Author Topic: SERVER SSL Upgrade  (Read 30261 times)


Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #25 on: March 31, 2017, 09:34:47 am »
https://www.eevblog.com/forum/ doesn't redirect to a SSL connection, as e.g. http://www.google.com does.

Correct, please hold off on testing/reports until I state things are ready.
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: SERVER SSL Upgrade
« Reply #26 on: March 31, 2017, 09:40:37 am »
@gnif & Dave: Thank you!  :-+
 
The following users thanked this post: SeanB

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #27 on: March 31, 2017, 10:07:30 am »
For those wondering what the issue is, SMF is correctly generating the URLs for things with http or https as required, but there is some post filtering going on somewhere that is rewriting the https links to http, I am tracing the cause now.

Edit: It appears the cause is 'Pretty URLs'
Edit 2: Confirmed, Pretty URLs is caching the URL rewrites, but is not caching the scheme, so it's randomizing the URL schemes based on who loaded it first, either via HTTP or HTTPS
« Last Edit: March 31, 2017, 10:21:23 am by gnif »
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: SERVER SSL Upgrade
« Reply #28 on: March 31, 2017, 10:52:54 am »
Edit 2: Confirmed, Pretty URLs is caching the URL rewrites, but is not caching the scheme, so it's randomizing the URL schemes based on who loaded it first, either via HTTP or HTTPS

Is that fixable?
Pretty URLs is an important plugin.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #29 on: March 31, 2017, 10:53:58 am »
Yes, I am digging through it now, I have already patched several locations that were a problem, should get to the bottom of it soon.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #30 on: March 31, 2017, 11:02:57 am »
I had to:

1) apply a patch to make it cache the replaced URLs based on the presence of SSL
2) Discover it doesn't use the forum's base URL, but its own separate setting which it stupidly doesn't expose in the admin area.

Code:
update smf_settings set value = '//www.eevblog.com/forum' where variable = 'pretty_root_url';
Still yet to go through and check everything over before I give the 'It's working, look for bugs' update :)
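
An added example, not part of gnif's post and not Pretty URLs code: the caching bug from Reply #27 next to the fix described in step 1 above, written in PHP because that is the language SMF uses. The function names, the `blog/` path and the two request arrays are constructed for illustration.

```php
<?php
// Added illustration; not Pretty URLs source. All function names are hypothetical.

// Scheme of the current request. Behind a TLS-terminating proxy the origin may
// only see X-Forwarded-Proto; honour it only for requests from that proxy.
function request_scheme(array $server): string
{
    $https = strtolower($server['HTTPS'] ?? '');
    if (($https !== '' && $https !== 'off')
        || strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return 'https';
    }
    return 'http';
}

function build_url(string $scheme, string $path): string
{
    return $scheme . '://www.eevblog.com/forum/' . ltrim($path, '/');
}

// Bug as described in the thread: the cache key is the path alone, so the
// scheme of whoever loads the page first is stored and served to everyone.
function rewrite_buggy(array &$cache, array $server, string $path): string
{
    return $cache[$path] ??= build_url(request_scheme($server), $path);
}

// Fix: the scheme is part of the cache key, so HTTP and HTTPS visitors
// each get an entry that matches their own connection.
function rewrite_fixed(array &$cache, array $server, string $path): string
{
    $scheme = request_scheme($server);
    return $cache[$scheme . '|' . $path] ??= build_url($scheme, $path);
}

// Constructed requests: an HTTP visitor warms the cache, then an HTTPS visitor
// asks for the same link.
$httpVisitor  = ['HTTPS' => 'off'];
$httpsVisitor = ['HTTPS' => 'on'];

foreach (['rewrite_buggy', 'rewrite_fixed'] as $rewrite) {
    $cache = [];
    $rewrite($cache, $httpVisitor, 'blog/');
    echo $rewrite, ' -> HTTPS visitor gets ', $rewrite($cache, $httpsVisitor, 'blog/'), "\n";
}
```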
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #31 on: March 31, 2017, 11:11:51 am »
Ok, seems good across the board to me, both SSL and non SSL.

Sorry if I come across a bit rash with my replies to reports, I just stress out a bit when things don't go as planned, I certainly do appreciate the testing and feedback provided by the community.

Edit: Also, if Dave ever decides to turn off CloudFlare the website will continue to just work, we have valid end to end encryption now.
Edit2: We are not serving the upgrade-insecure header to keep embedded off site images working, but we are complying with clients asking to upgrade from insecure, this will keep us completely backwards compatible.
Edit3: Seems the smiley faces are always being served from http regardless, I will look into this tomorrow, I have had enough for tonight :)
« Last Edit: March 31, 2017, 11:30:18 am by gnif »
 
The following users thanked this post: SeanB, MatthewEveritt

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5121
  • Country: nl
Re: SERVER SSL Upgrade
« Reply #32 on: March 31, 2017, 11:32:31 am »
I spotted what I think is a side effect of the changes: When reading the unread or unreadreplies link when you click on a post and then use the back button it reloads the list and the post you just read is gone. This is a bit confusing because it makes tracking where you are more difficult.

(I don't read all posts on the unread page, just the ones that interest me, and then simply use the back button on the mouse to go back to the list. When everything was still http: it showed me the same list every time.)

Keyboard error: Press F1 to continue.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #33 on: March 31, 2017, 11:35:28 am »
I spotted what I think is a side effect of the changes: When reading the unread or unreadreplies link when you click on a post and then use the back button it reloads the list and the post you just read is gone. This is a bit confusing because it makes tracking where you are more difficult.

(I don't read all posts on the unread page, just the ones that interest me, and then simply use the back button on the mouse to go back to the list. When everything was still http: it showed me the same list every time.)

My bet is you loaded that page via HTTP and when you hit back, it is going back to the HTTP page, which is then being upgraded to HTTPS. Did you perhaps go to the unread page via a bookmark? Btw I can not replicate the behavior you mention.
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5121
  • Country: nl
Re: SERVER SSL Upgrade
« Reply #34 on: March 31, 2017, 12:04:51 pm »
Nope, HTTPS all the way. It's only IE, Chrome and Firefox are fine.
(Yes I have to use IE for some undisclosed reason, but I can use chrome for the forum)
Keyboard error: Press F1 to continue.
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: SERVER SSL Upgrade
« Reply #35 on: March 31, 2017, 01:55:05 pm »
 Maybe I'm not interpreting what you posted correctly, but it sounds like what you are doing is similar to how I read the forum. Click on a section, read the messages that interest you, then back out and go on to the next section. However, I never use back to get all the way out, I click in the nav tree just above the messages, because as long as I've been here, no matter what browser I use, if I just use the back button, it still flags the section as having new posts. If I actually use the tree to select the top level, or even the high level category, then the section I just was in will show as having no new messages (unless someone actually snuck in and posted). That happens for me with Chrome, IE, Edge, or Safari. Sometimes I forget and use the back button (easy when there's a back button right on the mouse) but in that case I can either revisit the section and go back via the tree or refresh the page. This does not appear to have changed with HTTPS.

 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5121
  • Country: nl
Re: SERVER SSL Upgrade
« Reply #36 on: March 31, 2017, 02:12:21 pm »
I use the 'show unread posts since last visit' on the top of the page, that way I don't have to navigate the sections. If I click a post in that list and then go back with the (mouse) back button the post I just clicked is gone from the list, as if the list was generated again. This only in IE as I mentioned.
Keyboard error: Press F1 to continue.
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: SERVER SSL Upgrade
« Reply #37 on: March 31, 2017, 02:37:57 pm »
 That sort of sounds like it works as intended, but ONLY in IE - after all, if you've read the post, it no longer is unread and shouldn't appear on the list.  :-DD

 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7990
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #38 on: March 31, 2017, 08:07:40 pm »
Paging Dr. gnif, notification links are missing their protocol: https://www.eevblog.com/forum/blog/notification-precated/
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #39 on: March 31, 2017, 08:45:09 pm »
Paging Dr. gnif, notification links are missing their protocol: https://www.eevblog.com/forum/blog/notification-precated/

This is a known issue, I do not have time at current to look for a solution, it is a minor breakage and not a high priority at the moment.
 

Offline texaspyro

  • Super Contributor
  • ***
  • Posts: 1407
Re: SERVER SSL Upgrade
« Reply #40 on: March 31, 2017, 11:27:01 pm »
Paging Dr. gnif, notification links are missing their protocol: https://www.eevblog.com/forum/blog/notification-precated/

This is a known issue, I do not have time at current to look for a solution, it is a minor breakage and not a high priority at the moment.

A lot of email systems don't recognize the link as a link without the http: and you have to cut it from the email, paste it into the browser address bar,  then edit it to include the http:  A royal pain if you have a lot of notifications to check out.

Good luck on the https upgrade...  I've been down that rabbit hole before and it's no fun to get all the issues sorted out.
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 9057
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: SERVER SSL Upgrade
« Reply #41 on: April 01, 2017, 02:52:57 am »
Thanks for the SSL/TLS upgrade. If legislation in the US passes to allow ISPs to profit from our browsing activity, inject ads (or who knows what else) onto other sites' pages, etc., having end-to-end encryption will help.
TEA is the way. | TEA Time channel
 

Offline magetoo

  • Frequent Contributor
  • **
  • Posts: 284
  • Country: se
Re: SERVER SSL Upgrade
« Reply #42 on: April 01, 2017, 06:14:12 pm »
Is the long-term plan to turn off HTTP and go HTTPS-only?  Asking because I'm noticing that everything except the initial page load (stylesheets, images) gets turned into HTTPS even when accessing the forum via HTTP.  Except for the emoticons.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #43 on: April 01, 2017, 06:15:03 pm »
Is the long-term plan to turn off HTTP and go HTTPS-only?  Asking because I'm noticing that everything except the initial page load (stylesheets, images) gets turned into HTTPS even when accessing the forum via HTTP.  Except for the emoticons.

No, there is some inconsistency at the moment, but the plan is to fully support both.
 

Offline magetoo

  • Frequent Contributor
  • **
  • Posts: 284
  • Country: se
Re: SERVER SSL Upgrade
« Reply #44 on: April 01, 2017, 06:27:57 pm »
No, there is some inconsistency at the moment, but the plan is to fully support both.

Good to know.  Some things seemed wonky (using HTTP going through a Squid proxy) but I'll hold off on complaining.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #45 on: April 03, 2017, 11:34:55 am »
In what time I could find the last few days I threw together a mod for SMF that allows inserting post filter hooks, the website will now generate the correct URLs depending on if you visit using http or https.

The filter is a search and replace based on the forum URL, for example, if I post this:

https://www.eevblog.com/forum

It will be automatically changed to http or https depending on how you load this page, this should keep everyone happy. This filter only applies to URLs starting with "www.eevblog.com/forum", everything else is ignored. If this causes any problems please post them here.
 
The following users thanked this post: Ian.M, bitseeker
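
An added sketch of a scheme-matching filter like the one described in Reply #45; it is not gnif's SMF mod. The prefix string comes from the post, while the function name, the boundary rules in the regex and the sample post body are assumptions made for this example.

```php
<?php
// Added illustration; not the code of the SMF package mentioned in the thread.
const FORUM_PREFIX = 'www.eevblog.com/forum';

// Rewrite links to the forum so their scheme matches the current request.
// Everything that does not start with the forum prefix is left untouched.
function match_request_scheme(string $html, bool $isHttps): string
{
    $scheme = $isHttps ? 'https' : 'http';
    // Accept http://, https:// or protocol-relative // directly before the prefix.
    // The lookbehind refuses a match that begins inside a longer token
    // (e.g. "ftp://"), the lookahead stops "/forum" matching "/forums-archive".
    $pattern = '~(?<![\w/:.-])(?:https?:)?//'
             . preg_quote(FORUM_PREFIX, '~')
             . '(?![\w-])~i';
    return preg_replace($pattern, $scheme . '://' . FORUM_PREFIX, $html) ?? $html;
}

// Constructed post body covering the cases the filter has to tell apart.
$post = <<<'HTML'
<a href="https://www.eevblog.com/forum/blog/">on-site, posted as https</a>
<a href="http://www.eevblog.com/forum/blog/">on-site, posted as http</a>
<a href="//www.eevblog.com/forum/blog/">on-site, protocol-relative</a>
<img src="http://images.example.org/scope.png"> off-site image, must stay as posted
<a href="http://www.eevblog.com/forums-archive/">same host, different path</a>
HTML;

foreach ([true, false] as $isHttps) {
    echo $isHttps ? "--- page loaded over HTTPS ---\n" : "--- page loaded over HTTP ---\n";
    echo match_request_scheme($post, $isHttps), "\n\n";
}
```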

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 12806
Re: SERVER SSL Upgrade
« Reply #46 on: April 03, 2017, 11:49:30 am »
Many thanks.  I've just commented out the link rewriter in my Greasemonkey script and I'll see how it goes.

Would it be possible to post a list of SSL/TLS protocols and encryption methods the server now accepts, so those of us with legacy browsers can check compatibility against possible browser upgrades *BEFORE* installing them?
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #47 on: April 03, 2017, 01:03:42 pm »
In what time I could find the last few days I threw together a mod for SMF that allows inserting post filter hooks, the website will now generate the correct URLs depending on if you visit using http or https.

The filter is a search and replace based on the forum URL, for example, if I post this:

https://www.eevblog.com/forum

It will be automatically changed to http or https depending on how you load this page, this should keep everyone happy. This filter only applies to URLs starting with "www.eevblog.com/forum", everything else is ignored. If this causes any problems please post them here.

If you implement local customisations to modify the standard SMF software then at each upgrade you'll always have to test and or retrofit them. It is generally better to suck up the pain one time and move on with simpler future upgrades. Better to dump some of the legacy stuff and simplify.  Admittedly I don't really follow the http/https issues all that well.

Gnif: Even though I quoted you this isn't a criticism. Just a general observation. The quote was to carry the context.

They are not local customisations, I have written a proper package that integrates/installs/uninstalls and is tracked up the updater, there should be no issues.

That said, since it seems to be working I am going to disable the redirect if the browser states to upgrade requests, that way people can decide if they do or don't want SSL.
« Last Edit: April 03, 2017, 01:06:48 pm by gnif »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #48 on: April 03, 2017, 07:38:43 pm »
No complaints so far, everything seems good.

I made a small change so that the login URL is always https (including the one on the top banner), but it will still work with http if you really must use http, just drop off the 's' in the url.

Edit: Just picked up a small issue, when posting it posts to HTTPS, but redirects you back to HTTP, I will investigate this later if I can.
« Last Edit: April 03, 2017, 07:42:23 pm by gnif »
 

Offline RayRay

  • Frequent Contributor
  • **
  • Posts: 297
Re: SERVER SSL Upgrade
« Reply #49 on: April 03, 2017, 07:42:09 pm »
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
 

