Allow both HTTPS / SSL and HTTP connections?

[ossipetz]

Hallo

I'm running a 4.0.x board and try to support HTTPS / SSL in the future. I want to allow both types of connections for a while.

So I enabled SSL in Apache but I know noticed that the resources (images, css, js files etc) are still loaded via HTTP. I think this is caused by the board_url setting in conf_global.php

 

What is the best approach to allow both http and https connections while serving all files via the initial protocol the user visits?
In 3.4.x there where quite some URL options, it seems most of them are no longer required in 4.0.x or detected automatically.

Does changing http to https affect the SEO cache somehow?

 

Thanks!

[MADMAN32395]

if you are going to SSL why not just have users in HTTPS 100%?

[GriefCode]

2 minutes ago, MADMAN32395 said:

if you are going to SSL why not just have users in HTTPS 100%?

Because some users can might get in trouble with the certificate and won't be able to access the page then.

Referencing:
https://community.invisionpower.com/topic/419711-full-ips-4-site-delivery-by-cdn/?do=findComment&comment=2589753

 

[Ausy]

9 minutes ago, ossipetz said:

What is the best approach to allow both http and https connections while serving all files via the initial protocol the user visits?

Just serve https only. You need to re submit a sitemap to google and thats it. You won't take a SEO hit in any way. Old urls will just redirect to https.

 

[GriefCode]

2 minutes ago, Ausy said:

You need to make sure its set up on the server right and that should not happen.

Light me up, how i can add support for the clients that don't support server name indication, would lovely use that setup.

[Ausy]

1 minute ago, Michael Schneider said:

Light me up, how i can add support for the clients that don't support server name indication, would lovely use that setup.

I replied to the wrong topic, your quoted me just before I realised and removed it.

[ossipetz]

well thats of course the goal but that will not work for me.

There are a couple of subdomains I run in the Apache Config and all use the same IP. And I'm just not sure about how well the Server Name indication works.

Then there is an analytics software running on a different domain (non-https at the moment).

 

I also found posts about embedded videos no longer showing. So thats a thing I want to verify first too.

 

So I need to test all that because I'm almost sure the certificate setup is messed up on the first attempt. (with all the chains, and intermediates and so on...)

Both needs to work for some time - until I'm ready for a full switch.

 

[MADMAN32395]

I utilize a wildcard SSL cert for one domain; and works fine with apache. only error my clients see is a few non-secure images; but thats advert issue lol but doesnt prevent viewing. even works fine on a old browser such as the one built into half-life (garrys mod). check for yourself. http://www.gcinema.net

[GriefCode]

24 minutes ago, Ausy said:

I replied to the wrong topic, your quoted me just before I realised and removed it.

No Problem.

23 minutes ago, MADMAN32395 said:

I utilize a wildcard SSL cert for one domain; and works fine with apache. only error my clients see is a few non-secure images; but thats advert issue lol but doesnt prevent viewing. even works fine on a old browser such as the one built into half-life (garrys mod). check for yourself. http://www.gcinema.net

Thats what i do too. I also have garrysmod servers and got an embed loading HTML page from my server. Works without issues. But we have tested our certificate against multiply VM'l setups and XP wasnt working. After we disable HSTS (which forced https) XP users could access the page, but insecure. Garrysmod is updated constantly, so the General base is also able to use Server Name insicator.

@ossipetz generally video embing is working fine. There was also a plugin on the marketplace that created an image proxy. But ipb planned to add it build in, im not aware if it is already added.

About the Server Name indicator, XP users are currently guessed to 6%. 4% are companies or states. If you dont expect their traffic, you should be good to go with a forced certificate.

You may should try the whole setup first with some free certificate, as example adding your domain to cloudflare provide that.

Having another page access the https side is generally fine, as long as its not vice versa. Upgrade is always working. But not the downgrade. Loading files from http will be blocked. But to be sure that you made all correct, you may want to open the developer console. When you test, you have always the info if anything was not loaded or was not secure loaded.

[Tracy Perry]

If you require SNI support, then your XP users pretty much are going to be left out in the cold.  

You have a few choices

1. Obtain addtional IP's and bind to each domain
2. Use SNI and the XP users will need to upgrade their VERY OLD AND NO LONGER SUPPORTED operating system
3. Serve both SSL/non-SSL (can get tricky, especially with nginx - not sure with Apache as it's been 4-5 years since I used it)

Personally - I'd choose option #2.  The Windows XP user base is very minimal and there reaches a point that you have to discontinue supporting old software.

 

[MADMAN32395]

5 hours ago, Michael Schneider said:

No Problem.

Thats what i do too. I also have garrysmod servers and got an embed loading HTML page from my server. Works without issues. But we have tested our certificate against multiply VM'l setups and XP wasnt working. After we disable HSTS (which forced https) XP users could access the page, but insecure. Garrysmod is updated constantly, so the General base is also able to use Server Name insicator.

@ossipetz generally video embing is working fine. There was also a plugin on the marketplace that created an image proxy. But ipb planned to add it build in, im not aware if it is already added.

About the Server Name indicator, XP users are currently guessed to 6%. 4% are companies or states. If you dont expect their traffic, you should be good to go with a forced certificate.

You may should try the whole setup first with some free certificate, as example adding your domain to cloudflare provide that.

Having another page access the https side is generally fine, as long as its not vice versa. Upgrade is always working. But not the downgrade. Loading files from http will be blocked. But to be sure that you made all correct, you may want to open the developer console. When you test, you have always the info if anything was not loaded or was not secure loaded.

but do keep in mind that gmod itself is updated constantly, Awesomium (the HTML base, it is not) ; I have to fight against it because that is what my server uses, as we are the original cinema lol; it's pretty out of date, best compared to is IE8, I can't remember the chromium equivalent. 

[GriefCode]

3 hours ago, MADMAN32395 said:

but do keep in mind that gmod itself is updated constantly, Awesomium (the HTML base, it is not) ; I have to fight against it because that is what my server uses, as we are the original cinema lol; it's pretty out of date, best compared to is IE8, I can't remember the chromium equivalent. 

Well i didnt look that much into it. But if you say IE8, that already supports SNI. I think IE6+ was the support Integration.

[Elduardo]

Offtopic: Garry is a douche, he spent a month working on avatar penises for Rust that literally randomize in length according to character race etc and his response to issues are "You only paid $20 for it - who cares?