Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla source code refers to http as default

I use https to my vanilla forum and i am not a professional user so i dont really know that much. I contacted my webserver provider since i read a comment about https. In their answer they told me that many links in the source code is http and that has got me to think. Could vanilla be set to https if possible and if not then http instead of in the source code everything is ran by http?

I dont understand much of this and hope some of you in here maby can tell me details regarding this problem?



  • Generally speaking vanilla doesn't hard code the scheme or url. however with all the pluigns a whatnot, not ever

    It would not be a good idea to make hard link to any scheme, let alone https. It will determine that from the request.

    What can be issue is external links. On a forum people can post any content. You are going to get mixed content errors. User don't know about https and also often there isn't an url they can use.

    You just have to accept it, it is true of any site that accept public content.

    grep is your friend.

  • LincLinc Detroit Admin

    To force SSL (only allow https), add the config setting Garden.ForceSSL = TRUE. To force SSL off and only allow http, set Garden.AllowSSL = FALSE.

  • How should it be written?
    $Configuration['Garden']['ForceSSL'] = 'TRUE';

    I dont have a line with that line.. Also in the config.php file it says i run 2.1.6, but i have upgradede to 2.1.7 and then 2.1.8 should i be worried?

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited January 2015

    change the version in the config.php to represent the real version you have installed.

    $Configuration['Garden']['ForceSSL'] = TRUE;

    $Configuration['Garden']['AllowSSL'] = TRUE;

    without quotes

  • LincLinc Detroit Admin

    Config version is irrelevant.

  • Okay, well not to offend you, but does this really do the trick the whole way or? For some reason i would trust a button in the dashboard more then 2 lines of code.. Just saying im a newb and wondering why this code isnt in the configfile as default?

  • @Blueeyez said:
    Okay, well not to offend you, but does this really do the trick the whole way or? For some reason i would trust a button in the dashboard more then 2 lines of code.. Just saying im a newb and wondering why this code isnt in the configfile as default?

    Because it is not really the job of the framework to manage your server. Kind of tail wagging the dog. These rules ideally should ideally be in server configuration, so it doesn't have to use the framework to redirect.

    Server configurations are best managed without interfaces too. There are commercial interfaces which help you with server rules, but I would not really recommend most of them.

    In short nothing is without learning curve.

    grep is your friend.

  • why are you using SSL anyway? Have you thought about that?

    Some time site uses https simply becuase to the perception of https rather than actually needing for the whole site. I'm not knocking this strategy. It can be for sound commercial reason but running a sit like come with with a learning curve.

    it used to be that sites would only use SSL for vulnerable part like payment sections.

    Now it is more common to get whole sites that way, but they have to accept some pitfalls.

    However with a forum, you will always have mixed content unless you ban all external linkage from users.

    grep is your friend.

  • LincLinc Detroit Admin

    @Blueeyez said:
    i would trust a button in the dashboard more then 2 lines of code..

    Which is kinda funny, since the Dashboard buttons mostly just write a line of code like that.

    AllowSSL is already enabled by default so setting it to TRUE is redundant. My instructions were precise and either scenario only involves 1 line.

  • AnonymooseAnonymoose ✭✭
    edited January 2015

    I think the reason some people started using Vanilla with SSL was because of the Marketplace plugin which has options to process payments via ssl. It used to return the buyer back to the forum in SSL mode, which is when the mixed content error started showing up.

  • AdrianAdrian Wandering Spirit Montreal MVP
    edited January 2015

    not to derail the topic, but there is a growing number of people who use SSL as an SEO benefit, and especially since Google added it as ranking factor this summer:

  • LincLinc Detroit Admin

    As a general security measure, it is advisable to run any web software using SSL if you have that option.

  • It would indeed be a good idea, if browser would relax those mixed content errors, like many have already. The secure web might happen. Obviously they will still block critical insecure content.

    Then if you can use TLS.

    Open SSL had exploits, and SSL itself is no longer considered good enough. Especially SSLv3 which many services have withdraw the option to due to vulnerability.

    grep is your friend.

  • @Linc: Sorry, its not to offend you, but im new at security at this level and i really have minimal/zero knowledge.. well last few days i have got more..
    I have done as you advised. You say allowssl already is true and that it is redudant to have that line, but would you advise it still?
    I already have a paid SSL certificate, i have disabled http and set http to https..

  • LincLinc Detroit Admin

    It does not matter at all whether you add the AllowSSL line or not. It makes zero difference. It's like flicking up on a lightswitch that is already on.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    The only time in my experience ,that was needed to use ssl and vanilla for many people was to be able to embed their forum in facebook. And every instance of http had to be changed in the embed to https to work even if force ssl true.

    You can make chrome display insecure content in the settings. Not sure about firefox, safari displays the content regardless. On the mac.

    AllowSSL is on by default. ForceSSL is supposed to force it but it does not work on embed unless you change some of the code.

    It should work fine on the stand alone forum. Just make sure that all of the images and files for the theme are coming from the forum. Don't use external images or files for the theme.

    Get people to upload the images instead of adding a link. The source of the content must be served via ssl. Not all image or file hosting services do it.

  • BlueeyezBlueeyez New
    edited January 2015

    After i have disabled http im not able to sign in. When i click on the login it seems like it uses http even tho i have set it to force ssl..
    If i then enter the page i am signed in. Any ideas?

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
  • the site is:
    Please let me know if you get an error if you create an account (the page is on english yet since danish is with bugs and missing translations still)

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited January 2015

    Yes don't worry I never read the content I only look at the code or urls to determine what is going on.

    Your SSL is working. I used chrome and Safari to see and it IS serving the pages in SSL.

    The reason you get the shield about insecure content is only from the browser. You can set it to allow it.

    This url in the theme could be the problem. Look in the foot of the tpl to see if you can find this

    and replace it with this

Sign In or Register to comment.