How to correctly set up HTTPS?

vladuxa03 New
edited June 8 in Vanilla 2.3 Help

I have a domain with SSL from Cloudflare. I added this in config.php:
$Configuration['Garden']['AllowSSL'] = TRUE; $Configuration['Garden']['ForceSSL']=TRUE;
but nothing. Forum still can be loaded through HTTP.
Help please.
When I manually add https in the address, it loads, but with mixed content

Editing htaccess leads to this

Comments

  • vrijvlinder Papillon-Sauvage MVP

    This has nothing to do with vanilla... please talk to your host about how to use an SSL certificate.

    There is no need to force SSL if you set it up correctly. Please Google, How to set up an SSL certificate.

    Vanilla does not require to be encrypted. Mixed content means the source of the content is not encrypted. For example images that are served non encrypted, http and not https...
    Vanilla does not and can not have any effect on this because it's server side...

    Consult your host, take a tutorial as to how to properly set up an SSL certificate for your site...

  • kopna Coimbra Portugal ☯

    @vladuxa03 wrote:
    I have a domain with SSL from Cloudflare. I added this in config.php:
    $Configuration['Garden']['AllowSSL'] = TRUE; $Configuration['Garden']['ForceSSL']=TRUE;
    but nothing. Forum still can be loaded through HTTP.
    Help please.
    When I manually add https in the address, it loads, but with mixed content

    Editing htaccess leads to this

    maybe this topic can help you: https://open.vanillaforums.com/discussion/33183/improve-htaccess-to-force-https#latest

  • x00 MVP
    edited June 8

    @vrijvlinder said:
    This has nothing to do with vanilla... please talk to your host about how to use an SSL certificate.

    This is just not true. Maybe sometime pause and consider how much you really know before commenting with such surety. You can be overly aggressive to newcomers sometimes, and promote shotgun debugging. You don't know everything.

    Clearly images from the dashboard are being served over http not https. This has nothing to do with certs, and it is reasonable to suspect that if ForceSSL is not working it might have something to do with the framework or at least the configuration. Even if he did have a problem with certs, it is unrelated to that issue.

    Note to @vladuxa03: mixed content errors are unavoidable on a forum where users can link to images from anywhere. Still, it is better to serve the majority of your content over https. But you will get these errors regardless; this is just an annoying thing that browsers do. The commitment to serving content over https on the entire web is going to take some time.

    However, in this case this is a core file, so it should not be served this way.

    grep is your friend.

  • x00 MVP
    edited June 8

    It is better to handle redirection to https at the server level rather than the framework level, as kopna points out. However, core files (resources) should be served under the same scheme. If they are not, that is a bug in the code that refers to them.

    The question is which bit of code is requesting defaulticon.png. It may be a plugin or theme.

    grep is your friend.

  • x00 MVP

    User model does refer to this file but uses the asset function which should use the correct scheme.

    However I think the crux lies in this method used by asset.

        public function urlDomain($withDomain = true) {
            static $allowSSL = null;
    
            if ($allowSSL === null) {
                $allowSSL = c('Garden.AllowSSL', null);
            }
    
            if (!$withDomain || $withDomain === '/') {
                return '';
            }
    
            if (!$allowSSL && $withDomain === 'https') {
                $withDomain = 'http';
            }
    
            if ($withDomain === true) {
                $withDomain = $this->scheme().'://';
            } elseif ($withDomain !== '//') {
                $withDomain .= '://';
            }
    
            return $withDomain.$this->hostAndPort();
        }
    

    $withDomain used by usermodel should be true. But if for any reason it was marked as 'https' and Garden.AllowSSL was false, then it would mean that the asset would automatically use http. This seems pretty unlikely. However, there can be other interference at runtime.

    So that leaves either the case where $withDomain exactly equals true (which it should do) and there is something going wrong with the scheme() method, or the case where the scheme is left off entirely, which wouldn't be a problem because browsers know how to handle this.

    grep is your friend.

  • x00 MVP
    edited June 8

    What can go wrong with the scheme method? Well, it is reliant on server variables. Sometimes a server can set these wrong.

    This would also explain your other issues.

    Cloudflare may be why. If Cloudflare is not communicating with your site over https then your server has no idea this is what is required. You are pointing your site to Cloudflare, which then directly communicates with your server, so the server variables will be based on that communication. Essentially a proxy.

    Your site needs to be configured to serve over https. If it can't, then Cloudflare won't communicate that way. Sometimes even if Cloudflare is using the correct schema your server will get confused, because it is not communicating like a browser would.

    The schema to Cloudflare is not the same thing as the scheme to your server. Also, if there isn't secure communication then man in the middle attacks can be possible.

    grep is your friend.
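
Added example (not part of the thread and not Vanilla's code): a sketch of scheme detection behind a proxy such as Cloudflare, for the case described in the comment above where the origin's server variables only reflect the proxy's connection. `effectiveScheme()`, `ipInCidr()` and the proxy range are hypothetical; `X-Forwarded-Proto` and `CF-Visitor` are headers Cloudflare adds to forwarded requests, and they are honoured here only when the direct peer is a trusted proxy address.

```php
<?php
// Added example, not Vanilla code; function names and proxy range are hypothetical.

/** True if IPv4 address $ip lies inside $cidr, e.g. "203.0.113.0/24". */
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Scheme the visitor used, from a $_SERVER-style array. */
function effectiveScheme(array $server, array $trustedProxies): string {
    // TLS terminated on this server.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https';
    }
    $trusted = false;
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($server['REMOTE_ADDR'] ?? '', $cidr)) {
            $trusted = true;
            break;
        }
    }
    if (!$trusted) {
        return 'http'; // forwarded headers from an arbitrary client are ignored
    }
    if (strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return 'https';
    }
    // Cloudflare also sends CF-Visitor: {"scheme":"https"}
    $visitor = json_decode($server['HTTP_CF_VISITOR'] ?? '', true);
    return is_array($visitor) && ($visitor['scheme'] ?? '') === 'https' ? 'https' : 'http';
}

// Constructed sample requests; 203.0.113.0/24 stands in for the proxy's address range.
$samples = [
    'via proxy, visitor on https' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via proxy, CF-Visitor only'  => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CF_VISITOR' => '{"scheme":"https"}'],
    'via proxy, visitor on http'  => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct client, forged header' => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    printf("%-30s %s\n", $label, effectiveScheme($server, ['203.0.113.0/24']));
}
```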

  • vrijvlinder Papillon-Sauvage MVP

    https://www.shoutmeloud.com/fix-mixed-content-error-wordpress-adding-ssl-certificate.html

    This link contains info for cloudflare ssl set up, could not post it last night due to computer and internet problems.
