Forums

Unfortunately no one can be told what FluxBB is - you have to see it for yourself.

You are not logged in.

#1 2018-10-23 07:33:00

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 550
Website

Support https

Hi,

I had seen a discussion about https support by FluxBB, but can't find it (Nobody is perfect!)

I will soon switch my site to https, so the FluxBB forum and as it is already https here, it is the best place to ask what to change in the management of the forum.
Thank you.


Ce n'est pas parce que l'erreur se propage qu'elle devient vérité. Ghandi
An error does not become truth by reason of multiplied propagation. Ghandi

Offline

#2 2018-10-23 19:51:56

DarkZero
Member
From: France
Registered: 2015-03-11
Posts: 9

Re: Support https

Hello,

For FluxBB, you have to edit your "Base URL" in the Administration > Options.

Your forum will unfortunately not be completely in HTTPS. If there are images or contents loaded in HTTP, it will be indicated in the browser. You should prevent mixed content warnings on secure pages by using a proxy image. Like Camo. However, this requires more skill (server and integration). I already used Camo for FluxBB. If you're interested, I can share what I did, but it's more about the server part.
Some forums rewrite URLs. It's less good, but it works.
It's a step that can come later of course. Or never... as you want.

Do not forget to load CSS / JS / Font / Others content in HTTPS. All resources — whether on the same origin or not — should be loaded over secure channels.

Also configure your cookies in encrypted form. All cookies must be set with the Secure flag, and set as restrictively as possible

-----
If I can also advise you on the server part.

Configure your server with a modern TLS configuration.
This tool can hep you : https://mozilla.github.io/server-side-t … generator/

Use HTTP Strict Transport Security (HSTS) is your HTTP header to notify user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP. Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS. HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.

Also correctly configure your HTTP redirects. So many badly configured sites.

For example, this redirection order is correct:
http://example.comhttps://example.comhttps://www.example.com.

An incorrect redirection looks like this:
http://example.comhttps://www.example.com.

If you need help, do not hesitate.

Offline

#3 2018-10-24 07:14:22

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 550
Website

Re: Support https

Hi,

Merci. Thank you.
Considering the host, I am advised to put at the root of the site an .htaccess file containing

RewriteEngine on
RewriteCond %{REQUEST_SCHEME} =http
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

What do you think of that?


Ce n'est pas parce que l'erreur se propage qu'elle devient vérité. Ghandi
An error does not become truth by reason of multiplied propagation. Ghandi

Offline

#4 2018-10-24 17:22:10

DarkZero
Member
From: France
Registered: 2015-03-11
Posts: 9

Re: Support https

Hi,

You should do that with a VirtualHost. So two vhost.

For example:

HTTP:

<IfModule mod_ssl.c>
<VirtualHost *:80>

# Logs
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Redirect permanent / https://example.com/
</VirtualHost>

</IfModule>

HTTPS:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName example.com
DocumentRoot /path/to/your_website

# Logs
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# HTTPS
SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
SSLCertificateKeyFile   /path/to/private/key
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

</VirtualHost>
</IfModule>

It's without subdomain.
It's basic too. It should activate more headers.

Offline

#5 2018-10-24 19:30:16

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,559
Website

Re: Support https

That seems correct. smile


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

Board footer

Powered by FluxBB