Simple Machines Community Forum

SMF Support => SMF 2.1.x Support => Topic started by: MultiformeIngegno on February 10, 2019, 05:55:39 PM

Title: You can only login via HTTPS
Post by: MultiformeIngegno on February 10, 2019, 05:55:39 PM
I just tried upgrading my forum from 2.0.15 to 2.1 RC1 (actually the current branch on GitHub). I run the upgrade script but when I try to go to the home page I see this error: "You can only login via HTTPS".
I am always redirected to /?sslRedirect. The problem is that I AM logged in using https. I tried opening a private browsing tab and going directly to https://mysite but I still see the error:

(https://i.imgur.com/qa1E6o5l.png)

EDIT: Seems to be related to this https://sea-region.github.com/SimpleMachines/SMF2.1/issues/5115

I'm on PHP 7.2, database is MySQL and I had https working with 2.0.15
Title: Re: You can only login via HTTPS
Post by: Arantor on February 10, 2019, 05:58:31 PM
Do you have nginx as a proxy in front of Apache?
Title: Re: You can only login via HTTPS
Post by: MultiformeIngegno on February 10, 2019, 06:02:27 PM
Quote from: Arantor on February 10, 2019, 05:58:31 PM
Do you have nginx as a proxy in front of Apache?
I'm on Gandi's Simple Hosting (they're just using Apache). I am using Cloudflare as proxy (and to serve the SSL certificate).
Title: Re: You can only login via HTTPS
Post by: Arantor on February 10, 2019, 06:13:28 PM
Ah so there's likely your problem - it sounds like SNI termination: Cloudflare will handle the certificate, but by the time it gets to SMF, it's not actually using HTTPS between Cloudflare and your server so your server thinks it's running HTTP.

I forget which option you need to turn off but there's one of the new options in 2.1 that has been turned on to force HTTPS login.
Title: Re: You can only login via HTTPS
Post by: MultiformeIngegno on February 10, 2019, 06:55:05 PM
Yep, you were right. I generated a certificate and changed Cloudflare to connect to my server using https. That solved it. Maybe it'd be good to have some sort of explanation or have a check before enabling that option during the upgrade process..?
Title: Re: You can only login via HTTPS
Post by: albertlast on February 11, 2019, 12:14:53 AM
Could you explain how smf can check this?
Title: Re: You can only login via HTTPS
Post by: Arantor on February 11, 2019, 02:03:12 AM
Quote from: albertlast on February 11, 2019, 12:14:53 AM
Could you explain how smf can check this?

It can't. It shouldn't even try because it has literally no way of knowing it isn't supposed to use HTTPS mandatorily in this case.