Advertisement:

Author Topic: Converting to https, step-by-step...  (Read 12946 times)

Offline shawnb61

  • Support Specialist
  • Full Member
  • *
  • Posts: 458
    • sbulen on GitHub
Converting to https, step-by-step...
« on: July 08, 2017, 03:01:04 AM »
Having just gone thru this the first time myself, I thought I'd share my notes & explain each step (as best I can, anyway).
 This is the stuff I wish I knew up front...  Whether you are doing a new install or trying to diagnose an issue, follow these steps in sequence to get your site up & running.

These steps are generic enough to help you whether you are running under 2.0.x or 2.1.x. 

(1.) Purchase & install your certificate.  Yes, this is the first step.  With a certificate installed, you can run either http:// or https://.  If you do NOT have a certificate installed, you can only run http://.   So... 

If you do NOT have a certificate installed, and you change all your URLs to https://, your site will (POOF!) disappear...  That's because your web server won't serve https:// content without the cert.  Install the cert first...

(2.)  Test your cert, to make sure it is installed & fully operational.  There are lots of tools online that will help you confirm it works.  One such tool:  https://www.sslshopper.com/ssl-checker.html

(3.)  Install an http to https redirect.  Without the redirect, your web server will still attempt to serve up http:// upon request.  So, for example, if you type in your forum's URL with http://, not https://, it will actually execute index.php insecurely.  Themes probably won't work though, so you will probably get that weird, blank-page, text-only version of your site.  A redirect will avoid lots of flaky behavior... 

Here is a good, multi-purpose Apache example right here, that will redirect ALL http:// traffic to https://, and further, tell search engines this is a permanent change:
Code: [Select]
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Save the above as a text file named .htaccess, and place it in the root folder of your site.  If you already have an .htaccess file, copy & paste the above at the top of the file. 

There are many other .htaccess examples out there, e.g., if you only want specific folders redirected.  This may be helpful if you have multiple forums, each in separate folders, and only some are https.  If you have such complicated needs, Google is your friend... 

(4.)  If installing...  Run the installer using https://  Using https:// is pretty important, as all URL settings created by the installer are based relative to how you invoke the installer.  Invoking the installer as https:// will make sure all of your URLs internally are https:// at the outset.  If you run the installer with http://, you will have to fix this later using repair_settings.php.

(5.)  If installing 2.1...  Select the Force SSL option.

(6.)  Run repair_settings.php. **MAKE SURE YOU USE THE RIGHT ONE**  There is a different repair_settings.php for SMF 2.1 up on Github!  Using repair_settings.php, confirm the following URLs are all setup with https://, not http://:
 - $boardurl
 - Your Smileys URL
 - Your Avatars URL
 - Your Custom Avatars URL (if you have one)
 - Your Theme URL (one for each theme!!!!)
 - Your Theme/Images URL (one for each theme!!!!)

Save your settings, exit, & delete repair_settings.php.   

I run repair_settings.php just as a safety measure, just to make sure it all went as expected...  I'm paranoid & like double-checking things...

(7.) If you were running 2.1 already, go to the Admin | Maintenance | Server Settings | General and choose "Force SSL throughout the forum" at the Forum SSL Mode prompt. 

(8.) If running 2.0.14+, or 2.1, consider activating the image proxy.  You probably want to do this if your site has mixed http:// & https:// content.  This happens if your forum members share a lot of images from other websites.  If there are mixed http:// and https:// images on the same webpage, you will at least get a security warning, & you will more likely get broken links.  This is because some browsers will not serve mixed http:// & https:// content as a security feature.  SMF's image proxy feature will download http:// images locally, so SMF can turn around and serve them up https://.  No more 'mixed' content issues.  This will significantly reduce broken links and security warnings on your site.  If your forum members share lots of images, you probably want the image proxy enabled. 

NOTE:  The upgrader doesn't change anything - if it finds a site http://, it leaves it http://.  If it finds a site with https://, it leaves it that way. 

What do you do if you're still having issues?  Run repair_settings.php again & triple-check all your URLs... 

Hope this helps.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline shawnb61

  • Support Specialist
  • Full Member
  • *
  • Posts: 458
    • sbulen on GitHub
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline shawnb61

  • Support Specialist
  • Full Member
  • *
  • Posts: 458
    • sbulen on GitHub
Re: Converting to https, step-by-step...
« Reply #2 on: July 08, 2017, 01:53:37 PM »
Just ran across a nifty tool that helps you confirm your redirect is working OK:
   http://www.redirect-checker.org/index.php

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline lurkalot

  • Sr. Member
  • ****
  • Posts: 943
  • Gender: Male
  • Tinyportal Support
    • guitaristguild on Facebook
    • Tinyportal on GitHub
    • @GuitaristGuild on Twitter
    • Guitarist Guild
Re: Converting to https, step-by-step...
« Reply #3 on: July 08, 2017, 06:32:25 PM »
Thanks, handy post.  ;)

Converted a couple of my sites yesterday, before I read this.  Luckily all seems to have gone well.  I will just say though some themes and mods make calls to external scripts, so you might find that even though you might see the green padlock in your browser it's still blocking some of the content.

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,019
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Converting to https, step-by-step...
« Reply #4 on: July 09, 2017, 10:17:42 PM »
Some more useful links:

  • https://www.whynopadlock.com/ - Put in the URL to a page and it'll highlight things that are loading over a non-secure connection so you can correct them.
  • https://www.ssllabs.com/ssltest/ - The Qualys SSL Labs tester. It does a very complete check of your setup and will let you know what browsers may have trouble connecting, along with a nice grade on how secure your configuration is.
  • https://www.sslchecker.com/sslchecker - Another SSL checker. This one has the advantage of being able to alert you if you forgot a needed intermediate certificate, which will cause security warnings in browsers. (You can ignore a missing root, the browsers will have those.)
  • https://mozilla.github.io/server-side-tls/ssl-config-generator/ - The Mozilla SSL Configuration Generator. If you manage your server configuration manually, fill in a few details and it'll generate a recommended configuration for SSL setup. I recommend you keep the "intermediate" settings, as the "Modern" will exclude quite a few browsers and platforms still in use.

One thing to keep in mind with the image proxy is that it will increase your bandwidth as it has to fetch the insecure image and then provide it securely from your site. It shouldn't be a lot of extra traffic, but keep it in mind if you enable it.
Motoko-chan
Director, Simple Machines

Just because it's pouring down doesn't mean we're gonna drown. There's a time when all you can say is let it rain - Mat Kearney (Let It Rain)

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline shawnb61

  • Support Specialist
  • Full Member
  • *
  • Posts: 458
    • sbulen on GitHub
Re: Converting to https, step-by-step...
« Reply #5 on: July 22, 2017, 03:12:02 AM »
Another utility while we're at it:
https://github.com/sbulen/sjrbTools/blob/master/SMF_SSL_Diag.php

This is an inquiry-only utility that performs simple checks for the existence of a cert, the existence of a redirect, and also dumps the various SMF variables associated with SSL.  Works for 2.0 & 2.1.  To use, just plunk it in your forum home directory (where settings.php is) and execute it. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline brynn

  • Jr. Member
  • **
  • Posts: 346
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #6 on: July 27, 2017, 06:54:34 AM »
Thanks for this little guide.

A few months ago my host switched all his servers to https, but didn't tell me to do anything except change the IP address.  A few weeks ago I moved to a new host.  And it was only inspecting my site after the move, when I realized I'm now in a position of having mixed http and https contents.  Even though I've had my SMF with Tiny Portal for 4 years, I'm still kind of a newbie at running a website.

For #5, I'm not installing 2.1 right now.  But I guess I will eventually.  Do I need to remember to check Force SSL option?

For #8, I thought the purpose for running the repair settings thing (in #6) is to change all the http instances to https.  And if it is, why would I still have mixed http/https images?  My site provides support for a graphics program, so I certainly will have mixed images.  But again, I thought repair settings was going to fix that.

After #8 it says
Quote
NOTE:  The upgrader doesn't change anything - if it finds a site http://, it leaves it http://.  If it finds a site with https://, it leaves it that way.
I'm not sure what that means.  What upgrader?

Thanks!
Inkscape Community  (SMF with Tiny Portal)

Inkscape for Cutting Design  (originally a phpBB forum, converted to SMF, and using Simple Portal)

Offline shawnb61

  • Support Specialist
  • Full Member
  • *
  • Posts: 458
    • sbulen on GitHub
Re: Converting to https, step-by-step...
« Reply #7 on: July 27, 2017, 09:48:39 AM »
Re #5:   Short answer: Yes.  You need to set this new 2.1 setting that didn't exist in 2.0. 

Re #8:  Repair_settings.php helps you address SMF settings.  It does NOT, however, update the contents inside your posts.  Users can enter URLs, e.g., for images, inside posts.  Post content is probably the cause of mixed content warnings/issues.

This is why SMF added the image proxy - to address mixed content issues caused by links to images within posts.

Re the upgrader:  This note just points out that the upgrader does not modify any existing SSL-related settings. 

2.1 is still in beta, and there are some enhancement requests in the queue to make it a little smarter.  Upgrader behavior may change.


The main thing to know at the moment is that - no matter what happens - SMF makes it very easy to change / correct settings using the Admin control panel &/or repair_settings.php to fully support your desired SSL configuration.  It's safe.  The tools exist to correct issues & settings. 
« Last Edit: July 27, 2017, 10:40:25 AM by shawnb61 »
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline aegersz

  • Sophist Member
  • *****
  • Posts: 1,109
  • Gender: Male
  • "mods" junkie
    • dopetalk
Re: Converting to https, step-by-step...
« Reply #8 on: July 27, 2017, 05:12:10 PM »
this may be of interest. I had to make this change to repair_settings.php
SMF 2.0: 135+ mods installed (the full list can be seen at http://forum.drugs-and-users.org/index.php/topic,3301)

Offline brynn

  • Jr. Member
  • **
  • Posts: 346
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #9 on: August 01, 2017, 04:23:47 AM »
Quote
Re #5:   Short answer: Yes.  You need to set this new 2.1 setting that didn't exist in 2.0.

Ok, I'll try and remember.

While I've been trying to digest all this info, I keep thinking I should do repair settings first, and set the redirect 2nd.  Is there some reason why you suggest making the redirect first?

Will I need to make the change suggested by aegersz, before I use repair settings?
Inkscape Community  (SMF with Tiny Portal)

Inkscape for Cutting Design  (originally a phpBB forum, converted to SMF, and using Simple Portal)

Offline aegersz

  • Sophist Member
  • *****
  • Posts: 1,109
  • Gender: Male
  • "mods" junkie
    • dopetalk
Re: Converting to https, step-by-step...
« Reply #10 on: August 01, 2017, 05:14:10 AM »
i think i needed to make that change as i might have not setup my .htaccess for https yet.
SMF 2.0: 135+ mods installed (the full list can be seen at http://forum.drugs-and-users.org/index.php/topic,3301)

Offline brynn

  • Jr. Member
  • **
  • Posts: 346
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #11 on: August 01, 2017, 08:14:00 AM »
Oohh, and another question. 

I have 2 sites, 2 TLDs.  But the 2nd one lives as a separate page in the file structure on the server.  But it looks like a separate site, which I think is accomplished with a redirect.

Do I need to upload repair_settings.php separately into that directory, and use the same process separately, for that site?

And just to repeat my last question.  Does it really matter whether the htaccess redirect is done before or after using repair_settings?

Thanks again :)
« Last Edit: August 01, 2017, 08:58:33 AM by brynn »
Inkscape Community  (SMF with Tiny Portal)

Inkscape for Cutting Design  (originally a phpBB forum, converted to SMF, and using Simple Portal)

Offline shawnb61

  • Support Specialist
  • Full Member
  • *
  • Posts: 458
    • sbulen on GitHub
Re: Converting to https, step-by-step...
« Reply #12 on: August 01, 2017, 11:16:01 AM »
Do I need to upload repair_settings.php separately into that directory, and use the same process separately, for that site?

Yes, you run it once per site.  Yes, you put it into each forum's root directory.  From the 2.0 repair_setting.php link provided above (https://wiki.simplemachines.org/smf/Repair_settings.php):

"Upload the file repair_settings.php with an FTP client to the root directory of your forum (where Settings.php can be found)."

Does it really matter whether the htaccess redirect is done before or after using repair_settings?

If you do it all in one sitting, not a lot of difference.  But I put the redirect early in the process for two reasons:
(1) Remember, people can still type in http:// in their URLs.  Without the redirect, the content will still be served up http://.  Also remember that lots of posts may have links to other posts, that are still http://.  A good redirect will clean up ALL of these loose ends. 

(2) Most of the SMF utilities, the Installer, the Upgrader & even repair_settings.php, operate from how they are invoked.  If you invoke repair_settings.php as http://, its recommendations will be http://.   If you invoke it with https://,  its recommendations will be https://.

The sooner your redirect is in operation, the sooner ALL updates will use https://.  Even if you forget to type in https://.

If you have a redirect active, or, if you invoke repair_setting.php via https://, I don't think you need aegersz's code fix.  Everything will be https:// already. 
« Last Edit: August 01, 2017, 11:28:45 AM by shawnb61 »
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline brynn

  • Jr. Member
  • **
  • Posts: 346
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #13 on: August 01, 2017, 12:04:00 PM »
Oh, thank you SO much!
Inkscape Community  (SMF with Tiny Portal)

Inkscape for Cutting Design  (originally a phpBB forum, converted to SMF, and using Simple Portal)

Offline brynn

  • Jr. Member
  • **
  • Posts: 346
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #14 on: August 03, 2017, 01:32:50 PM »
I've noticed some images loading slowly, since I've made these changes.  Specifically, images in signature take several more seconds to load, after the rest of the page loads.

Could this be related to the image proxy?  Is there a way to fix it?

Thanks :)
Inkscape Community  (SMF with Tiny Portal)

Inkscape for Cutting Design  (originally a phpBB forum, converted to SMF, and using Simple Portal)

Offline brynn

  • Jr. Member
  • **
  • Posts: 346
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #15 on: August 03, 2017, 03:33:55 PM »
Changing http to https for the profile image solved it!

Now a different issue.  I have 2 sites using SMF forum/portals.  One of them doesn't have the image proxy option.  Or at least, it's not where the option for the other forum is, and I can't seem to find it.

They do use different themes, but it doesn't seem like a theme issue (or else the options would be in the theme options.

Or maybe the image proxy is provided by a mod that I don't have installed in one of them?
Inkscape Community  (SMF with Tiny Portal)

Inkscape for Cutting Design  (originally a phpBB forum, converted to SMF, and using Simple Portal)

Offline Illori

  • Project Manager
  • SMF Master
  • *
  • Posts: 47,866
Re: Converting to https, step-by-step...
« Reply #16 on: August 03, 2017, 03:46:02 PM »
do you have 2.0.14 installed on both of them?

Offline brynn

  • Jr. Member
  • **
  • Posts: 346
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #17 on: August 04, 2017, 06:05:16 PM »
Ah, thanks Illori.  I just realized that, and was coming to post.  I'll upgrade asap.
Inkscape Community  (SMF with Tiny Portal)

Inkscape for Cutting Design  (originally a phpBB forum, converted to SMF, and using Simple Portal)

Offline Matthew-me

  • Semi-Newbie
  • *
  • Posts: 78
  • Gender: Male
  • I know what I know and I know what I don't know.
Re: Converting to https, step-by-step...
« Reply #18 on: August 20, 2017, 10:23:27 AM »
Thank you for documenting this shawnb61. Used it to do a clean install on moving host. All worked. I didn't run repair settings .. just updated Avatar, Attachment, Theme and Smileys URL's manually after importing database. I think that was all.

Kudos. Worked like a dream.
How will you make the world a better place today?

Offline aegersz

  • Sophist Member
  • *****
  • Posts: 1,109
  • Gender: Male
  • "mods" junkie
    • dopetalk
Re: Converting to https, step-by-step...
« Reply #19 on: August 22, 2017, 04:36:59 PM »
Ah, thanks Illori.  I just realized that, and was coming to post.  I'll upgrade asap.

I will upgrade too as prior to 0.14, any linked images that are not https will disable SSL for that particular page - is that correct ?
SMF 2.0: 135+ mods installed (the full list can be seen at http://forum.drugs-and-users.org/index.php/topic,3301)