JohnCourt Posted April 3, 2018
Dear folks, our Facebook login no longer functions. I have created a new login app at the Facebook Dev panel, and upon logging into our community via Facebook, we are confronted with an error message: "Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://". I have never had an SSL cert for our community; do I really need one to use the Facebook login? And if I do need one, are there any unintended behaviors I may experience in our community with a new SSL? Thanks!
RevengeFNF Posted April 3, 2018
You can use SSL without any issue. In fact you can check that this community is under SSL. You can get free certificates with Let's Encrypt.
opentype Posted April 3, 2018
The whole web is moving to SSL. You will have to switch eventually. The sooner the better. IPS 4.2 makes the transition as easy as possible, e.g. by rewriting existing images and delivering them locally over SSL.
JohnCourt (Author) Posted April 4, 2018
Thanks to both for your feedback, greatly appreciated! With the SSL my domain will change from http to https, correct? If so, will all the links I have spread throughout the www be broken?
Aiwa Posted April 4, 2018
10 minutes ago, JohnCourt said: "If so, all my links I have spread throughout the www will be broken?"
Not if your virtual host is set up to redirect http requests to https.
JohnCourt (Author) Posted April 4, 2018
14 minutes ago, Aiwa said: "Not if your virtual host is set up to redirect http requests to https."
Thanks!
RevengeFNF Posted April 4, 2018
5 hours ago, Aiwa said: "Not if your virtual host is set up to redirect http requests to https."
Or he can enable HSTS to tell the client browser to always use https. The best solution is to use both, the redirect and HSTS.
The Old Man Posted April 4, 2018
If it helps, from my .htaccess file:

#Force HSTS:
# Sent on every response, but browsers only honour HSTS received over https
# (RFC 6797). includeSubDomains and preload commit every subdomain to https
# for a year and are hard to withdraw once submitted to the preload list.
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

Good advice: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Force the https version of the site with a 301 Permanent Redirect (advisory to search engines); just rename the 2 host lines to your own:

#Force https:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^millennium-thisiswhoweare\.net [NC]
# Matches the plain-http vhost on port 80; behind a TLS-terminating proxy
# "RewriteCond %{HTTPS} off" is the usual alternative.
RewriteCond %{SERVER_PORT} 80
# Leave cPanel/Comodo DCV files and ACME (Let's Encrypt) challenge paths
# out of the redirect so certificate validation is served directly.
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^(.*)$ https://millennium-thisiswhoweare.net/$1 [R=301,L]

Optional - enforce the non-www version of the site, again with a 301 Permanent Redirect:

#Force non-www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.millennium-thisiswhoweare\.net [NC]
# Same validation-path exclusions as above.
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^(.*)$ https://millennium-thisiswhoweare.net/$1 [L,R=301]
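As an added example (not code from the thread or from any poster), here is a small offline checker, in Python, for the two pieces of advice above: the 301 redirect from http to https and the HSTS header. It parses a Strict-Transport-Security value the way RFC 6797 describes, lists why a policy would be refused by the browser preload list, and checks that a plain-http request was answered with a permanent redirect to the same host and path on https. The host example.test and the response samples are constructed for the example; it does not make network requests.

```python
"""Offline checker for an http->https redirect and an HSTS policy.

Added example, not part of the thread; sample responses are constructed.
"""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the max-age in the .htaccess above, and the preload minimum


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}.
    Raises ValueError for the malformed cases a browser would reject.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            # RFC 6797: a directive MUST NOT appear more than once
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"')
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_problems(policy):
    """Reasons a parsed policy would not be accepted for the preload list (empty when eligible)."""
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append("max-age below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload token missing")
    return problems


def check_http_redirect(request_url, status, headers):
    """Plain-http side: expect a 301 to the same host and path on https.

    Returns a list of findings; an empty list means the redirect looks right.
    """
    findings = []
    req = urlsplit(request_url)
    if status != 301:
        findings.append(f"expected 301, got {status}")
    location = headers.get("Location")
    if location is None:
        findings.append("no Location header")
        return findings
    loc = urlsplit(location)
    if loc.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if loc.hostname != req.hostname:
        findings.append(f"redirect changes host {req.hostname} -> {loc.hostname}")
    if loc.path != req.path:
        findings.append(f"redirect drops path {req.path} -> {loc.path}")
    if "Strict-Transport-Security" in headers:
        # RFC 6797 section 8.1: HSTS received over plain http is ignored, so the
        # header only does anything on the https response.
        findings.append("HSTS on an http response is ignored by browsers")
    return findings


def check_https_response(status, headers):
    """https side: expect a 200 carrying a well-formed HSTS policy of at least one year."""
    findings = []
    if status != 200:
        findings.append(f"expected 200, got {status}")
    value = headers.get("Strict-Transport-Security")
    if value is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        findings.append(f"malformed HSTS header: {exc}")
        return findings
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below one year")
    findings.extend(preload_problems(policy))
    return findings


# Constructed exchange for the hypothetical host example.test, modelled on the
# .htaccess above: the http request, its 301, then the https response.
SAMPLE_HTTP = ("http://example.test/forums/topic/1-hello/", 301,
               {"Location": "https://example.test/forums/topic/1-hello/"})
SAMPLE_HTTPS = (200, {"Strict-Transport-Security":
                      "max-age=31536000; includeSubDomains; preload"})

if __name__ == "__main__":
    print("http findings:", check_http_redirect(*SAMPLE_HTTP))
    print("https findings:", check_https_response(*SAMPLE_HTTPS))
```

Feed it the status and headers you get from a real request to the http and https URLs of your own site; an empty findings list on both sides means the redirect and the policy match what the thread recommends. Because preload plus includeSubDomains is effectively permanent, it is worth confirming every subdomain already serves https before adding those two tokens.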
JohnCourt (Author) Posted April 15, 2018
Thank you for all the great direction here. From reading I also understand we can make either our entire community SSL or just the login and commerce pages. I do not have any commerce in our community; no credit cards are exchanged through our community. With that being said, should I only enable SSL for logging in to the community? We want to protect personal information such as emails and login information. From what I have read, enabling SSL site-wide also uses valuable resources?
opentype Posted April 15, 2018
3 minutes ago, JohnCourt said: "With that being said, should I only enable SSL for logging in to the community?"
No. And that option is removed anyway with 4.3.
3 minutes ago, JohnCourt said: "We want to protect personal information such as emails and login information."
Exactly. That’s why everything needs to be SSL. If you don’t have it, recent browsers will actively warn your users and tell them your site is insecure.
3 minutes ago, JohnCourt said: "From what I have read, enabling SSL site-wide also uses valuable resources?"
That’s mostly a myth.
Meddysong Posted May 1, 2018
No, I don't think so. I've been getting that one a lot over the past week or so and I'm on SSL.
O9C4 Posted May 1, 2018
Updated the Valid OAuth Redirect URIs (Facebook Login\Settings) to the value given in the Guides:
4. Go to the Products > Facebook Login > Settings tab from the left sidebar. In the Valid OAuth redirect URIs field enter the value shown in your AdminCP, which will be your community's URL ending with "/oauth/callback/" on the end. You must click Save Changes at the bottom to save this.
Then the first error appeared again: still nothing changed, and the error remains. It looks like it is all about SSL.
From the Facebook docs:
"Use HTTPS. Use HTTPS, instead of HTTP, as an internet protocol, because it uses encryption. HTTPS keeps transmitted data private and guards against eavesdropping attacks. It also prevents data from being tampered with during transmission by, for example, introducing advertisements or malicious code." https://developers.facebook.com/docs/facebook-login/security/#https
and:
"Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt."
Has anyone tried to obtain a free certificate for your domain(s) from Let's Encrypt?
Meddysong Posted May 1, 2018
4 minutes ago, O9C4 said: "Has anyone tried to obtain a free certificate for your domain(s) from Let's Encrypt?"
I didn't use Let's Encrypt, but I watched a YouTube video yesterday on uploading a free certificate from sslforfree.com to cPanel and then uploaded several certificates without a problem:
This topic is now archived and is closed to further replies.