News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

SSL offloading an SMF forum

Started by Floyd-ATC, October 29, 2015, 03:38:48 PM

Previous topic - Next topic

Floyd-ATC

I have experimented a bit with using my Linux based keepalived/haproxy cluster to do SSL offloading for various web sites of mine and found SMF a bit difficult to work with because it seems to insist on refering to itself using the absolute URL beginning with "http://" (or "https://" if you change board's URL).

Unfortunately, if you either want to make the forum protocol independent or you want to use SSL offloading (which basically makes the web server unaware of the fact that clients use HTTPS) those self-referencing links become a problem.

Playing around with the admin settings solved nothing and the few discussions I found on the topic made me question if it was possible at all. However, I found a dead simple solution which involves just three easy steps that seem to work perfectly:

  • In "Settings.php", change $boardurl to '' (WARNING! This cannot be done using the web GUI because it will default to 'http://' and break your forum!!)
  • Update the MySQL 'settings' table and change all URLs from absolute to relative
  • Update the MySQL 'themes' table and change all URLs from absolute to relative

E.g. to fix my forum I used the following queries:
UPDATE settings SET value=REPLACE(value,'http://forums.atc.no','') WHERE value LIKE 'http://forums.atc.no%';
UPDATE themes SET value=REPLACE(value,'http://forums.atc.no','') WHERE value LIKE 'http://forums.atc.no%';


...and *poof* now my users can either keep using HTTP or they can use HTTPS which gets offloaded by my load balancing cluster. I see no reason why this should not work just fine with any other SSL gateway as well.

I really can't understand why SMF was designed with absolute URLs to begin with.

Oldiesmann

SSL handling has improved greatly in 2.1, though I don't know how well what you want to do will work as the options are pretty much http, https only for logins or force https everywhere...
Michael Eshom
Christian Metal Fans

Advertisement: