I would like to know how you can SSL the lussumo BBS.
I have been having problem with this... login page is SSLed but after loggin in, its goes back to non SSL.
elvin
Hmmm. That's interesting. Most of the paths are written relatively, but I bet the problem is that the Configuration parameter for DOMAIN is set to an http instead of an https. Check out the settings in the "Application Settings" form on the "Settings" tab.
I think that what mark means is that the forum defaults to building a http://... request instead of one that starts with https:// which is at the moment hard-coded into vanilla. Don't quote me on that but I think that's the way it's set up. Mark?
In 0.9.2.6 it is, yeah. And that's a big pain to change, sadly.
If you have the cahones, you can use 0.9.3 which (I'm 99% sure) allows you to specify the BASEURL configuration variable complete with http or https. If it doesn't, I'd consider that a bug and change it for final release.
I was only interested in SSL'ing my signin.php page, so put the following snippet at the very top of the signin.php in my Vanilla (0.9.2.6) root.
if ($_SERVER['HTTPS']!= 'on') {
// Redirect user to secure page
header("Location: https://myserver.com/vanilla/signin.php");
exit;
}
I've just set up a vanilla forum with ssl. almost worked perfectly first time, but it was a small fix.
When I logged into sitename.org/vanilla, there was a redirecturl in the URL string which had an http instead of an https, and it didn't pay any attention to the $Configuration['BASE_URL'] or the $Configuration['FORWARD_VALIDATED_USER_URL'] in the conf/config.php file. this meant that when a user logged in they were redirected to the non-ssl page, producing an error, instead of the forum.
there is a function in 'library/framework/framework.functions.php' called 'GetRequestUri'
This automatically prepends the URL with http://, i changed that to https:// and it all works beautifully.
can I just add that the simplicity of the checkbox to secure the whole forum from unregistered users is a thing of beauty. I hadn't been able to work out how to do that in phpbb at all.
If I've misunderstood or stated the obvious, forgive me.
Brian
I'm also running Vanilla on an SSL only server. In addition to Bridawg's fix above. I also had to add the 's' here in order to get certain extensions to work:
library/Framework/Framework.Functions.php: if (strpos($PathToConcatenate, 'https://') !== false) return $PathToConcatenate;
There also appears to be another URL function somewhere that needs to be updated. I'm using the
Account Pictures extension to allow users to upload account images, which works fine. However, when someone updates their profile. Vanilla prepends the image location with http://, which results in a url like http://https://sub.domain.com/etc/imagefolder/image.blah
Sorry for the double post. I should have looked a little harder. While not elegant, I simply changed these lines preventing the http:// string from being forced into the url. This may cause issues. If someone who knows php better than I (99.9% of php coders) knows how to write this function to allow urls beginning with http:// or https://, I'd like to see it.
library/People/People.Class.User.php: $this->Icon = PrependString('', ForceIncomingString('Icon',''));
library/People/People.Class.User.php: $this->Picture = PrependString('', ForceIncomingString('Picture',''));
Is it possible to use https-URIs when the user already comes from a secure site and use plain http-URIs when not? I would like to offer my forum both secure and as plain HTTP and not force the user to any of the two. So when the user accesses a page via HTTPS, all links on that page should redirect to https, but when the forum is reached via plain HTTP, all page links should lead to http again. This could be done with relative addresses, but are they officially supported? (The Settings Panel says: "The web-path to Vanilla should be a complete path to Vanilla just as you would type it into a web browser.")
And another question: Is there an "official" way to force a user to login securely? Post #8 above provides this by hacking signin.php, but how can it be done in recent versions of Vanilla? (people.php?)
I'm not sure how vanilla will handle these changes if someone then modifies some configuration settings via the admin panel though so your mileage may vary.
Actually, this may be enough: $Configuration['BASE_URL'] = '//***************/';
$Configuration['HTTP_METHOD'] = '';
$Configuration['FORWARD_VALIDATED_USER_URL'] = '//*************/'; Not sure though on how Garden reacts on the empty string. But it's valid to omit the protocol in a href, it takes the one of the referrer.
Edit
Did some testing, Garden doesn't like it and prepends http:// to the base url.
Comments
I've added a new configuration setting called HTTP_METHOD to the subversion repository that will allow you to change to https.
Use php to see what the request method is and make the HTTP_METHOD configuration setting the same as that.
if($_SERVER['HTTPS']) {
I'm not sure how vanilla will handle these changes if someone then modifies some configuration settings via the admin panel though so your mileage may vary.$Configuration['BASE_URL'] = 'https://***********/';
$Configuration['HTTP_METHOD'] = 'https';
$Configuration['FORWARD_VALIDATED_USER_URL'] = 'https://***********/';
} else {
$Configuration['BASE_URL'] = 'http://***************/';
$Configuration['HTTP_METHOD'] = 'http';
$Configuration['FORWARD_VALIDATED_USER_URL'] = 'http://*************/';
}
$Configuration['BASE_URL'] = '//***************/'; $Configuration['HTTP_METHOD'] = ''; $Configuration['FORWARD_VALIDATED_USER_URL'] = '//*************/';Not sure though on how Garden reacts on the empty string. But it's valid to omit the protocol in a href, it takes the one of the referrer.
Edit
Did some testing, Garden doesn't like it and prepends http:// to the base url.