Advertisement:

Author Topic: Converting to https, step-by-step...  (Read 712 times)

Offline shawnb61

  • Charter Member
  • Jr. Member
  • *
  • Posts: 274
    • sbulen on GitHub
Converting to https, step-by-step...
« on: July 08, 2017, 03:01:04 AM »
Having just gone thru this the first time myself, I thought I'd share my notes & explain each step (as best I can, anyway).
 This is the stuff I wish I knew up front...  Whether you are doing a new install or trying to diagnose an issue, follow these steps in sequence to get your site up & running.

These steps are generic enough to help you whether you are running under 2.0.x or 2.1.x. 

(1.) Purchase & install your certificate.  Yes, this is the first step.  With a certificate installed, you can run either http:// or https://.  If you do NOT have a certificate installed, you can only run http://.   So... 

If you do NOT have a certificate installed, and you change all your URLs to https://, your site will (POOF!) disappear...  That's because your web server won't serve https:// content without the cert.  Install the cert first...

(2.)  Test your cert, to make sure it is installed & fully operational.  There are lots of tools online that will help you confirm it works.  One such tool:  https://www.sslshopper.com/ssl-checker.html

(3.)  Install an http to https redirect.  Without the redirect, your web server will still attempt to serve up http:// upon request.  So, for example, if you type in your forum's URL with http://, not https://, it will actually execute index.php insecurely.  Themes probably won't work though, so you will probably get that weird, blank-page, text-only version of your site.  A redirect will avoid lots of flaky behavior... 

Here is a good, multi-purpose Apache example right here, that will redirect ALL http:// traffic to https://, and further, tell search engines this is a permanent change:
Code: [Select]
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Save the above as a text file named .htaccess, and place it in the root folder of your site.  If you already have an .htaccess file, copy & paste the above at the top of the file. 

There are many other .htaccess examples out there, e.g., if you only want specific folders redirected.  This may be helpful if you have multiple forums, each in separate folders, and only some are https.  If you have such complicated needs, Google is your friend... 

(4.)  If installing...  Run the installer using https://  Using https:// is pretty important, as all URL settings created by the installer are based relative to how you invoke the installer.  Invoking the installer as https:// will make sure all of your URLs internally are https:// at the outset.  If you run the installer with http://, you will have to fix this later using repair_settings.php.

(5.)  If installing 2.1...  Select the Force SSL option.

(6.)  Run repair_settings.php. **MAKE SURE YOU USE THE RIGHT ONE**  There is a different repair_settings.php for SMF 2.1 up on Github!  Using repair_settings.php, confirm the following URLs are all setup with https://, not http://:
 - $boardurl
 - Your Smileys URL
 - Your Avatars URL
 - Your Custom Avatars URL (if you have one)
 - Your Theme URL (one for each theme!!!!)
 - Your Theme/Images URL (one for each theme!!!!)

Save your settings, exit, & delete repair_settings.php.   

I run repair_settings.php just as a safety measure, just to make sure it all went as expected...  I'm paranoid & like double-checking things...

(7.) If you were running 2.1 already, go to the Admin | Maintenance | Server Settings | General and choose "Force SSL throughout the forum" at the Forum SSL Mode prompt. 

(8.) If running 2.0.14+, or 2.1, consider activating the image proxy.  You probably want to do this if your site has mixed http:// & https:// content.  This happens if your forum members share a lot of images from other websites.  If there are mixed http:// and https:// images on the same webpage, you will at least get a security warning, & you will more likely get broken links.  This is because some browsers will not serve mixed http:// & https:// content as a security feature.  SMF's image proxy feature will download http:// images locally, so SMF can turn around and serve them up https://.  No more 'mixed' content issues.  This will significantly reduce broken links and security warnings on your site.  If your forum members share lots of images, you probably want the image proxy enabled. 

NOTE:  The upgrader doesn't change anything - if it finds a site http://, it leaves it http://.  If it finds a site with https://, it leaves it that way. 

What do you do if you're still having issues?  Run repair_settings.php again & triple-check all your URLs... 

Hope this helps.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline shawnb61

  • Charter Member
  • Jr. Member
  • *
  • Posts: 274
    • sbulen on GitHub
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline shawnb61

  • Charter Member
  • Jr. Member
  • *
  • Posts: 274
    • sbulen on GitHub
Re: Converting to https, step-by-step...
« Reply #2 on: July 08, 2017, 01:53:37 PM »
Just ran across a nifty tool that helps you confirm your redirect is working OK:
   http://www.redirect-checker.org/index.php

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline lurkalot

  • Sr. Member
  • ****
  • Posts: 909
  • Gender: Male
  • Tinyportal Support
    • guitaristguild on Facebook
    • Tinyportal on GitHub
    • @GuitaristGuild on Twitter
    • Guitarist Guild
Re: Converting to https, step-by-step...
« Reply #3 on: July 08, 2017, 06:32:25 PM »
Thanks, handy post.  ;)

Converted a couple of my sites yesterday, before I read this.  Luckily all seems to have gone well.  I will just say though some themes and mods make calls to external scripts, so you might find that even though you might see the green padlock in your browser it's still blocking some of the content.

Tinyportal.net Official Support Site For TinyPortal.
Camera Craniums Running SMF 2.0.13 / Tinyportal 1.2
Guitarist Guild Running SMF 2.0.14 / Tinyportal 1.2R Beta

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,006
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Converting to https, step-by-step...
« Reply #4 on: July 09, 2017, 10:17:42 PM »
Some more useful links:

  • https://www.whynopadlock.com/ - Put in the URL to a page and it'll highlight things that are loading over a non-secure connection so you can correct them.
  • https://www.ssllabs.com/ssltest/ - The Qualys SSL Labs tester. It does a very complete check of your setup and will let you know what browsers may have trouble connecting, along with a nice grade on how secure your configuration is.
  • https://www.sslchecker.com/sslchecker - Another SSL checker. This one has the advantage of being able to alert you if you forgot a needed intermediate certificate, which will cause security warnings in browsers. (You can ignore a missing root, the browsers will have those.)
  • https://mozilla.github.io/server-side-tls/ssl-config-generator/ - The Mozilla SSL Configuration Generator. If you manage your server configuration manually, fill in a few details and it'll generate a recommended configuration for SSL setup. I recommend you keep the "intermediate" settings, as the "Modern" will exclude quite a few browsers and platforms still in use.

One thing to keep in mind with the image proxy is that it will increase your bandwidth as it has to fetch the insecure image and then provide it securely from your site. It shouldn't be a lot of extra traffic, but keep it in mind if you enable it.
Motoko-chan
Director, Simple Machines

Just because it's pouring down doesn't mean we're gonna drown. There's a time when all you can say is let it rain - Mat Kearney (Let It Rain)

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline shawnb61

  • Charter Member
  • Jr. Member
  • *
  • Posts: 274
    • sbulen on GitHub
Re: Converting to https, step-by-step...
« Reply #5 on: July 22, 2017, 03:12:02 AM »
Another utility while we're at it:
https://github.com/sbulen/sjrbTools/blob/master/SMF_SSL_Diag.php

This is an inquiry-only utility that performs simple checks for the existence of a cert, the existence of a redirect, and also dumps the various SMF variables associated with SSL.  Works for 2.0 & 2.1.  To use, just plunk it in your forum home directory (where settings.php is) and execute it. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline brynn

  • Jr. Member
  • **
  • Posts: 284
  • Gender: Female
    • Inkscape Community
Re: Converting to https, step-by-step...
« Reply #6 on: Yesterday at 06:54:34 AM »
Thanks for this little guide.

A few months ago my host switched all his servers to https, but didn't tell me to do anything except change the IP address.  A few weeks ago I moved to a new host.  And it was only inspecting my site after the move, when I realized I'm now in a position of having mixed http and https contents.  Even though I've had my SMF with Tiny Portal for 4 years, I'm still kind of a newbie at running a website.

For #5, I'm not installing 2.1 right now.  But I guess I will eventually.  Do I need to remember to check Force SSL option?

For #8, I thought the purpose for running the repair settings thing (in #6) is to change all the http instances to https.  And if it is, why would I still have mixed http/https images?  My site provides support for a graphics program, so I certainly will have mixed images.  But again, I thought repair settings was going to fix that.

After #8 it says
Quote
NOTE:  The upgrader doesn't change anything - if it finds a site http://, it leaves it http://.  If it finds a site with https://, it leaves it that way.
I'm not sure what that means.  What upgrader?

Thanks!

Offline shawnb61

  • Charter Member
  • Jr. Member
  • *
  • Posts: 274
    • sbulen on GitHub
Re: Converting to https, step-by-step...
« Reply #7 on: Yesterday at 09:48:39 AM »
Re #5:   Short answer: Yes.  You need to set this new 2.1 setting that didn't exist in 2.0. 

Re #8:  Repair_settings.php helps you address SMF settings.  It does NOT, however, update the contents inside your posts.  Users can enter URLs, e.g., for images, inside posts.  Post content is probably the cause of mixed content warnings/issues.

This is why SMF added the image proxy - to address mixed content issues caused by links to images within posts.

Re the upgrader:  This note just points out that the upgrader does not modify any existing SSL-related settings. 

2.1 is still in beta, and there are some enhancement requests in the queue to make it a little smarter.  Upgrader behavior may change.


The main thing to know at the moment is that - no matter what happens - SMF makes it very easy to change / correct settings using the Admin control panel &/or repair_settings.php to fully support your desired SSL configuration.  It's safe.  The tools exist to correct issues & settings. 
« Last Edit: Yesterday at 10:40:25 AM by shawnb61 »
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline aegersz

  • Sr. Member
  • ****
  • Posts: 896
  • Gender: Male
    • dopetalk
Re: Converting to https, step-by-step...
« Reply #8 on: Yesterday at 05:12:10 PM »
this may be of interest. I had to make this change to repair_settings.php
"mods" junkie (SMF 2.0) with 130 on (the full List can be seen at http://forum.drugs-and-users.org/index.php/topic,3301)