
XF 1.2 Is it possible to run HTTP and HTTPS side by side?

Discussion in 'XenForo Questions and Support' started by HittingSmoke, Dec 2, 2013.

  1. HittingSmoke

    HittingSmoke Active Member

    I'd like to enable HTTPS for my site. I don't have, and am not quite ready to, get an SSL cert. This would be for the more tech minded people who are comfortable clicking through the cert error in the browser until I get certs in place.

    Unfortunately, it seems all static content is either served through HTTP or HTTPS. It won't detect what protocol the user is connecting with, meaning if you visit via HTTPS then no static content is displayed while the board URL is set to HTTP.

    Is there a way to get XenForo to generate links that are protocol agnostic so when loading from https://example.com then static content is served from https://example.com/static/content.jpg?
     
  2. Jeremy

    Jeremy XenForo Moderator Staff Member

    For one, you shouldn't run https without a certificate. Regardless of who the audience is for.

    Secondly, you will need to modify all link generation to be relative, so protocol remains. Thirdly, it will be easier to serve all images, css, and such over https, but you will still need to modify those calls to include https or use the protocol independent //uri method.
     
  3. HittingSmoke

    HittingSmoke Active Member

    That isn't actually true at all. Having a connection encrypted is beneficial even when you don't need to verify the source like with financial transactions. Not having a certificate doesn't negate any of the pluses of having your connection encrypted to prevent MITM snooping.

    So if I change my board URL to //example.com XenForo will serve the proper URLs over the established protocol or does this require further modification to the board?
     
  4. Jeremy

    Jeremy XenForo Moderator Staff Member

    Not including a protocol only works when you are requesting or including resources. //example.com is not a valid URL.

    Any sensible person will immediately leave a site when they get the warning about no certificate. If you want to run SSL and serve your site over HTTPS, you should do it properly and get a certificate.
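
Added example, not part of any post in this thread and not XenForo code: it shows how a browser resolves the scheme-less `//host/path` form and root-relative paths against the page URL, and which references on an HTTPS page would still be fetched over HTTP. The markup and the paths other than `/static/content.jpg` are constructed for illustration.

```javascript
// Added example. Markup and paths below are constructed for illustration.
// Matches subresource tags only; <a href> is navigation, not mixed content.
const RESOURCE_ATTR =
  /<(img|script|link)\b[^>]*?\b(src|href)\s*=\s*["']([^"']+)["']/gi;

// A string is an absolute URL only if it parses without a base URL.
function isAbsoluteUrl(s) {
  try { new URL(s); return true; } catch (e) { return false; }
}

// Resolve a reference against the page URL the way a browser does.
function resolveReference(ref, pageUrl) {
  return new URL(ref, pageUrl).href;
}

// List the subresources an HTTPS page would request over plain HTTP.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages have mixed content
  const findings = [];
  for (const [, tag, , ref] of html.matchAll(RESOURCE_ATTR)) {
    const resolved = new URL(ref, page);
    if (resolved.protocol === 'http:') {
      findings.push({ tag: tag.toLowerCase(), ref, resolved: resolved.href });
    }
  }
  return findings;
}

// Constructed sample page: one hard-coded http:// link, the rest scheme-less.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://example.com/static/style.css">
<script src="//example.com/static/app.js"></script>
<img src="/static/content.jpg">
<img src="styles/logo.png">
<a href="http://example.com/threads/1/">thread</a>
`;

// A scheme-less reference has no meaning until it is resolved against a page.
console.log('//example.com absolute?', isAbsoluteUrl('//example.com'));
for (const base of ['http://example.com/forum/', 'https://example.com/forum/']) {
  console.log(base, '->', resolveReference('//example.com/static/content.jpg', base));
  console.log('  mixed content:', findMixedContent(SAMPLE_HTML, base));
}
```

Only the stylesheet with the hard-coded `http://` scheme is reported on the HTTPS page; the scheme-less and relative references follow whichever protocol the page was loaded with.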
     
  5. HittingSmoke

    HittingSmoke Active Member

    That's like saying any sensible person will immediately leave a site that isn't encrypted. It's not inherently less secure to access a site over HTTPS without a valid cert than it is to access a site unencrypted. If unencrypted connections are 0 and valid certs are 2 then encrypted with a self-signed cert is a 1. It is inherently better than an unencrypted connection just by virtue of being encrypted.

    I'm so sick of this "valid" certificate fear mongering. As if a respected cert authority has never had their private key leaked or had fake certs reverse-engineered. There are absolutely great reasons to serve your web site over an encrypted connection without it being signed by a third party certificate issuer. Anyone who says otherwise doesn't understand a thing about the web. Just because your browser gives you a warning doesn't make it bad. Understand the underlying technology before you make statements like "any sensible person would...".
     
  6. Jeremy

    Jeremy XenForo Moderator Staff Member

    Did I say anything about using a third party? You can create a valid certificate yourself and avoid the errors. If a site owner cannot do that, I am perfectly fine leaving their site forever.

    Expecting to hit a site over SSL and not receive a certificate error isn't fear mongering. Those warnings and errors are in place for a reason.
     
  7. HittingSmoke

    HittingSmoke Active Member

    Self-signed certificates still produce browser warnings. You have to go through a THIRD PARTY certificate authority to get one that is "trusted" or you will get a warning. Furthermore, I explained in detail in my last post why one would be willing to use HTTPS through a certificate warning but instead of explaining why that isn't the case you just say it isn't fear mongering to not expect a certificate warning in the browser. They're "in place of a reason" isn't a valid argument against my point unless you can explain in detail why you believe it to be correct.

    I'm not sure you completely understand how SSL certs work. I don't want to have an argument. I asked a very specific question about the functionality of XenForo on a support forum. If you think an untrusted cert warning is cause to turn away from a site while every day you browse unencrypted sites then that's on you. I'm obviously not going to change your mind on the subject and I'm not going to write up an essay to explain why you're wrong. If you can't just provide an answer that is within the scope of how XenForo as a web app generates URLs internally then I'd request that you leave this thread to someone who can. This has become the opposite of helpful.
     
