SS!/https version of repair_settings.php ?

Started by aegersz, November 27, 2016, 09:43:49 PM

Previous topic - Next topic

aegersz

The version of repair_settings.php that i have does NOT support https/SSL, unless you can tell me something that I overlooked.

Is there a version that does, please ?

otherwise, i have to change my Theme defaults and Server Settings Paths manually, it's no big deal but i thought maybe it would make life a little easier and i'm thinking that you have to do it eventually.
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

vbgamer45

Doesn't exist currently SMF 2.0 originally wasn't built with https in mind
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Kindred

Ummm... it seemed to work for me when I switched my sites to https.

I changed the htaccess first, and then changed the based URLs
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

aegersz

Well Kindred, if you try it now but without changing everything, I'd be interested to see what it suggests to you ... it's no big deal though
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

aegersz

it doesn't matter, i adapted it myself. I changed the line shown below from "http:" to "https:"

$url = 'https://' . $host . substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/'));

tested and works well.
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

willerby

Ok, I'm new to SSL/https and have just implemented on my forum/host without thinking through the implications. I can now no longer log in and nor can my members. Bit of a cock-up.

I'm reading aegersz posts and don't fully understand what I need to do. Could someone elaborate and provide a step by step guide? Pretty please...

This all came about because I use Tapatalk BYO which will require https from 1st January to continue working on Apple. I'm beginning to think I have seriously messed up here  :-\
What type of washing machine is September?

An autumnatic. :)

d3vcho

Hello!

Go to Repair_Settings.php and change line 472 to what aegersz posted. Don't know if that's the best solution.

Regards :)
"Greeting Death as an old friend, they departed this life as equals"

willerby

Where is repair_settings.php, I can't find it anywhere?
What type of washing machine is September?

An autumnatic. :)

d3vcho

Sorry, I thought you already got the file. You can download it here: http://download.simplemachines.org/?tools

Regards :)
"Greeting Death as an old friend, they departed this life as equals"

willerby

Ok, so I make the change then upload the file to root (or /forum sub-directory?) and access it on a browser. Is that correct? I'm used to editing php code but never had to use this before. Thanks
What type of washing machine is September?

An autumnatic. :)

d3vcho

If your forum is in a subdirectory, you'll have to access through it, for example: web.com/forum/repair_settings.php

Regards :)
"Greeting Death as an old friend, they departed this life as equals"

willerby

Thanks for the clarification.

Unfortunately, on its own the repair_settings.php simple amend didn't work for me, I suspect due to the many mods and tailored code / portal front end etc that I have built over the years. My host has kindly removed SSL and all is back as it should be but this now creates a little conundrum for me.

I have already moved to a custom Responsive theme and allowed my club members to access via Tapatalk BYO for Apple IoS and Android/Google. Regular users like the simpler interfaces of the App on their phones, preferring the Responsive full site for tablets and desktop/laptops (which is also pretty good for irregular phone visitors). Given all of these options really needs https:// at some point in the future I have the feeling I am going to have to undergo a major revamp when 2.1 goes RC, or get under the bonnet and manually fix the issues various mods may be having in 2.0.12.

Right now looks like its goodbye to Tapatalk from 1st January. :(
What type of washing machine is September?

An autumnatic. :)

Kindred

my site is running https/ssl just fine...  so, SMF works perfectly well on https already

(that being said, I think that tapatalk is a complete waste, myself)
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

yamiacaveman

I had no problem updating to SSL

Under these conditions -- My site was a relatively new install although many mods had been installed.
My Web Server Hosts - aided my conversion

  They offered a free SSL certificate and they made sure it was enabled form me.
  The redirect to 301 from HTTP to HTTPS did not seem to work so they wrote and installed a few lines of code in my .htaccess file and that corrected the going to SSL problem
  Some things still did not work or I was not getting the green bar or pad lock on some of my pages.
  My host directed me to the repair-settings program -- READ and Followed the directions to the best of my limited abilities in the repair _settings program

My version 2.0.12
I believe I ran the database first
then the urls
then I had to adjust manually urls that were listed as HTTP to HTTPS
Had no problems

I don't know if the order of doing things has anything to do with it, again with help from my host, because I know nothing, I made it through the conversion basically painless.

So in my case
got SSL up and running first
Got redirect up and running
Ran the repair_sttings -- first database then URL's then had to manually adjust some URL's
No problems.

I hope that helps and hope you get it going.

yamiacaveman



aegersz

My suggested change to Repair_Settings.php can be of use also to cloned systems or your test systems, if they run SSL.
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

Illori

Quote from: aegersz on December 20, 2016, 12:58:33 AM
My suggested change to Repair_Settings.php can be of use also to cloned systems or your test systems, if they run SSL.

we are working on updating repair_settings.php [all in lowercase] to support https URLs.

aegersz

Good move ... at least we started to get the ball rolling on this matter.

Moving to SSL gave me the impetus to secure the other weaknesses on my whole server.

My members asked me many times to implement SSL as they saw my site as a potential risk and weren't really happy about it considering that if anybody managed to access their email addresses then significant legal actions could possibly ensue (by law enforcement). It's is conceivable that I could be subpoenaed to turn over my entire database if we fail  to enforce our strict rules.

It's all about keeping my members happy and I take each complaint seriously.

I use repair_settings.php every time I refresh my cloned and test/mirror site (often daily). The cloned site allows us admins and staff to access any member to see what they might be up if we suspect that are trying to trade.

Thanks for addressing it.
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

Mike66

Quote from: Illori on December 20, 2016, 05:19:22 AM
Quote from: aegersz on December 20, 2016, 12:58:33 AM
My suggested change to Repair_Settings.php can be of use also to cloned systems or your test systems, if they run SSL.

we are working on updating repair_settings.php [all in lowercase] to support https URLs.

Hi Illori,

Is this now updated and ready to use for a simple https conversion please?

I am considering moving to SSL, but will only do so if the move is hassle free 'for dummies'  :D

Best wishes
Mike

Illori

it should be uploaded as far as i know but you should wait until 2.0.14 unless you want all your images users may embed in posts to cause issues.

Mike66

Thanks for your reply ..... I'll keep an eye open for 2.0.14  :)

Best wishes
Mike

richardwbb

I wonder, Illori, is there a way to make any browser to 'try' https, with every possible [http] link the forum software encounters, [I'm aware of performance penalty, that isn't why I am asking you, but this has my interest too], then, on a 404 or port closed, try http, to probably succeed or to confirm it indeed seems to be a 404.

I am using https now, with the help of Let's Encrypt and aegersz, but, as I learned from someone's code, putting '//domain.tld' makes a browser go with http, or, https, based on what protocol is matter of course. But, making the forum software, change; 'http' to; 'https', [I'm not aware how, but I am able to change all 'http' in a MySQL dump to https], will result in a 404 for providers that do not have ssl enabled.

Can you shed some light on this, since, I've learned that *some* modifications, [that are really, and I mean, really, competent], are surpassed by time, since they contain 'http://domain.tld' coding, while '//domain.tld' works cross-browser, and it makes 'http', or 'https', preferable, as the matter of course.

Quote from: Illori on February 24, 2017, 05:03:32 AM
it should be uploaded as far as i know but you should wait until 2.0.14 unless you want all your images users may embed in posts to cause issues.
If my post in this topic looks ambiguous to you, then I'm with Murphy's law and General Stupidity. In other words, trial and error.

Arantor

HTTPS Everywhere would be the solution for that, but there's still large amounts of the web that do not do HTTPS - and you'd be surprised that not everywhere actually *needs* it because browsers aren't going to list pages as insecure unless they have a form on them with a password and no HTTPS.

This site, for example, does not list 'insecure' for me even in current Chrome, while I'm logged in.

Forcing all links to go in this fashion is not actually particularly clever in the scheme of things because until they actually go HTTPS their end, you can end up with a poor experience depending on various things. I've even see cases where you go to https://example.com/ and end up getting a completely different site because of misconfiguration of Apache and the fact both sites are hosted on the same server.

As sites migrate to HTTPS, they'll also start putting in redirects - and the smart ones will use HSTS anyway so the browser can be told 'don't bother trying HTTP, for the next x days, just assume I want you to use HTTPS' and they'll automatically do it without even having to have a server roundtrip.

richardwbb

Hey Arantor. If you are reading this, you might want to skip over to the code and just read everything beneath. [or just forget about my point I try to make, I won't mind, since I am confident [by reading this forum for quite some hours], that SMF won't fail on its community].

I value your words. I noticed you have spoken from a client perspective and I noticed with that, I didn't take this in consideration. Also, now I've read a little about HSTS, I noticed that it protects one of 'cookie hijacking', since I read somewhere; 'In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session'. With 'valid computer session', I find it safe to assume that SMF will take that in consideration over my personal preference, and, in that case, I will wait patiently.

For HTTPS everywhere, I'm a sincere user of Mozilla Firefox. Of course I am running Chrome [As a developer I need it], but, their way of storing settings I just won't get used to and it might just be me, but I'm just not willing to install a modification for a big browser brand, to let me choose which url to connect with, 'open new tab'. I find their way of sovling this, both, genius [eighty percent or more of all internet servers prefer Chrome], and obstructing [I find that; Mozilla Firefox is like Apache is to Nginx]. Most users will prefer Chrome over Firefox, and forgive my ranting, the Firefox developer tool I understand, and that I found hard enough.

I wasn't aware it isn't wise to force all links in this fashion, as you have written. I understand from investigating on a single forum I am Site Admin of, and that is not similar to the broader situation you have spoken of, of course. The point was, users post links to images, hosted by another 'cdn' or 'myalbum', 'imgur'. Now, some of those hosts, support https, and some just don't or are totally free and ask for this particular case, a small fee. 

However, I am not able to refine of your words, what exactly has been running your mind. I've learned that, Firefox, since version fourtyseven [and possibly even older], until now, is dropping javascript that is comming from 'http'. And, after noticing, that *something*, isn't 'https', it starts notifying the user, that; 'there might be a picture that has been altered since it wasn't a secure connection', which made me laugh, but I also understand that of all surfers of the internet, a lot of them aren't paying attention to security, no matter if they are able to understand what this is or not.

Now, my Mozilla Firefox, and Google Chrome browser is running in my native language, [so I'm not able to quote the exactly] but I find it awkward, that, Firefox is, very, very protective, to their users, and Chrome is closer to notifying the user that;' 'the domain the user went to. meaning; the forum I care for, meaning; what is important to me', is secure, but, 'there are sources on it that are not secured', meaning there is a javascript or jpg that is called for over http.

Now, the latter, is working quite well and for Mozilla Firefox, no matter what, I've had to use pretty urls 'updateSettings(array('pretty_root_url' => $boardurl)', to tell it to use https [to everyone; this isn't SMF related], and, to use 'repair_settings.php' and change all those 'http' to 'https', and finally; there is only *one* way I found that is working [since php isn't always reporting '$_SERVER["HTTPS"]' by var_dump, or even still saying 'port 80', while it really is 'port 443'. That I had to use [to make SMF and Firefox agree to redirect all http redirects to https [this means; Mozilla Firefox, detected http, dropping to http, and; htaccess redirecting to https, meaning; http isn't supported any longer at all]; If that wasn't clear, the darn thing keeps dropping to http and htaccess keeps kicking it to https and that is just Mozilla Firefox, meaning, any browser could behave like this and I wasn't able to achieve this behaviour [which is preffered, what is the maximum that is possible, to open every page that holds *no* http query, and show a 'green and secure logo', without notification of something, very, very, small, to all the users in the whole world, I spoke with peope close to me, they usually don't know what I'm asking when I say 'secure web page']. and this has to be solved with htaccess. Since browsers won't default to https, but always will prefer http first [think about it, the whole world we live in receives the news we should use https, well, this is what happening in the way, the Mozilla and the Chrome, can't be blamed, they are blaming the administrators, meaning, you.]

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]


I understand that this is a long story [again, sry], but please be notified, Mozilla Firefox, keeps dropping https to http, and this code has helped me. [I'm not getting this since I assume that SMF forum software running 'https', can not fall back. It did this with Chrome, another browser so unknown I won't mention it, and Mozilla Firefox 51, kept dropping to 'http', since it was available [my ISP won't allow me to close port 80, which I won't blame them for], when; a single picture, or javascript was called over http.

And for a forum, an image inclusion over http, can not be changed to a mandatory https query, since the remote host might not support this, and that would obstruct regular users that make me happy since they are *able* to post an image, make pull their hair out on a security issue, which doesn't interest them and which I believe shouldn't be bothering them.

For the long post; I noticed that Mozilla Firefox holds a different view and Chrome is more forgiving on this, Mozilla Firefox users are scared a bit I find, and Chrome is to the point. In the end, without a redirect by htaccess, I couldn't get Mozilla Firefox to drop javascript [meaning that Fancybox seized working], and Chrome would take this. I wonder if there is anyone that has written a standard for this, and if so, if Mozilla Firefox and Google Chrome had a different way of interpreting.

Finally, for the people that made it up to here in my post; it would be a lot easier, if browsers preferred https over http, then keep notifying users that usually don't even know the word 'security', or 'https', then giving administrators an headache overcoming this. This I find uphill behaviour, Google Chrome and Mozilla Firefox, can't be blamed [take my word for it, their preferal of https over http will give them problems], and they put my administrator life in to misery, which I have no respect for at all.

p.s. I couldn't learn why the code that has been '#', won't work for Mozilla Firefox, while the code just above does. Also, be aware, I'm being a bit fundamental here, there are easier ways to solve every issue anyone might run in to, I'm just after, a fix once, and support every 'silly' combination internet surfers come up with, [don't forget the mobile phone with it's native browser, which isn't Firefox or Chrome], since I believe they [the casual internet surfer] *can* be unaware, and therefore, are perfectly able to do so. And another one, anyone getting this, it just makes no sense to contact Mozilla Firefox for this and explain to them this is a reason out of many I am aware of, why they currently losing marketshare to Google Chrome [which I find isn't the liberty, people deserved in the first place with the internet, open source and such]. A final word, don't ask me about EU Cookie Law. It will be a long post. ;)
If my post in this topic looks ambiguous to you, then I'm with Murphy's law and General Stupidity. In other words, trial and error.

Jailer

Do a 301 redirect in your server config and be done with it. It really is as simple as that.

Once you've got that working then you can enable HSTS and your visitors will all be connecting via https after their first visit.

Arantor

Quoteuntil now, is dropping javascript that is comming from 'http'

If the JS is coming from HTTP but the overall site is HTTPS, there's your problem - mixed content is considered insecure and JS from HTTP will not be run on an HTTPS site on the presumption that HTTPS is considered more secure. A 301 or ensuring all paths are correct will fix that for your site, but you can't fix other peoples' sites.

To fix the images-over-HTTP problem, the solution isn't to sit and have some kind of rewrite, but to proxy the image. 2.1 already supports this, I believe it's being backported to 2.0.14 but don't quote me on that - it means the server makes the HTTP request and serves the content to your user over HTTPS without them having to do anything.

The 'falling back to HTTP' issue sounds like something wasn't configured to use HTTPS, perhaps the forum, perhaps theme paths, not sure what without seeing the URL in question.

The problem with browsers 'preferring' one content scheme over another is largely a historical matter when certificates used to be expensive and hard to set up (and in some cases actually problematic to set up before things like SNI came along), plus the fact that for a long time the additional processing cost of the encryption made it only worthwhile for sensitive matters, but Moore's Law has largely fixed that over the last 20 years or so.

As for FF losing market share to Chrome, there are several reasons. Their hardline stance on ideology (cf. things like not supporting h.264 out of the box) is admirable but the reality is that users don't care. Users see videos not playing in the browser, assume the browser can't do it, not that the browser makers chose for it not to by default. Then you have the attempt at diversification into areas no-one cared about (Firefox OS), you have the various ways they've built up and subsequently removed plugin features (XPCOM and XUL, meaning that programmers largely had to rewrite, or ditch, their plugins)

Plus you have the technical issues; FF leaks memory more than Chrome does, it's frequently slower than Chrome and suddenly people find that whatever ideological merits Mozilla has, they still have stuff they want to do, whether it's work or watching cat videos on YouTube.

richardwbb

I've made;

.htaccess;
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


and used a modified version of repair_settings.php, which 'aegesrz' gave to me. It wouldn't be hard to create your own either.

It is a while ago, but I believe I had to do more, it where three steps, not two, for Firefox. Some hard used browsers did swear up too. But Firefox is a good browser and Chrome no different, my opinion is biased and that I'm used to Firefox. Some sites offer the apple version, [Safari I believe], Chrome and IE. :/

Ah, I remember now, te HSTS, with the 'Strict-Transport-Security: max-age=31536000', not remembering but that was Arantor's point and I'm using it now. I didn't take that max age variable serious, for the code and what it does, I believe a on/off construction would have be more enlighting to me.

Now I wonder if there is a way to tell simplemachines by index.template.php or somewhere else, that I supply a list of valid https content hosters, which there are and considering to change signatured of people since it can be https link existing, but the user didn't use it which I won't blame them for of course.

And another quick tip, instead of changing any hard coded http://domain.tld, use //domain.tld, browsers stick with the 80 or the 443 they are on. It fixed my version of FancyBox 4 SMF, it's going http:// hard coded on two places in the code. Firefox drops it and it says '00' somewhere in the generated by php, html code. Chrome runs it. It is a good mod, I've mailed the guy with the panda a fan-mail but didn't hear from him, which I regret.
If my post in this topic looks ambiguous to you, then I'm with Murphy's law and General Stupidity. In other words, trial and error.

Advertisement: