Full SSL support

[Makoto]

It's been suggested before to enable full SSL support for the AdminCP, but I'd like to take things a step further with my own suggestion.

I would like to have the option to enable SSL everywhere on IP.Board.

Not just on login pages, not just the ACP, but give users the option to use SSL globally, similar to the manner sites like Facebook do.

Users would be able change this setting through their account settings, giving them the option to enable or disable global SSL this way, but still letting the admin force SSL on login pages.

SSL would first need to be enabled and set up by the boards administrator, of course.

[Makoto]

5 likes so far, but no comments.

Bumping for attention.

[Free Cat]

I think I'm about to pull the trigger on purchasing IPS, but I'm a bit surprised to see this is not available. Security is a key point of concern, not just for the operation of the site, but even for the subject matter of my planned site. I would very much like to see this implemented if I do purchase.

[Mark]

Just change all the URL settings (including that in conf_global.php) to use "https://"

[Makoto]

Just change all the URL settings (including that in conf_global.php) to use "https://"

I'm talking about giving users the option to use HTTPS instead of HTTP as well, not just trying to force it globally.

[Mark]

But why? Most users probably don't know what "https" even means - and of those that do, why would they select not to use it?

[Weppa333]

just FYI, even google images is serving all images thru HTTPS lately, so "not wanting https" is indeed weird.

[aSlightDrizzle]

I was looking for something like this as well.

[Bethanyrayne]

Just change all the URL settings (including that in conf_global.php) to use "https://"

How many URL's would need to be changed and where? Sorry for the stupid question.

[Charles]

Just conf_global.php URL and the URLs in General Settings in ACP.

[Bethanyrayne]

Thanks Charles

[Makoto]

Yeah. You make a good point.

There was actually one other thing I wanted to post about.

When forcing SSL that way, the site still loads images from style_images (such as your logo and emoticons) using HTTP, not HTTPS.

I'm looking for a simple way to fix that right now.

[Charles]

You also need to change the image URL in the ACP to https.

[Makoto]

You also need to change the image URL in the ACP to https.

Under the CDN settings? I did that, but it's still pulling from the regular HTTP address.

[Makoto]

Specifying a manual link to the logo (overriding {style_images_url}) works.

Emoticons are still pulling from HTTP, but other than that, everything works well.

A few users are complaining about an odd issue in Safari ever since switching, but I don't see how that's relevant.

I won't bother posting about it until I get more information.

[Bethanyrayne]

You will have trouble with any content pulled from outside such as adverts and posts with images from the likes of Photo Bucket but anything from inside your domain such as public/style_images/* should be fine. I'm beginning to wonder whether it is worth the effort honestly because a partial encryption warning to the visitor is worse than no encryption.

[Makoto]

You will have trouble with any content pulled from outside such as adverts and posts with images from the likes of Photo Bucket but anything from inside your domain such as public/style_images/* should be fine. I'm beginning to wonder whether it is worth the effort honestly because a partial encryption warning to the visitor is worse than no encryption.

I did take this into factor.

I think AdSense even uses HTTPS, but I don't even have any adverts on my site whatsoever.

However, I just think it's nice to have that "fully encrypted" image where possible, even if it's only on the board index.

Right now everything on the site (ACP included) is fully encrypted without issue. Only when opening threads with smileys or external image links does it show partial encryption.

So I'm happy enough with how it is now.

[PANL]

i don't think full SSL work. you need to know that if you want to use full SSL no images may be use from different website.
Example an image that's from a external website for your avatar or signature, that make your SSL directly insecure...

you can use t his in your conf_global.php so you can access the admin pannel with SSL

$INFO['board_url'] = $GLOBALS['boardurl'] = (!empty($_SERVER['HTTPS']) ? 'https://' : 'http://') . 'www.yourwebsite.com';

and this on your admin folder in a .htaccess file

RewriteEngine On

RewriteCond %{SERVER_PORT} 80

RewriteRule ^(.*)$ https://domain.com/$1 [R,L]

[Makoto]

i don't think full SSL work. you need to know that if you want to use full SSL no images may be use from different website.

Example an image that's from a external website for your avatar or signature, that make your SSL directly insecure...

you can use t his in your conf_global.php so you can access the admin pannel with SSL

$INFO['board_url'] = $GLOBALS['boardurl'] = (!empty($_SERVER['HTTPS']) ? 'https://' : 'http://') . 'www.yourwebsite.com';

and this on your admin folder in a .htaccess file

RewriteEngine On

RewriteCond %{SERVER_PORT} 80

RewriteRule ^(.*)$ https://domain.com/$1 [R,L]

Of course. We've established that external images will break the "full" SSL status of a web page, but that doesn't really matter entirely.

If you actually care about security, I think partial encryption can be better than nothing at all. That "warning" is generally just a dialogue window most people disable after they first see it.

It's not a big issue.

[RObiN-HoOD]

I also believe that full SSL support should be considered.

[Mark]

As we said - full SSL support is already available ;)

1. Change the URL in conf_global.php
2. Go to Admin CP --> Look & Feel --> Template Tools - click "Recache Skin Sets"
3. Change the "Upload URL" under Admin CP --> System --> System Settings --> General Configuration

[Will Munny]

I think you're kind of missing the point. I think many admins would like to activate https for logged in members. That's what I need, and how I landed on this thread... is it possible to use http for guests, and https for members?

[Rhett]

I think you're kind of missing the point. I think many admins would like to activate https for logged in members. That's what I need, and how I landed on this thread... is it possible to use http for guests, and https for members?

Currently you can't, the board can only use one or the other, there is an option for login's only to protect user info, if your concerned about security on another part of the site, run the whole site under ssl, the problem with running under ssl is you have to restrict your users from posting remote images, if you are ok with this then run the whole site as ssl and the problem is solved.

[Guest]

run the whole site as ssl and the problem is solved.

The problem is that css is not served as files they are all embedded which is a terrible thing

[Will Munny]

run the whole site as ssl and the problem is solved.

From an SEO perspective, it's a disaster, unless there is a way to 301 all the existing http pages to https.