HTTP & HTTPS for same forum

Started by JBlaze, August 18, 2014, 06:46:24 PM

JBlaze

I'm building a site for a client that is using SMF, and the client would like to know if it is possible to access the same forum through both HTTP and HTTPS on different subdomains.

An example would be the same forum residing on http://www.example.com/forum and https://secure.example.com/forum

I'm sure it's possible, but how much work am I realistically looking at to accomplish this? It's a firearms-based community, so I am dealing with a bunch of paranoid members, so talking them out of using either HTTP or HTTPS alone would not end well.
Jason Clemons
Former Team Member 2009 - 2012

Arantor

In theory it's doable, it's just messy.

The way I'd do it would be to have intercepts early on in the process, whereby it detects the requested $_SERVER['HTTP_HOST'] (which gives you the domain name), switch out $boardurl and the various $settings stuff as they get defined so that the system thinks it's configured based on whatever the request said.

Where it gets complicated, though, is where you have links from HTTP being dropped on the HTTPS which would see the security drop.

Honestly, I'd suggest going HTTPS throughout and just be done with it. If the community is paranoid, they're going to want that and those that don't care, won't care anyway. Then your only real problem is dealing with the img tags where you ideally need to shuffle them through an HTTPS proxy (i.e. your code) when they're not on a secure endpoint the other end. I believe Dragooon added some stuff into 2.1 for this.
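The Host-based intercept described in the post above, as an added example that is not part of the original post and is not SMF source code. The host table, the function names and the sample settings are assumptions; because `HTTP_HOST` is supplied by the client, the request host is only used as a lookup key into a fixed allowlist and is never copied into generated links.

```php
<?php
// Added example with hypothetical names; not taken from SMF.
// Hosts this install answers on, each mapped to its fixed base URL.
// The scheme comes from this table, never from the request.
const FORUM_HOSTS = [
    'www.example.com'    => 'http://www.example.com/forum',
    'secure.example.com' => 'https://secure.example.com/forum',
];
const PRIMARY_HOST = 'secure.example.com';

/**
 * Pick the base URL for this request from the Host header.
 * Anything that is not in the allowlist falls back to the primary host
 * instead of being echoed into links, cookies or redirects.
 */
function resolve_board_url(array $server): string
{
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    // Drop an optional port, e.g. "secure.example.com:443".
    $host = preg_replace('/:\d+$/', '', $host);

    return FORUM_HOSTS[$host] ?? FORUM_HOSTS[PRIMARY_HOST];
}

/** Swap the configured base URL for the resolved one in every URL-valued setting. */
function rebase_settings(array $settings, string $configured, string $resolved): array
{
    foreach ($settings as $key => $value) {
        if (is_string($value) && strpos($value, $configured) === 0) {
            $settings[$key] = $resolved . substr($value, strlen($configured));
        }
    }
    return $settings;
}

// Constructed sample configuration and requests.
$boardurl = 'http://www.example.com/forum';
$settings = [
    'theme_url'  => $boardurl . '/Themes/default',
    'images_url' => $boardurl . '/Themes/default/images',
    'name'       => 'Sample forum',
];

foreach (['secure.example.com', 'SECURE.example.com:443', 'unlisted.invalid'] as $requested) {
    $resolved = resolve_board_url(['HTTP_HOST' => $requested]);
    $rebased  = rebase_settings($settings, $boardurl, $resolved);
    echo $requested, ' => ', $rebased['theme_url'], PHP_EOL;
}
```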

JBlaze

That's much easier than I originally thought. I'll see if I can't get the client to agree with just going with HTTPS, which means I'm going to have to nudge them into buying an SSL cert rather than the self-signed route they'd like to go (/facepalm). I'm pretty sure they can afford the $10/yr it costs to get a RapidSSL cert through their host.

As for the images, I've already told the client that, ideally, all media should be uploaded directly to the server if possible rather than externally linked (exception for YouTube videos and the like). This would avoid the issue of the browser flagging unsecured external links.

I'll see how much trouble it will be to attempt and run both subdomains, and then present it to the client from there. This job has really turned into a royal pain in the rear :P
Jason Clemons
Former Team Member 2009 - 2012
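For externally linked images that remain, the HTTPS image proxy mentioned earlier in the thread could look like the sketch below. It is an added example, not part of either post and not SMF's own proxy code; the endpoint path, the secret and the function names are assumptions. Each proxied URL carries an HMAC so the proxy only fetches addresses the forum itself issued.

```php
<?php
// Added example with hypothetical names; not taken from SMF.
const PROXY_ENDPOINT = 'https://secure.example.com/forum/imgproxy.php'; // assumed path
const PROXY_SECRET   = 'replace-with-a-long-random-secret';             // placeholder

/** Build a proxy URL carrying the original address and an HMAC over it. */
function proxy_url(string $src): string
{
    $sig = hash_hmac('sha256', $src, PROXY_SECRET);
    return PROXY_ENDPOINT . '?' . http_build_query(['u' => $src, 'sig' => $sig]);
}

/** Rewrite only plain-HTTP <img> sources; HTTPS and relative ones are left alone. */
function rewrite_insecure_images(string $html): string
{
    return preg_replace_callback(
        '/(<img\b[^>]*\bsrc=")(http:\/\/[^"]+)(")/i',
        function (array $m): string {
            $src = html_entity_decode($m[2], ENT_QUOTES);
            return $m[1] . htmlspecialchars(proxy_url($src), ENT_QUOTES) . $m[3];
        },
        $html
    );
}

/** Proxy side: accept a request only if its signature matches the URL. */
function proxy_request_is_valid(array $query): bool
{
    $src = $query['u'] ?? '';
    $sig = $query['sig'] ?? '';
    if (!is_string($src) || !is_string($sig) || stripos($src, 'http://') !== 0) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals(hash_hmac('sha256', $src, PROXY_SECRET), $sig);
}

// Constructed sample post body: one insecure image, one already on HTTPS.
$post = '<img src="http://img.example.net/a.png"> <img src="https://cdn.example.org/b.png">';
echo rewrite_insecure_images($post), PHP_EOL;

// Constructed proxy requests: one as issued, one with the URL changed afterwards.
parse_str(parse_url(proxy_url('http://img.example.net/a.png'), PHP_URL_QUERY), $query);
var_dump(proxy_request_is_valid($query));
$query['u'] = 'http://other.example.net/x.png';
var_dump(proxy_request_is_valid($query));
```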

Arantor

If they're serious about SSL, self-signed is not the way to go. There's nothing quite like the big scary warning to sway the uncertain away from the site anyway.

JBlaze

Quote from: ‽ on August 18, 2014, 07:07:17 PM
If they're serious about SSL, self-signed is not the way to go. There's nothing quite like the big scary warning to sway the uncertain away from the site anyway.

I tried explaining that, to which they replied with wanting to use both HTTP and HTTPS. It's been rather... fun dealing with this one.
Jason Clemons
Former Team Member 2009 - 2012

Arantor

It sounds like it. I'd almost be tempted to fire them.

JBlaze

Quote from: ‽ on August 18, 2014, 07:09:48 PM
It sounds like it. I'd almost be tempted to fire them.

Just another life lesson for me. Never take on jobs for friends of friends.
Jason Clemons
Former Team Member 2009 - 2012

Arantor

Nearly over, your time of being a padawan learner is.

JBlaze

Quote from: ‽ on August 18, 2014, 07:12:09 PM
Nearly over, your time of being a padawan learner is.

And to think, I've been doing freelance for 5+ years now...
Jason Clemons
Former Team Member 2009 - 2012

Arantor

Yup, but sometimes it takes years of experience to learn certain lessons. ;)

But yeah, you've probably learned pretty much all the lessons you're going to learn by now I think.

JBlaze

Ok, convinced the client to go the full SSL route. So all is well. I may look into seeing what I can do to have a single SMF install accessible through two or more domains as a side project since this instance got me a bit curious. But that will have to wait until I'm done with this client, which won't be soon enough :/
Jason Clemons
Former Team Member 2009 - 2012

Arantor

Part of the problem of making it accessible under multiple domains is the inevitable penalty from Google for duplicate content, though of course you get all the usual realms of people cross-linking posts and effectively bouncing between domains without realising.

JBlaze

Quote from: ‽ on August 19, 2014, 02:53:24 PM
Part of the problem of making it accessible under multiple domains is the inevitable penalty from Google for duplicate content, though of course you get all the usual realms of people cross-linking posts and effectively bouncing between domains without realising.

True, although the Google issue can be solved by having it noindex on all but the primary domain, no? And I'm sure there's a way for backlinks to be fixed according to a user's preferred domain set in their profile? It sounds good now, but I'm sure there are many problems awaiting me when I start digging heh.
Jason Clemons
Former Team Member 2009 - 2012
