
Vanilla2 on https://. Insecure content in page.

Hello all.

I discovered Vanilla recently, and we may plan to use it as a community forum.
I'll test it for the moment.

Install was OK. Nice SSO plugins, and we'll test many more!

But I am trying to put it on https for my users' security.
In Chrome, I get the error 'insecure content in this page ...', the well-known error due to content served over http on the page. (Google it)
On my home page, for example, it's my logo, loaded from http://.../uploads/mylogo.png

What is the best way to enable SSL properly?

Thanks for your answer.

Lucas

More info:
I use a proxy (Nginx) which serves the SSL certificate and negotiation, then passes the request to Apache, which loads Vanilla from PHP AND static files. But that doesn't matter here, I think. It's just because Vanilla is in an OpenVZ container.

Could editing Vanilla code be a solution? I.e. editing everything that loads over http. Wow...

My vanilla is self hosted, for sure.

Comments

  • 422 Developer MVP

    If you use an external library such as jQuery, it will trigger the https warning for insecure content. Content served over the https protocol must be the same domain; at a guess this is your issue.


  • x00 MVP
    edited March 2013

    You can set the Logo explicitly with

    $Configuration['Garden']['Logo'] = 'https://.../uploads/mylogo.png';

    A different question but you can force SSL with the ForceSSL function. You could probably do it easier in your server rules however.

    It is very difficult to prevent mixed content entirely whatever you do. I mean you have to ensure even your external resources pan out. In some cases that external resource may not have a secure version, and even if it does, it does not always follow a logical location; for instance it could be https://secure.xyz.com rather than just a question of changing the scheme to https.

    There has been debate as to how helpful these error messages really are. I know that Safari is the only browser that doesn't react overzealously.

    If you are trying for an overall secure forum, but don't want these messages, forget about it. Think about it rationally: how are you going to police every link or resource that anybody posts? They could be posting rich content that itself loads other resources. You might check every CA each time, but what happens in two months or a year when it expires? Are you going to remember to remove it?

    The reality is: don't use a resource whose origin you don't trust, and don't allow user contributed content to be carte blanche. This is the real security. As long as that is followed, then you should be fine.

    Personally I only use SSL or TLS for http where it is needed, because it is an extra overhead; if it is not warranted, don't use it. This trend of site-wide SSL over http is a silly one for the most part.

    grep is your friend.

  • @422
    I don't think I use any other third-party library.
    I just have a basic forum install (with OpenID and Google Connect addons, like I said).

    @x00
    Can you explain one more time?
    -> Force the logo to https -> OK, that could solve the problem for the home page, but it's not a nice solution.

    -> You're talking about a ForceSSL function? Where? In the Vanilla dashboard? In the Vanilla config file?

    -> You said I can do that with server rules? How? With htaccess?
    Like I said, Apache is only on port 80. An Nginx listening on 443 does the SSL and passes the request to Apache on 80.

    -> Regarding the end of your message: I think it's stupid too. Some images could be over http while my site and users' passwords are well secured by https.
    But as you reckon, it's just because of the warning message for users (I don't get it with Firefox either).

    On the other hand, today's hardware performance allows us to do full SSL/TLS for http. And I think it's NOT an option to do password handshakes and deliver mail and personal messages over http.

    Thanks for your consideration.

    Still searching for a way to embed https in Vanilla.

  • I was merely talking about doing a 301 redirect.

    Any server rules; though you don't have to use Apache at all, Vanilla runs fine on nginx.

    Embedded is a question of using an embed script where the scheme is set to https.

    grep is your friend.

  • In fact, I use Proxmox (a lightweight virtualization software).
    So I must use 2 web servers.
    Nginx is on the host (as a proxy and for SSL), then the request goes to the guest/container, to Apache. (Apache could be a second Nginx.)

    So on the first web server all requests to http://forum.com/myrequest are rewritten to https://forum/myrequest.
    Then it does the SSL session and passes the request to the virtual container on 10.0.0.5:80.

    I don't know how the logo (in the example) is loaded over http.
    Maybe Apache loads http on its own and sends it to the client, bypassing the Nginx proxy. Weird thing here.

    And yes, embedded is not currently a good word.

    I'm looking more for a way to change everything that is loaded, and the links, to https://
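The setup described in this thread (TLS terminated by nginx on the host, Vanilla behind it on plain port 80) is the usual cause of the logo being emitted as http://: the backend only ever sees an http request, so every absolute URL it builds uses that scheme unless it is told the real one. The following is an added example, not code from Vanilla or from anyone in the thread. It shows the two defensive pieces a practitioner would want: deriving the client's real scheme from X-Forwarded-Proto only when the connection comes from the trusted proxy (otherwise the header is attacker-controlled), and scanning a page for http:// sub-resources so mixed content can be found before a browser complains. The proxy network 10.0.0.0/24, the host names and the sample HTML are all constructed assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumption (constructed for this example): the TLS-terminating nginx on the
# Proxmox host reaches the container from this network. Only a connection
# from here may tell the backend "the client used https".
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def effective_scheme(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Scheme the browser actually used, as seen from the plain-http backend.

    Apache on :80 only ever sees http, so absolute URLs it builds (the logo,
    redirects, links) come out as http:// unless it learns the real scheme
    from X-Forwarded-Proto. The header is honoured only when the connection
    comes from a trusted proxy; from anyone else it is attacker-controlled.
    """
    ip = ipaddress.ip_address(remote_addr)
    if not any(ip in net for net in trusted_proxies):
        return "http"
    lowered = {k.lower(): v for k, v in headers.items()}
    # If several proxies appended values, the first one is the client-facing hop.
    proto = lowered.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else "http"


# Tag attributes whose value the browser fetches as a sub-resource. A plain
# <a href> is a navigation, not a sub-resource, so it is not mixed content.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "audio": ("src",), "video": ("src",), "source": ("src",), "object": ("data",),
    "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, url) pairs for http:// sub-resources on an https page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(name)
            # Relative and protocol-relative URLs inherit the page scheme, so
            # only an explicit http:// scheme is a problem.
            if url and self.page_scheme == "https" and urlsplit(url).scheme == "http":
                self.findings.append((tag, url))


def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


def suggested_fix(url, own_host):
    """Rewrite a same-origin http:// URL to https://. External resources get
    None: their secure version, if any, may live at a different location and
    needs a manual check."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname == own_host:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return None


# Constructed sample page standing in for the forum's home page.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://forum.example/css/style.css">
<script src="http://ajax.example.net/jquery.js"></script>
</head><body>
<img src="http://forum.example/uploads/mylogo.png">
<img src="/uploads/avatar.png">
<a href="http://forum.example/discussions">a link, not a sub-resource</a>
</body></html>
"""

if __name__ == "__main__":
    print(effective_scheme("10.0.0.1", {"X-Forwarded-Proto": "https"}))
    print(effective_scheme("203.0.113.9", {"X-Forwarded-Proto": "https"}))
    for tag, url in find_mixed_content(SAMPLE_HTML, "https://forum.example/"):
        print(tag, url, "->", suggested_fix(url, "forum.example") or "check external host")
```

The trusted-proxy check is the part that matters for security: if the backend believes X-Forwarded-Proto from any client, a request sent straight to port 80 inside the network can claim to be https and defeat whatever logic depends on the scheme. The scanner deliberately ignores relative and protocol-relative URLs, which already follow the page's scheme, and flags only same-origin URLs for automatic rewriting; external hosts are reported for a manual check, for the reason x00 gives above.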

