten.

  16. #16
    I run Apache, and use .htaccess to redirect to ssl/https.
    "Always ready with the ray of sunshine"
