
Invision Community Blog


Managing successful online communities

Charles
 

Avoiding Google Security Warnings

Google has recently been stressing that sites should use secure connections (served via HTTPS) whenever possible. They have also recently started warning sites that collect passwords on non-secure pages, and will be updating Google Chrome to warn users when a password is being entered on a non-secure page. You can read more at Google and in a good article on Ars Technica.

There are two ways to avoid these alerts in IPS Community Suite. Keep in mind that doing nothing will not cause you any problems: your site will still work, but users will get warnings, and this may impact how people perceive joining your community.

 

Make your Community 100% Secure

The easiest option is to make every page on your IPS Community Suite use a secure connection. To do this, ensure your web host has HTTPS support enabled on your site, then edit conf_global.php and change the URL field to https://. That's it.

One thing to keep in mind is that your users, if you allow it, can still paste in links to externally hosted images, which might not be secure. This does not impact the security of your site, but it may generate a browser warning indicating that your site has "mixed content", meaning some content is secure and some is not. You can optionally enable the Image Proxy feature to route externally linked images through a proxy on your local server and maintain 100% secure content.


Image Proxy Options

 

Only Login/Registration Forms and AdminCP Secure

If you prefer not to use HTTPS for your entire site, we do have a setting to only use secure connections for login, registration, and AdminCP. 


Use HTTPS for Logins and AdminCP

When the login-only secure option is enabled, the quick login drop-down is also disabled and users are instead sent to a full page to log in. This is a small change required to avoid browser warnings. Although the quick login menu submits to a secure connection, the form field itself may show on a non-secure page, which would generate a warning.


Quick Login not Available when Login-Only HTTPS Setting Enabled

 

IPS Community in the Cloud

Those using IPS CiC can get secure connections for a $15 setup fee plus $5 per month on our 40, 65 and 100 user Cloud plans. You can either bring your own certificate or we can provide one for you. On the 200, 450 and 750 plans, SSL is completely free; again, you can use your own certificate or we can provide one.

Edited by Charles
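
An added example (not from the original post and not IPS code) that checks a page's HTML for the two conditions the article describes: a password field rendered on a non-HTTPS page, and http:// subresources such as member-posted images on an HTTPS page. The `audit` helper, the finding names and the forum.example hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource tags: "active" content is blocked by browsers on HTTPS pages,
# "passive" content typically loads but triggers the mixed-content warning.
SUBRESOURCES = {"img": ("src", "passive"), "audio": ("src", "passive"),
                "video": ("src", "passive"), "source": ("src", "passive"),
                "script": ("src", "active"), "iframe": ("src", "active"),
                "link": ("href", "active")}

# Constructed samples (forum.example etc. are placeholder hosts).
QUICK_LOGIN = ('<form action="https://forum.example/login/">'
               '<input type="password" name="password"></form>')
TOPIC = ('<img src="http://images.example/cat.png"><img src="/uploads/logo.png">'
         '<script src="//cdn.example/app.js"></script>')

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure_page = urlsplit(page_url).scheme == "https"
        self.form_action = None      # resolved action of the enclosing <form>
        self.findings = []           # (kind, url) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            if not self.secure_page:  # field rendered on an HTTP page
                self.findings.append(("password-on-http-page", self.page_url))
            if self.form_action and urlsplit(self.form_action).scheme != "https":
                self.findings.append(("password-posted-over-http", self.form_action))
        elif tag in SUBRESOURCES and self.secure_page:
            attr, kind = SUBRESOURCES[tag]
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return                # e.g. rel=canonical loads nothing
            url = a.get(attr, "")
            if url and urlsplit(urljoin(self.page_url, url)).scheme == "http":
                self.findings.append(("mixed-" + kind, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Return the findings for one page's HTML as served at page_url."""
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

The quick-login sample is flagged on an HTTP page even though its form posts to HTTPS, which is the case the login-only setting avoids by sending users to a full login page.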


Comments



Recommended Comments

Great, I did switch some of my sites to "complete https:" because of that "google warnings", my suites are still working fine on https :)

I noticed, that they are still listed with "http://" in my ACP ("IPS-License Key") and in the Client-Area on InvisionPower.com - is this fine or will this cause problems (License, Autoupgrader, etc)?

Thanks

Edited by TheSonic
Typo

Link to comment
11 minutes ago, TheSonic said:

Great, I did switch some of my sites to "complete https:" because of that "google warnings", my suites are still working fine on https :)

I noticed, that they are still listed with "http://" in my ACP ("IPS-License Key") and in the Client-Area on InvisionPower.com - is this fine or will this cause problems (License, Autoupgrader, etc)?

Thanks

That should be fine, but if you see any issues, just let us know. :) 

Link to comment

Only Login/Registration Forms and AdminCP Secure

If you prefer not to use HTTPS for your entire site, we do have a setting to only use secure connections for login, registration, and AdminCP. 

 

I assume you need to have a SSL purchased on your server for this to work? What about Commerce? Is it covered by this option as well?

Link to comment
Quote

The easiest option is to make every page on your IPS Community Suite use a secure connection. To do this you would need to ensure your web host has HTTPS support enabled on your site and then simply edit conf_global.php and change the URL field to https:// and that's it.

How long does it take for these changes to take effect? Because I've done all this but the https:// URL only works when I manually type it in for a page, it disappears and goes back to the old http:// URL when I browse to another page on my website.

Edit: I've created a support ticket for this (see #973199)

Edited by simonle

Link to comment

I have been running on HTTPS for a longer time but I still got a warning which is caused by the images. I tried to use the proxy settings you are recommending in the article but nothing happened. Should I open a ticket for this? I don't want to annoy the customer support with this kind of issue. ;)

Link to comment

I know it's not the fault of IPS, but the remote image thing is disappointing.  I really like allowing people to post an image URL, but now my site will look unsecure?  I will be getting SSL certificates for both sites this weekend.

Link to comment

@Charles, it looks like swapping the "Image Proxy" immediately caused "Too many connections" error on my site. Is that something to be expected?

I am working with my hosting support to see what I can do. If I can't access the front-end of the site, where should I look to switch this setting in the database?

Edited by Graeme S.

Link to comment
11 minutes ago, opentype said:

(Not existing ones though.)

I wish IPS would add this feature. Xenforo has it built in out of the box. So I know it's possible to go through your old posts and fix them. Yes it works for all the new posts, but we really need it to go through ALL the posts. Please add this feature guys.

Link to comment
Quote

The easiest option is to make every page on your IPS Community Suite use a secure connection. To do this you would need to ensure your web host has HTTPS support enabled on your site and then simply edit conf_global.php and change the URL field to https:// and that's it.

I did just this, and while my site now comes up as secure a whole whack of images (including a custom logo) are now missing.  Placeholders only. :(

Link to comment
On 27/01/2017 at 7:22 PM, nodle said:

I wish IPS would add this feature. Xenforo has it built in out of the box. So I know it's possible to go through your old posts and fix them. Yes it works for all the new posts, but we really need it to go through ALL the posts. Please add this feature guys.

 

Assuming your hosting environment allows it, you can try adding this to your .htaccess file:

<IfModule mod_headers.c>
  Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
</IfModule>

 

It should automatically upgrade any insecure (http) request to https automatically, assuming the user is using an updated web browser that supports this header. In the event that an external resource doesn't support https then it will fail to show, which will preserve your secure status. :)

Link to comment
On 1/28/2017 at 5:19 PM, liquidfractal said:

I did just this, and while my site now comes up as secure a whole whack of images (including a custom logo) are now missing.  Placeholders only. :(

Just in case anyone else has or may have this issue when switching to https, the issue in my case was resolved by adding rewrites to the root folder's .htaccess file:

RewriteCond %{HTTP_REFERER} !^https://liquidfractal.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://liquidfractal.org$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.liquidfractal.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.liquidfractal.org$ [NC]
etc.

 

Link to comment

The easiest option is to make every page on your IPS Community Suite use a secure connection. To do this you would need to ensure your web host has HTTPS support enabled on your site and then simply edit conf_global.php and change the URL field to https:// and that's it.

One thing to keep in mind is that your users, if you allow it, can still paste in links to externally hosted images which might not be secure. This does not impact the security of your site but it may generate a browser warning indicating your site has "mixed content" meaning some is secure and some is not. You can optionally enable the Image Proxy feature to make externally linked images route through a proxy on your local server to maintain 100% secure content.


Image Proxy Options

 

Where is this option under in the admin panel? Thanks.

Link to comment
Quote

When the login-only secure option is enabled the quick login drop down is also disabled and instead users are sent to a full page to login.

In 3.4, enabling https login does not disable quick login. Could anybody please tell me how to disable this?

Link to comment
On 1/29/2017 at 5:29 PM, beeurd said:

 

Assuming your hosting environment allows it, you can try adding this to your .htaccess file:


<IfModule mod_headers.c>
  Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
</IfModule>

 

It should automatically upgrade any insecure (http) request to https automatically, assuming the user is using an updated web browser that supports this header. In the event that an external resource doesn't support https then it will fail to show, which will preserve your secure status. :)

I just added an SSL Certificate to my domain through Godaddy. I edited the URL in the global_config.php file and added the s after the http in the url. I rebuilt all of my cache. And my site still is not coming up on a PC but it does on my iPad.

I have a ticket (#975167) and have heard nothing from them yet. Where do I find my .htaccess file to edit it? I forgot.

Link to comment
