Converting to https, step-by-step...

Started by shawnb61, July 08, 2017, 03:01:04 AM


shawnb61

Having just gone thru this the first time myself, I thought I'd share my notes & explain each step (as best I can, anyway).
This is the stuff I wish I knew up front...  Whether you are doing a new install or trying to diagnose an issue, follow these steps in sequence to get your site up & running.

These steps are generic enough to help you whether you are running under 2.0.x or 2.1.x. 

(1.) Purchase & install your certificate.  Yes, this is the first step.  With a certificate installed, you can run either http:// or https://.  If you do NOT have a certificate installed, you can only run http://.   So... 

If you do NOT have a certificate installed, and you change all your URLs to https://, your site will (POOF!) disappear...  That's because your web server won't serve https:// content without the cert.  Install the cert first...

(2.)  Test your cert, to make sure it is installed & fully operational.  There are lots of tools online that will help you confirm it works.  One such tool:  https://www.sslshopper.com/ssl-checker.html

(3.)  Install an http to https redirect.  Without the redirect, your web server will still attempt to serve up http:// upon request.  So, for example, if you type in your forum's URL with http://, not https://, it will actually execute index.php insecurely.  Themes probably won't work though, so you will probably get that weird, blank-page, text-only version of your site.  A redirect will avoid lots of flaky behavior... 

Here is a good, multi-purpose Apache example right here, that will redirect ALL http:// traffic to https://, and further, tell search engines this is a permanent change:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


Save the above as a text file named .htaccess, and place it in the root folder of your site.  If you already have an .htaccess file, copy & paste the above at the top of the file. 

There are many other .htaccess examples out there, e.g., if you only want specific folders redirected.  This may be helpful if you have multiple forums, each in separate folders, and only some are https.  If you have such complicated needs, Google is your friend... 

(4.)  If installing...  Run the installer using https://.  Using https:// is pretty important, as all URL settings created by the installer are based relative to how you invoke the installer.  Invoking the installer as https:// will make sure all of your URLs internally are https:// at the outset.  If you run the installer with http://, you will have to fix this later using repair_settings.php.

(5.)  If installing 2.1...  Select the Force SSL option.

(6.)  Run repair_settings.php. Use repair_settings.php to confirm the following URLs are all set up with https://, not http://:
- $boardurl
- Your Smileys URL
- Your Avatars URL
- Your Custom Avatars URL (if you have one)
- Your Theme URL (one for each theme!!!!)
- Your Theme/Images URL (one for each theme!!!!)

Save your settings, exit, & delete repair_settings.php.   

I run repair_settings.php just as a safety measure, just to make sure it all went as expected...  I'm paranoid & like double-checking things...

(7.) If you were running 2.1 already, go to the Admin | Maintenance | Server Settings | General and choose "Force SSL throughout the forum" at the Forum SSL Mode prompt. 

(8.) If running 2.0.14+, or 2.1, consider activating the image proxy.  You probably want to do this if your site has mixed http:// & https:// content.  This happens if your forum members share a lot of images from other websites.  If there are mixed http:// and https:// images on the same webpage, you will at least get a security warning, & you will more likely get broken links.  This is because some browsers will not serve mixed http:// & https:// content as a security feature.  SMF's image proxy feature will download http:// images locally, so SMF can turn around and serve them up https://.  No more 'mixed' content issues.  This will significantly reduce broken links and security warnings on your site.  If your forum members share lots of images, you probably want the image proxy enabled. 

NOTE:  The upgrader doesn't change anything - if it finds a site http://, it leaves it http://.  If it finds a site with https://, it leaves it that way. 

What do you do if you're still having issues?  Run repair_settings.php again & triple-check all your URLs... 

Hope this helps.

EDIT 12/17/20: point to proper repair_settings
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
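
Added example (not part of the original post, and not SMF code): a Python check for the redirect from step 3. It judges a plain-http response against what the rule above should produce: a permanent redirect to https:// on the same host with the path and query string kept. The hostname forum.example and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit


def evaluate_redirect(host, path, status, location):
    """Return a list of problems with an http->https redirect (empty list = OK)."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect (301/308)")
    target = urlsplit(location or "")
    if target.scheme != "https":
        problems.append(f"Location {location!r} does not point to https://")
    if target.hostname != host.lower():
        problems.append(f"redirect leaves the requested host {host!r}")
    requested = urlsplit(path)
    if (target.path or "/", target.query) != (requested.path or "/", requested.query):
        problems.append("path or query string was not preserved")
    return problems


def fetch_redirect(host, path="/", timeout=5):
    """Send one plain-http GET without following redirects (needs network access)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed sample responses: (requested path, status, Location header).
SAMPLES = [
    ("/index.php?topic=1.0", 301, "https://forum.example/index.php?topic=1.0"),
    ("/index.php?topic=1.0", 302, "https://forum.example/"),
    ("/index.php", 200, None),  # no redirect installed: served insecurely
]

if __name__ == "__main__":
    for path, status, location in SAMPLES:
        result = evaluate_redirect("forum.example", path, status, location)
        print(path, status, result or "OK")
    # Live use: status, loc = fetch_redirect("forum.example", "/index.php")
```
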

shawnb61

Repair_settings may be found here:

https://download.simplemachines.org/index.php?tools

EDIT 12/17/20: point to proper repair_settings

shawnb61

Just ran across a nifty tool that helps you confirm your redirect is working OK:
   http://www.redirect-checker.org/index.php


lurkalot

Thanks, handy post.  ;)

Converted a couple of my sites yesterday, before I read this.  Luckily all seems to have gone well.  I will just say though some themes and mods make calls to external scripts, so you might find that even though you might see the green padlock in your browser it's still blocking some of the content.

青山 素子

Some more useful links:


  • https://www.whynopadlock.com/ - Put in the URL to a page and it'll highlight things that are loading over a non-secure connection so you can correct them.
  • https://www.ssllabs.com/ssltest/ - The Qualys SSL Labs tester. It does a very complete check of your setup and will let you know what browsers may have trouble connecting, along with a nice grade on how secure your configuration is.
  • https://www.sslchecker.com/sslchecker - Another SSL checker. This one has the advantage of being able to alert you if you forgot a needed intermediate certificate, which will cause security warnings in browsers. (You can ignore a missing root, the browsers will have those.)
  • https://mozilla.github.io/server-side-tls/ssl-config-generator/ - The Mozilla SSL Configuration Generator. If you manage your server configuration manually, fill in a few details and it'll generate a recommended configuration for SSL setup. I recommend you keep the "intermediate" settings, as the "Modern" will exclude quite a few browsers and platforms still in use.

One thing to keep in mind with the image proxy is that it will increase your bandwidth as it has to fetch the insecure image and then provide it securely from your site. It shouldn't be a lot of extra traffic, but keep it in mind if you enable it.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


shawnb61

Another utility while we're at it:
https://github.com/sbulen/sjrbTools/blob/master/SMF_SSL_Diag.php

This is an inquiry-only utility that performs simple checks for the existence of a cert, the existence of a redirect, and also dumps the various SMF variables associated with SSL.  Works for 2.0 & 2.1.  To use, just plunk it in your forum home directory (where settings.php is) and execute it. 

brynn

Thanks for this little guide.

A few months ago my host switched all his servers to https, but didn't tell me to do anything except change the IP address.  A few weeks ago I moved to a new host.  And it was only inspecting my site after the move, when I realized I'm now in a position of having mixed http and https contents.  Even though I've had my SMF with Tiny Portal for 4 years, I'm still kind of a newbie at running a website.

For #5, I'm not installing 2.1 right now.  But I guess I will eventually.  Do I need to remember to check Force SSL option?

For #8, I thought the purpose for running the repair settings thing (in #6) is to change all the http instances to https.  And if it is, why would I still have mixed http/https images?  My site provides support for a graphics program, so I certainly will have mixed images.  But again, I thought repair settings was going to fix that.

After #8 it says
Quote: NOTE:  The upgrader doesn't change anything - if it finds a site http://, it leaves it http://.  If it finds a site with https://, it leaves it that way.
I'm not sure what that means.  What upgrader?

Thanks!

shawnb61

Re #5:   Short answer: Yes.  You need to set this new 2.1 setting that didn't exist in 2.0. 

Re #8:  Repair_settings.php helps you address SMF settings.  It does NOT, however, update the contents inside your posts.  Users can enter URLs, e.g., for images, inside posts.  Post content is probably the cause of mixed content warnings/issues.

This is why SMF added the image proxy - to address mixed content issues caused by links to images within posts.

Re the upgrader:  This note just points out that the upgrader does not modify any existing SSL-related settings. 

2.1 is still in beta, and there are some enhancement requests in the queue to make it a little smarter.  Upgrader behavior may change.


The main thing to know at the moment is that - no matter what happens - SMF makes it very easy to change / correct settings using the Admin control panel &/or repair_settings.php to fully support your desired SSL configuration.  It's safe.  The tools exist to correct issues & settings. 

aegersz

This may be of interest. I had to make this change to repair_settings.php
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

brynn

Quote: Re #5:   Short answer: Yes.  You need to set this new 2.1 setting that didn't exist in 2.0.

Ok, I'll try and remember.

While I've been trying to digest all this info, I keep thinking I should do repair settings first, and set the redirect 2nd.  Is there some reason why you suggest making the redirect first?

Will I need to make the change suggested by aegersz, before I use repair settings?

aegersz

I think I needed to make that change as I might not have set up my .htaccess for https yet.

brynn

Oohh, and another question. 

I have 2 sites, 2 TLDs.  But the 2nd one lives as a separate page in the file structure on the server.  But it looks like a separate site, which I think is accomplished with a redirect.

Do I need to upload repair_settings.php separately into that directory, and use the same process separately, for that site?

And just to repeat my last question.  Does it really matter whether the htaccess redirect is done before or after using repair_settings?

Thanks again :)

shawnb61

Quote from: brynn on August 01, 2017, 08:14:00 AM
Do I need to upload repair_settings.php separately into that directory, and use the same process separately, for that site?

Yes, you run it once per site.  Yes, you put it into each forum's root directory.  From the 2.0 repair_settings.php link provided above (https://wiki.simplemachines.org/smf/Repair_settings.php):

"Upload the file repair_settings.php with an FTP client to the root directory of your forum (where Settings.php can be found)."

Quote from: brynn on August 01, 2017, 08:14:00 AM
Does it really matter whether the htaccess redirect is done before or after using repair_settings?

If you do it all in one sitting, not a lot of difference.  But I put the redirect early in the process for two reasons:
(1) Remember, people can still type in http:// in their URLs.  Without the redirect, the content will still be served up http://.  Also remember that lots of posts may have links to other posts, that are still http://.  A good redirect will clean up ALL of these loose ends. 

(2) Most of the SMF utilities, the Installer, the Upgrader & even repair_settings.php, operate from how they are invoked.  If you invoke repair_settings.php as http://, its recommendations will be http://.   If you invoke it with https://,  its recommendations will be https://.

The sooner your redirect is in operation, the sooner ALL updates will use https://.  Even if you forget to type in https://.

If you have a redirect active, or, if you invoke repair_settings.php via https://, I don't think you need aegersz's code fix.  Everything will be https:// already.

brynn

I've noticed some images loading slowly, since I've made these changes.  Specifically, images in signature take several more seconds to load, after the rest of the page loads.

Could this be related to the image proxy?  Is there a way to fix it?

Thanks :)

brynn

Changing http to https for the profile image solved it!

Now a different issue.  I have 2 sites using SMF forum/portals.  One of them doesn't have the image proxy option.  Or at least, it's not where the option for the other forum is, and I can't seem to find it.

They do use different themes, but it doesn't seem like a theme issue (or else the options would be in the theme options).

Or maybe the image proxy is provided by a mod that I don't have installed in one of them?

Illori

Do you have 2.0.14 installed on both of them?

brynn

Ah, thanks Illori.  I just realized that, and was coming to post.  I'll upgrade asap.

Matthew-me

Thank you for documenting this shawnb61. Used it to do a clean install on moving host. All worked. I didn't run repair settings... just updated Avatar, Attachment, Theme and Smileys URLs manually after importing database. I think that was all.

Kudos. Worked like a dream.
How will you make the world a better place today?

aegersz

Quote from: brynn on August 04, 2017, 06:05:16 PM
Ah, thanks Illori.  I just realized that, and was coming to post.  I'll upgrade asap.

I will upgrade too as prior to 0.14, any linked images that are not https will disable SSL for that particular page - is that correct?