marklcfc Posted December 27, 2016

What is the process for transferring from http to https? My hosts said they can set it up on their side but then said:

> you will need to update your website code to use https instead of http for each and every local & remote resource which depending on how well your website is coded

Also is it necessary? I've been thinking about it for some time and had an email this morning from Google which mentioned:

> Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.
marklcfc (Author) Posted December 27, 2016

What's the difference between https for logins only and 100% https? Which is recommended here?
Jacques Corby-Tuech Posted December 28, 2016

> 19 hours ago, marklcfc said:
> What's the difference between https for logins only and 100% https? Which is recommended here?

There's really no reason NOT to be serving the entire website over https these days.
PPlanet Posted December 28, 2016

> 13 minutes ago, Jacques Corby-Tuech said:
> There's really no reason NOT to be serving the entire website over https these days.

Well, I tried the other day and the site gradually turned so slow that it almost came to a halt; I reverted it back to http:// (So, I guess that's a reason, and yes I should probably get it seen as to where the problem lies, and eventually I will).

And sorry, while on this topic, is there a way (even via .htaccess) to implement https:// for logins and admin only for IPB 3.4? I would love to try that in the meantime.
Joy Rex Posted December 28, 2016

> 51 minutes ago, PPlanet said:
> Well, I tried the other day and the site gradually turned so slow that it almost came to a halt; I reverted it back to http:// (So, I guess that's a reason, and yes I should probably get it seen as to where the problem lies, and eventually I will). And sorry, while on this topic, is there a way (even via .htaccess) to implement https:// for logins and admin only for IPB 3.4? I would love to try that in the meantime.

https:// shouldn't be slowing down your page loading - I would turn it on again, and use Chrome's Developer Tools to determine where the bottleneck is occurring.
opentype Posted December 28, 2016

> 2 hours ago, Jacques Corby-Tuech said:
> There's really no reason NOT to be serving the entire website over https these days.

I serve 2 IPS sites over SSL and 2 others not. What’s holding me back on these 2 sites:

- no stock option to convert the embedded non-SSL content in tens of thousands of posts to SSL
- the costs of SSL if the provider doesn’t allow free/external certificates
PPlanet Posted December 29, 2016

> 9 hours ago, Joy Rex said:
> https:// shouldn't be slowing down your page loading - I would turn it on again, and use Chrome's Developer Tools to determine where the bottleneck is occurring.

Yes, I'm not really sure what it was. I'm not very good at troubleshooting this sort of thing either. For a few hours it went well (even when I think each page load took a tiny bit more in loading probably while the secure connection was negotiated), then when I thought all was fine, I forced the https via .htaccess and submitted it as a new site, new sitemap to Google Webmasters Tools, so unfortunately two things may have happened at once as my site approached peak activity hour. For all I know it could have been Google bots re-indexing the pages.

I use one of those shared Cloudflare certificates, not sure if that matters. I even bought 3 certificates (1 for domain and 2 for subdomains) got my host to install them, just to realise later that Cloudflare only allows you to use your own if you upgrade to their business plan ($200 per month, so that's not an option). I could also buy a certificate from them if I knew it was any better than the shared one they let you use for free. (Does anyone know if it's worth it? It's not that expensive, it costs something like 60 bucks or so a year, and it would cover domain and subdomains)

In any case, as I asked above, does anyone know how to achieve SSL for logins and admin only using .htaccess? (As I'm still using IPB 3.4) Also using chat for 3.4 will force me to get a way around to connect if I was to have the whole site using SSL (but sadly that problem will be over by May ;))
PPlanet Posted December 29, 2016

> 32 minutes ago, sweethoney said:
> do you want your whole website on ssl

Are you asking me or the OP? If it's me, then no; at this stage I'd like to try logins and admin only (but since I'm using IPB 3.4 I can't do it so easily from the ACP). If you are asking the OP, my apologies for crashing his thread (but we both have the same needs anyway).
Tarun Posted December 29, 2016

Having your entire site using https helps to protect visitors from MITM, XSS and other issues. You can add several layers of additional protection, and also get onto the HSTS preload list as well. https has a very minimal slowdown on page loads. It's worth it, really.
marklcfc (Author) Posted December 29, 2016

My host said

> A basic (free) temporary SSL is already in place and as such, you can already manually navigate to your forum via https:// which currently gives a warning due to there being non secure (non https) resources being called - you'll need to go through these and correct before forcing https as many browsers will refuse to load non secure resources on a secure website.

Does that mean I can turn on ssl for logins only? Or is there other things I need to do?
opentype Posted December 29, 2016

> 22 minutes ago, marklcfc said:
> Does that mean I can turn on ssl for logins only?

Yes. Not sure what they mean with “temporary” though.

> Or is there other things I need to do?

You need to check what they said: Once you turn on SSL, you need to be sure that on the affected pages no non-secure content is delivered, e.g. logos, banners and things like that.
marklcfc (Author) Posted December 29, 2016

I've made the above changes but I'm seeing a few problems. The board index is secure. Then I enter a forum and that is secure, but then I enter a different forum and that isn't.. also all the topics are not secure.
Simon Woods Posted December 29, 2016

> 2 minutes ago, marklcfc said:
> I've made the above changes but I'm seeing a few problems. The board index is secure. Then I enter a forum and that is secure, but then I enter a different forum and that isn't.. also all the topics are not secure.

Yep, sounds right, as your host said:

> you can already manually navigate to your forum via https:// which currently gives a warning due to there being non secure (non https) resources being called

To fix this you need to do what they said next:

> you'll need to go through these and correct before forcing https as many browsers will refuse to load non secure resources on a secure website.

I'm not sure if there is an easier way to do this or if it is only possible by going through each individual resource. This is actually the main reason why I am making this switch at a later point in this year, when I have more time on my hands.
marklcfc (Author) Posted December 29, 2016

I'm not sure what resources they are referring to? I looked at the source and all the http:// links were standard forum links, surely they should have changed to https?
Nathan Explosion Posted December 29, 2016

Clear forum cache via the support tool - must be done after you change the URL in conf_global.php
marklcfc (Author) Posted December 29, 2016

Yes I did that. On board index for example there are 9 instances of http:// those are

> itemscope itemtype="http://schema.org/WebSite">
> itemtype="http://schema.org/SearchAction"
> <a href="http://mysite.co.uk" data-navItem-id="1" data-navDefault>
> <ul itemscope itemtype="http://schema.org/BreadcrumbList">
> <li itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem">
> <a title="Home" href='https://www.foxestalk.co.uk/forums/' itemscope itemtype="http://schema.org/Thing" itemprop="item">
> <img src="http://abs.twimg.com/sticky/default_profile_images/default_profile_6_normal.png" alt="Innovindil" itemprop="image">
ehren. Posted December 29, 2016

> 5 minutes ago, marklcfc said:
> Yes I did that. On board index for example there are 9 instances of http:// those are

http in links and source code isn't the issue. The issue is the http resource (the image being loaded from Twitter). That's the only thing you need to fix.
marklcfc (Author) Posted December 29, 2016

> 5 minutes ago, ehren. said:
> http in links and source code isn't the issue. The issue is the http resource (the image being loaded from Twitter). That's the only thing you need to fix.

Ok, in that case I assume this is the problem when viewing a forum

> <img src="http://pbs.twimg.com/profile_images/808704406338371584/ZOLm4Azq_normal.jpg" alt="alex26kingpower" itemprop="image">

How do I prevent this being a problem? As I assume quite a few have Twitter photos
marklcfc (Author) Posted December 29, 2016

Also when I log out and log back in my username and password is no longer filled out, I have to type it all out again. Is this normal? As it doesn't happen on here. And adverts don't seem to load (more so on a mobile)
Joy Rex Posted December 29, 2016

> 13 hours ago, PPlanet said:
> Yes, I'm not really sure what it was. I'm not very good at troubleshooting this sort of thing either. For a few hours it went well (even when I think each page load took a tiny bit more in loading probably while the secure connection was negotiated), then when I thought all was fine, I forced the https via .htaccess and submitted it as a new site, new sitemap to Google Webmasters Tools, so unfortunately two things may have happened at once as my site approached peak activity hour. For all I know it could have been Google bots re-indexing the pages. I use one of those shared Cloudflare certificates, not sure if that matters. I even bought 3 certificates (1 for domain and 2 for subdomains) got my host to install them, just to realise later that Cloudflare only allows you to use your own if you upgrade to their business plan ($200 per month, so that's not an option). I could also buy a certificate from them if I knew it was any better than the shared one they let you use for free. (Does anyone know if it's worth it? It's not that expensive, it costs something like 60 bucks or so a year, and it would cover domain and subdomains) In any case, as I asked above, does anyone know how to achieve SSL for logins and admin only using .htaccess? (As I'm still using IPB 3.4) Also using chat for 3.4 will force me to get a way around to connect if I was to have the whole site using SSL (but sadly that problem will be over by May ;))

I'd advise going 100% SSL; Chrome 56 and other browsers will require it in future; otherwise users will get security warnings.

> 11 hours ago, Tarun said:
> Having your entire site using https helps to protect visitors from MITM, XSS and other issues. You can add several layers of additional protection, and also get onto the HSTS preload list as well. https has a very minimal slowdown on page loads. It's worth it, really.

Agreed.

> 2 hours ago, marklcfc said:
> I've made the above changes but I'm seeing a few problems. The board index is secure. Then I enter a forum and that is secure, but then I enter a different forum and that isn't.. also all the topics are not secure.

If you allow your users to post images that are hosted on other sites that don't use HTTPS, this is what is causing the mixed content warnings.
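
The distinction ehren. and Joy Rex draw above (an http:// resource the page loads versus an http:// link or schema.org identifier) can be checked mechanically. This is an added example, not code from the thread or from Invision Community; the `scan` helper, the tag table and the `example.invalid` URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page.
# True = active content, which browsers block on an https page;
# False = passive content (images, media), which triggers the mixed-content warning.
SUBRESOURCES = {
    ("img", "src"): False, ("audio", "src"): False, ("video", "src"): False,
    ("source", "src"): False, ("script", "src"): True, ("iframe", "src"): True,
    ("embed", "src"): True, ("object", "data"): True,
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url): these cause the warning
        self.ignored = []   # (tag, attr, url): links and schema.org identifiers

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, value in attrs.items():
            if not value.lower().startswith("http://"):
                continue
            if (tag, name) in SUBRESOURCES:
                kind = "active" if SUBRESOURCES[(tag, name)] else "passive"
                self.findings.append((kind, tag, value))
            elif (tag, name) == ("link", "href") and "stylesheet" in attrs.get("rel", "").lower().split():
                self.findings.append(("active", tag, value))
            else:
                self.ignored.append((tag, name, value))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings, scanner.ignored

# Constructed sample: first four tags follow the markup quoted in the thread; example.invalid is made up.
SAMPLE = """
<body itemscope itemtype="http://schema.org/WebSite">
<a href="http://mysite.co.uk" data-navItem-id="1" data-navDefault>Home</a>
<ul itemscope itemtype="http://schema.org/BreadcrumbList"></ul>
<img src="http://abs.twimg.com/sticky/default_profile_images/default_profile_6_normal.png" alt="Innovindil" itemprop="image">
<img src="https://example.invalid/logo.png" alt="logo">
<script src="http://example.invalid/widget.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE)[0]:
        print(f"FIX {kind:7} <{tag}> {url}")
```

On the sample, only the Twitter avatar and the script are reported; the `itemtype` values and the `<a href>` land in the ignored list because the browser never fetches them when rendering the page.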
marklcfc (Author) Posted December 29, 2016

Ok, any idea about the log in issue where username/password isn't filled out after the change
opentype Posted December 29, 2016

> 16 minutes ago, marklcfc said:
> Ok, any idea about the log in issue where username/password isn't filled out after the change

Because http://something.com and https://something.com are completely different addresses. Your browser isn’t supposed to share login data across different addresses. That would be a huge security risk.
sweethoney Posted December 29, 2016

It’s the magic of risking everything for a dream that nobody sees but you.
This topic is now archived and is closed to further replies.