https / ssl

NoNeedForAChestWig

NoNeedForAChestWig

Well-Known Member
Joined
Oct 3, 2010
Messages
3,030
Is there any chance of getting some secure connection possibilities? Even if it was only for protection during login, it would be a step in the right direction, in my opinion (even though I'd prefer HSTS).
 
Certs are expensive or annoying if not bought from a CA.
 
We'd use a self-signed cert. Requires manual approval for anyone who uses it, but it's better than nothing.

As for logging in, your password is not sent in the clear in vBulletin. Javascript is used to one-way MD5 hash it before it's sent.
 
NoNeedForAChestWig said:
Is there any chance of getting some secure connection possibilities? Even if it was only for protection during login, it would be a step in the right direction, in my opinion (even though I'd prefer HSTS).
Click to expand...

why?
 
Viper007Bond said:
We'd use a self-signed cert. Requires manual approval for anyone who uses it, but it's better than nothing.
Click to expand...

Yup, I'd be happy with that. Heck, you don't have to make it the standard option if you don't want to annoy people, just allow those who do want to use it to do so :)
 
Sometimes I masturbate with the curtains open, but sometimes I prefer that the neighbours aren't watching

Okay, forget that :ph34r:
 
I'll set it up, real cert and all, although I probably won't bother with "static.finalgear.com", so you'll get the old "some items on this page are being loaded over an insecure connection" warning from some browsers.
 
That's awesome, thanks PC!
 
OK, https://forums.finalgear.com is live. Let me know if you have any trouble. As stated above, static.finalgear.com is NOT transmitted encrypted, so your browser may bitch at you about how not all elements on the page are secure. Since buttons and CSS aren't exactly private information, I wouldn't really worry about it.

Edit: And apparently, all links are hardcoded to the insecure site, so on every click you're bumped back to http. It appears that this is because of a bug in vBulletin, and I don't think I'll be able to work around it. Sorry guys.
 
Last edited:
If using FireFox, you can use the HTTPS Everywhere plugin from EFF.org.

Once installed, browse to your user profile directory (Click Help->Troubleshooting Information, then select "Profile Directory [Open Containing Folder]". In the "HttpsEverywhereUserRules" folder, create a file called FinalGear.xml.
Paste the contents in the file:
Code: 
<ruleset name="FinalGearForums">
  <target host="forums.finalgear.com" />
   <rule from="^http://forums.finalgear\.com/" to="https://forums.finalgear.com/"/>
</ruleset>
Restart Firefox, and it should automatically redirect everything on the forums to SSL. YMMV.

Edit: You can use Quick reply just fine, but you cannot Quick edit posts. It throws a permissions error.
Edit 2: Before submitting changes, it asks you to log in again. Rather annoying.
 
Last edited:
Tonight i've been getting 'security certificate errors' doesn't help i'm using IE8 i suppose.
 
I have abused certain advanced features of nginx to allow me to work around the vbulletin bug that prevents having both http and https versions of the site. It should work perfectly now.
 
now the link on the front page only has to link to it...

if you click it now you still end up on the http :)
 
bone said:
now the link on the front page only has to link to it...

if you click it now you still end up on the http :)
Click to expand...

That's because we're not promoting it, since SSL can be slower for some people, especially those people on the other side of the world. If you want to use the https version, save a bookmark or something.
 
^makes sense

maybe you can add a checkbox on the contol panel, so everyone can choose how they connect? (just a suggestion)
 
bone said:
maybe you can add a checkbox on the contol panel, so everyone can choose how they connect? (just a suggestion)
Click to expand...

Unfortunately, that's not really an option, because vBulletin only works from a single URL, and uses absolute links for everything (which means you get redirected back to http on every link). The only way I was able to make it work was to use nginx (a very fast and stable web server/proxy) in front of the load-balancer to proxy the SSL connections back to the plain http backend servers, while using one of its advanced features to rewrite all forums.finalgear.com links to by https. As far as vBulletin (or the server it is running on are concerned), you're not using https, it's just nginx being clever that makes it all work.

Some day I should probably write a post about how we have all our infrastructure set up. It might be an interesting read for the 3 or so of you who are as nerdy as I am :p
 
You must log in or register to reply here.
Top