Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Awesome Donkey]

I didn't know where to post this, so I'll post it here for now.

For the fun of it, I've been testing this morning using the forums with its HTTPS address. For the most part, it's actually working pretty good, but I do notice a couple issues...

1. I can't set a HTTPS link for my avatar. I try to change my avatar's URL address from http://i.imgur.com/7u4jHqt.png to https://i.imgur.com/7u4jHqt.png (which is a valid link) causes the forum to reset to using no avatar at all. Reverting back to the HTTP link works. This is a known issue with SMF, which can be worked around: https://www.simplemachines.org/community/index.php?topic=551556.0 and http://www.simplemachines.org/community/index.php?topic=541642.0

2. The mixed content warnings. This is the big one, but it can be worked around as well. For SMF 2.0 an image proxy can be used. Or you guys can wait for SMF 2.1, which will support this built-in (when this is released as stable, is anyone's guess).

If those two issues are worked around, you can actually force enable HTTPS as the default for the forums.

The main site? IMO, I've done some testing there and everything looks good. You guys *could* force enable HTTPS on the main site already!

[bob]

I didn't know where to post this, so I'll post it here for now.

For the fun of it, I've been testing this morning using the forums with its HTTPS address. For the most part, it's actually working pretty good, but I do notice a couple issues...

1. I can't set a HTTPS link for my avatar. I try to change my avatar's URL address from http://i.imgur.com/7u4jHqt.png to https://i.imgur.com/7u4jHqt.png (which is a valid link) causes the forum to reset to using no avatar at all. Reverting back to the HTTP link works. This is a known issue with SMF, which can be worked around: https://www.simplemachines.org/community/index.php?topic=551556.0 and http://www.simplemachines.org/community/index.php?topic=541642.0

2. The mixed content warnings. This is the big one, but it can be worked around as well. For SMF 2.0 an image proxy can be used. Or you guys can wait for SMF 2.1, which will support this built-in (when this is released as stable, is anyone's guess).

If those two issues are worked around, you can actually force enable HTTPS as the default for the forums.

The main site? IMO, I've done some testing there and everything looks good. You guys *could* force enable HTTPS on the main site already!

Thanks for testing it. I'll probably do this soon. I noticed the mixed content stuff from the avatars, the image proxy seems like a reasonable solution.

[Awesome Donkey]

Another 'issue" I've noticed in Mozilla Firefox and Microsoft Edge (Google Chrome and Vivaldi is fine) is when I changed my bookmarks to the front page and the forums to HTTPS, it changed the favicons to a more brighter/vibrant version of the MC logo. It's strange, as for a while now I've noticed the favicons would randomly change in both of those browsers, but would revert back to the 'normal' favicon (which it didn't after changing the links to HTTPS). Hopefully there isn't two clashing favicons there.

Normal (Chrome, Vivaldi):



Strange (Firefox, Edge):



Basically they're inconsistent, when they should be consistent (in my opinion). It only affects the favicons for bookmarks, not the favicon in the tab (which appears normal).

Strange, huh?

[glynor]

For the record, I've been using HTTPS on Interact for more than a year. No substantial issues other than the mixed content issue (which Firefox doesn't make too much noise about so I ignore it).

[Hendrik]

I switched all my bookmarks to HTTPS a while ago as well, and as glynor the only issue that comes up is mixed content occasionally - and Chrome also doesn't make much noise about that, other then forgoing the green lock in the address bar.

[bob]

I'm going to be working on changing the forum today to redirect to https and fix those issues so there may be some interruptions.

[Awesome Donkey]

Best of luck!

Are you going to mod SMF to allow HTTPS links for avatars? That'd certainly would help a lot.

[bob]

Best of luck!

Are you going to mod SMF to allow HTTPS links for avatars? That'd certainly would help a lot.

Yes.
I've now forced it to https with a permanent redirect.
Next are the avatars.

[bob]

Yes.
I've now forced it to https with a permanent redirect.
Next are the avatars.

Ok, the avatars seem to work. My baseball one is loading offsite from a https now.

[bob]

Ok, the avatars seem to work. My baseball one is loading offsite from a https now.

Though there seems to be a bug in the theme code somewhere.
When I use the avatars from the forum, they appear in the header by the "Show unread posts..." etc.
When I use an offsite one, the header avatar goes away.

[Awesome Donkey]

Yep, confirmed. For example when trying to view my broken avatar, the link goes to https://yabb.jriver.com/interact/YaBBImages/avatars/https://i.imgur.com/7u4jHqt.png which doesn't exist (and is two URLs mixed).

Is there going to be an image proxy? That *should* get around images being served from only HTTP.

[bob]

Yep, confirmed. For example when trying to view my broken avatar, the link goes to https://yabb.jriver.com/interact/YaBBImages/avatars/https://i.imgur.com/7u4jHqt.png which doesn't exist (and is two URLs mixed).

Is there going to be an image proxy? That *should* get around images being served from only HTTP.

Yes, the image proxy is the next step however the bug you mentioned above should be fixable without that.
The avatar shows up fine in the message threads, it's only in the header that it's broken and that is a bug for all external URL's as far as I can see, not just the https ones.

[Awesome Donkey]

Just found out SMF 2.0.14 was released a couple weeks ago and it supports image proxy and HTTPS avatars! https://www.simplemachines.org/community/index.php?topic=553855.0 - I'd revert the 2.0.13 changes to support HTTPS avatars (since it *could* break upgrading) and try the upgrade and image proxy + HTTPS avatars.

That *should* hopefully address it once and for all.

[bob]

Just found out SMF 2.0.14 was released a couple weeks ago and it supports image proxy and HTTPS avatars! https://www.simplemachines.org/community/index.php?topic=553855.0 - I'd revert the 2.0.13 changes to support HTTPS avatars (since it *could* break upgrading) and try the upgrade and image proxy + HTTPS avatars.

That *should* hopefully address it once and for all.

Yes, I just tested it on our other forum and it seems to work fine.
Will back out the changes and upgrade this one...

[Awesome Donkey]

Good luck!

[bob]

Good luck!

Should be running now!

[Awesome Donkey]

Yep, the avatar works good now (and the avatar next to unread posts too, YAY!). Is the image proxy enabled? Still getting a mixed content warning here. Also there's a little something about it here: https://www.simplemachines.org/community/index.php?topic=553863.0

Excellent work, as always!

[bob]

Yep, the avatar works good now (and the avatar next to unread posts too, YAY!). Is the image proxy enabled? Still getting a mixed content warning here. Also there's a little something about it here: https://www.simplemachines.org/community/index.php?topic=553863.0

Excellent work, as always!

Just enabled the proxy.
Thanks!

[Awesome Donkey]

Working great now.

Welcome to the HTTPS/TLS train, everyone!

You guys can probably announce this somewhere since many would consider it a big deal.

[bob]

 

[Awesome Donkey]

Just checked all the links on the main site (including the Wiki) and looks like everything is using HTTPS now.

Does the http://files.jriver.com/ subdomain redirect to HTTPS for downloads? Might need to edit/change links to reflect HTTPS (and make sure MC itself can download updates from HTTPS). If it doesn't redirect, it might be good to jump to using HTTPS for downloads/updates in MC23.

But yeah, looks like everything is covered too. SMF's image proxy looks like it's fully working without issue too.

[Hendrik]

Files are hosted on Amazon, a bit more involved to get a correct https setup going for that.

[bob]

The update broken login (no problem if you never logout!).
It's fixed now.

[Hendrik]

Someone is having trouble with his avatar:
https://yabb.jriver.com/interact/index.php/topic,111021.0.html

[Awesome Donkey]

If he still has the source image, I can do some experimenting - I didn't test any GIFs though, but it *should* work if they're uploaded to a image sharing service like Imgur. I'll test it here in a second.

EDIT: GIFs work fine.

I guess I could write up a quick avatar tutorial if it's needed.

[marko]

I think I managed to sort mine this morning. See glynor's has gone awol too...

[Awesome Donkey]

Ah, you're right. Looks like the image proxy isn't working right now with a ERR_EMPTY_RESPONSE error.

Paging Bob!

[rudyrednose]

Thank you Bob, and everyone who pitched in...

[JimH]

Thank you Bob, and everyone who pitched in...

There's more security news here:
https://yabb.jriver.com/interact/index.php/topic,110982.0.html

[bob]

Ah, you're right. Looks like the image proxy isn't working right now with a ERR_EMPTY_RESPONSE error.

Paging Bob!

Ok, it's good now.
Thanks for the report.

[Awesome Donkey]

Confirmed, fixed!