How to offer both http and https access

Started by cloksin, May 31, 2011, 06:32:23 PM

cloksin

I would like to offer my members both http and https access to my forum.  I have two domain names registered and I host my own server, I'm running CentOS with Apache.  I would like to have one of the domains be http and the other be https and have both point to the same pages.  The URL that is displayed in the address bar of the browser would be of whichever one the user got into the site with.  When clicking on topics, or menu links, or threads the URL would remain the same and not revert to the other one. (ie, if I were to enter the forum using the https name when I click on a thread I would go to that thread and the URL would remain the https one).

This isn't being done in order to offer some secure data on the forum with one URL but not with the other, it is simply being done to accommodate several requests I've had by my members to offer the https option.

I know it can be done, I was once a member of a site that did the same thing, however that site is no longer around, and I have no idea how to do it. If anyone can help me that would be greatly appreciated.
SMF 2.0.1
SimplePortal 2.3.3

MrPhil

It's good that you recognize that SSL won't really give all that much security, but if it makes some members happy... Just make sure that even with SSL you don't run afoul of information control regulations such as HIPAA (U.S. medical data confidentiality laws).

Note that you need to secure all the sensitive areas (with the proper permissions) so that guests cannot access them. It doesn't make much sense to put the whole thing under SSL when any random guest can simply waltz in and still read it (whether under https or http)!

I haven't actually tried putting an entire forum under SSL (https), but I think that if you avoid any hard-coded "http:" URLs on your own site (just give the path and filename in the URI), those links should be the same http: or https: that your page is under. Can anyone confirm or deny this? All addresses on your site (links, images, CSS, JS, etc.) would have to be in such format. If you're pulling in anything from another site that is non-SSL, that will be a problem. I think you would have to add code to check whether you're under SSL (getenv("HTTPS") == 1 or "on" rings a bell) and either avoid http: URLs or change them to https: (where supported). I don't think that links to non-SSL addresses (e.g., the copyright link to SMF) will cause any problems, except that you may get a browser warning when you click on them (that you're leaving a secure page).

Hopefully that will get you started, unless someone chimes in to say that I'm all wet.  :o  This question has been asked a number of times before -- be sure to search on the subject, and let us know how you did it (or why it failed).

cloksin

OK, I got this to work, but there are still some things I need help with, so here is what I did and so far it is working great.

First, I use GoDaddy for my domain names, and I use wholesale internet for my host.  For around $60 a month[1] I get an unmanaged server with a block of 5 IP addresses.  The IP address of my server is the 1st IP in the block and also the IP of my non SSL domain name.

I purchased a second domain name and had to set up a virtual host in my httpd.conf file in order to point it to a second IP.  My httpd.conf file has this added to it.


<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName https://my new domain name
    # Directory paths must be absolute, matching DocumentRoot
    <Directory "/var/www/html">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>


That sets up the domain to look at that IP address as well as the same document directory as my non SSL domain.  I also had to point my new domain to that IP in my GoDaddy account, as well as submit a rDNS request to my host.

Next I had to set up the certificate, I chose to purchase a certificate from GoDaddy for $50 a year (Verisign is like $400 a year).  I did this to avoid the possibility of getting certificate errors in the browsers.  Some of my members aren't the most technically literate and would get scared if they saw a certificate error, not knowing what it really means.

Once I purchased the certificate these are the steps I followed to set the certificate up.

Quote
Move into the /etc/pki/tls/certs/ directory.

1. Create a Certificate

OpenSSL should be installed on the server as this will be used to create the keys. Install on a CentOS server with:

yum install mod_ssl

Create a RSA private key for the server:

Wherever it says server.key, server.csr, or server.crt, substitute your new domain name for the word server.

# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

# openssl rsa -noout -text -in server.key
Enter pass phrase for server.key:


Create a Certificate Signing Request with the server's RSA private key


# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=**/ST=**/L=**/O=**/CN=**/emailAddress=**
Getting Private key
Enter pass phrase for server.key:

Copy the contents of the csr file and paste it into the certificate tool on GoDaddy.  This will generate your certificate and public key.  Once that is done download the domain.crt and the gd_bundle.crt files.

# cp server.crt /etc/pki/tls/certs/
# cp server.key /etc/pki/tls/private/
# cp server.csr /etc/pki/tls/private

# chmod go-rwx /etc/pki/tls/certs/server.crt
# chmod go-rwx /etc/pki/tls/private/server.key
# chmod go-rwx /etc/pki/tls/private/server.csr


Edit your httpd.conf (CentOS) and add these lines at the bottom of the VirtualHost tag block you just added:

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt

Add this line to the top of the VirtualHost tag block:

SSLEngine On


Restart your webserver, you will be prompted to enter your pass phrase.

There is one more step necessary to make sure that your forum knows which to use, SSL or non-SSL.

Edit your Settings.php file:

find:


$boardurl = 'http://yourdomain.com/forum';     # URL to your forum's folder.  (without the trailing /!)



replace with:


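// HTTPS is unset on plain http requests, and some servers set it to 'off'
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    $boardurl = 'https://yournewSSLdomain.com/forum';
}
else {
    $boardurl = 'http://yourdomain.com/forum';
}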



This accomplishes pretty much what I am trying to do.


[1] EDIT: corrected pricing; original said $60 a year, corrected to say $60 a month
SMF 2.0.1
SimplePortal 2.3.3
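
Added example, not part of the original thread: a shell check that the private key, CSR and certificate produced by the steps in the post above all carry the same public key, and that the key file has no group or other permissions, which is worth running before restarting Apache. The forum.example.com name, the function names and the unencrypted throwaway key are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: verify TLS material before pointing SSLCertificateFile and
# SSLCertificateKeyFile at it. Names and sample data are constructed.

# pub_fp key|csr|cert FILE -> prints a SHA-256 digest of the PEM public key.
# A passphrase-protected key (as made with -des3) makes openssl ask for it.
pub_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable or malformed file yields no key; never hash empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256
}

# check_tls_material KEY CSR CERT -> prints "ok" and returns 0 if consistent.
check_tls_material() {
    k=$(pub_fp key "$1")  || { echo "unreadable key: $1"; return 1; }
    r=$(pub_fp csr "$2")  || { echo "unreadable CSR: $2"; return 1; }
    c=$(pub_fp cert "$3") || { echo "unreadable certificate: $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not made from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    # After chmod go-rwx the group and other permission bits must all be clear.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "private key is readable by group or others"; return 1; }
    echo "ok"
}

# make_constructed_material DIR -> throwaway key, CSR and self-signed cert,
# using the same openssl subcommands as the post (no passphrase, fixed subject).
make_constructed_material() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=forum.example.com" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    chmod go-rwx "$1/server.key"
}

demo_dir=$(mktemp -d)
make_constructed_material "$demo_dir" &&
check_tls_material "$demo_dir/server.key" "$demo_dir/server.csr" "$demo_dir/server.crt"
```

Against real files, call check_tls_material with the paths used in httpd.conf; the certificate downloaded from the CA should pass the same comparison as the self-signed one.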

cloksin

Now, there are still a couple of things I would like to happen that I'm not quite clear on.  I would like to make access to the SSL site password protected, meaning one generic username and password that I can give to my members that they would have to input before they would be able to get to the SMF login page, where they would then input their personal credentials.  Not sure how to set that up.

Second, as per this thread, where I got a lot of my information on how to set this up http://www.simplemachines.org/community/index.php?topic=398876.msg2772663#msg2772663

it is mentioned that in order to make different themes and such work properly in this configuration a change needs to be made to make the url's relative paths instead of absolute paths.

Quote from: excaliburj on September 03, 2010, 02:32:21 PM
Not each theme, but it IS done in the ACP and not Settings.php.

Configuration -> Themes and Layout.

There's a place at the bottom for the Base URL for the Themes directory. Don't touch the directory entry, but change the Base URL to "./Themes" and click the "Attempt to reset..." button.

When the page comes back, that field will again be filled with a fully qualified URL, but your themes listed above that should show like this:

Default Theme -
Theme directory (templates): /home/mainsite/public_html/forum/Themes/default (whatever path is right for YOU, of course)
URL to above directory: ./Themes/default
URL to images directory: ./Themes/default/images

Then Forum -> Smileys -> Settings for the Base URL for Smileys ("./Smileys")
Then Forum -> Attachment and Avatars -> Avatar Settings for both the Avatars URL and the Upload URL.

The problem is that I have tried to do exactly what is outlined here yet my themes revert to an absolute path of whatever domain I'm logged in under when I make the change.  Am I doing something wrong, is there a different way to do this?

While I do have a few different themes installed, they never worked correctly because of the mods I have installed, so all my members use the default curve theme.  One of my other big projects is creating several themes, and then rebuilding the site, installing the themes first, then all the mods, and then copying the database over to keep all the member info, boards, threads, PMs, etc.  I would like to have the bugs worked out of this SSL project before I start installing the themes on the rebuild.
SMF 2.0.1
SimplePortal 2.3.3

endus

Sorry to bump this but just wanted to put in a recommendation for the above Settings.php change.

I wanted to do SSL for a variety of reasons (shoutbox not working at some companies with restrictive javascript filtering policies for one) but it was giving users errors because some of the content is not delivered securely (avatars).

Putting that snippet in Settings.php to use whatever the user connected using worked perfectly.

SlammedDime

Editing the boardurl in Settings.php is the wrong way to go about it, as you will be mixing http and https when it comes to themes and such.  SMF has provisions for allowing multiple URLs to access the same site without any code modifications, or changes to settings.php, etc.

Please see this post: http://www.simplemachines.org/community/index.php?topic=414054.msg2912994#msg2912994

endus

I finally got around to trying the above and that does seem to work much better.  The themes were the major issue, not having them be secure, or having them be secure when the user is using the opposite protocol.  I *think* it's what is causing some issues for users on my site. I just made the change, reset the theme to the http URL, and everything (including https) works fine now.  I am hoping this resolves the issues.

endus

Sorry to bump this thread yet again but I wanted to give a quick update.

Doing it the second way mentioned is definitely the way to go.  I had a couple of users who were having problems with the forum...stylesheets and/or smilies were not loading properly.  It was because of mixing content http/https, but I don't think they were not allowing the mixed content in their browser, and most of the users were totally fine.  No specific browser...safari and firefox both did it for some people and not others, did it for people at work but not at home.

We had had some DNS issues when we migrated to a new host, so people had the IP.  They were able to get the site to load and work via IP, but not by URL.  It was very very strange and I still don't understand why it was happening.

However, doing things the second way fixed everything.  It allows you to set the site up with all the smilies URL's and etc. as http, and they automatically switch to https when the user is accessing the site that way.  It works much much better.  No more issues using the URL to access the site, no more shoutbox jumping from the smilies.
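
Added example, not part of the original thread: a shell filter that lists the stylesheets, scripts and images a page loads over plain http, which is the mixed content described in the posts above, while ignoring ordinary `<a href>` links such as the SMF copyright link. The sample page, its forum.example.com URLs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find hard-coded http:// subresources in a page that is
# meant to be served over https. Sample data below is constructed.

# mixed_content_urls: reads HTML on stdin, prints one offending URL per line.
# Only tags that fetch something are inspected; <a href> is navigation and is
# skipped. A <link> that is not fetched (rel="canonical") would be a false
# positive, so review the list rather than treating it as final.
mixed_content_urls() {
    q="[\"']"
    tr '\n' ' ' |
    grep -oiE "<(img|script|iframe|link|embed|source)[^>]*[[:space:]](src|href)=${q}http://[^\"'>]+" |
    sed "s/.*${q}//"   # the URL has no quotes, so the last quote opens it
}

# Constructed page as it might be served from the https domain.
sample_page() {
    cat <<'EOF'
<html><head>
<link rel="stylesheet" href="http://forum.example.com/Themes/default/css/index.css">
<script src="//forum.example.com/Themes/default/scripts/script.js"></script>
</head><body>
<img class="avatar" src="./avatars/member1.png" alt="">
<img src="http://forum.example.com/Smileys/default/smiley.gif" alt=":)">
<img src="https://forum.example.com/Themes/default/images/logo.png" alt="logo">
<a href="http://www.simplemachines.org/">SMF</a>
</body></html>
EOF
}

# Prints the stylesheet and the smiley; the relative, protocol-relative and
# https resources and the plain link are not reported.
sample_page | mixed_content_urls
```

Pipe a saved copy of a forum page into mixed_content_urls after changing the theme, smiley or avatar URLs; an empty result means no inspected tag still points at http.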


cloksin

Thanks for the update, I'm currently rebuilding my site from scratch with 2.0 (I've had a bunch of errors and things not working just right) and when I'm done I'll copy the database over.  I'm using the way I outlined on the current site, but will use this new method on my rebuild and will post an update as to how it works when I get to that point.
SMF 2.0.1
SimplePortal 2.3.3

nfpuu1u

Hi!

Quote from: SlammedDime on June 28, 2011, 06:04:21 PM
Editing the boardurl in Settings.php is the wrong way to go about it, as you will be mixing http and https when it comes to themes and such.  SMF has provisions for allowing multiple URLs to access the same site without any code modifications, or changes to settings.php, etc.

Please see this post: http://www.simplemachines.org/community/index.php?topic=414054.msg2912994#msg2912994

Are there any other things to do (clear cache,...) to get this to work? I've uploaded and executed this script, the data was added to my database but I still have some links like the answer or new thread buttons or the links to my forums in the forum overview.

Illori

Please open a separate topic for your question, this topic belongs to someone else and is marked solved.
