• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Potential issues with site-wide SSL

KenSmith

Active member
#1
I was thinking about implementing https sitewide when I finish my conversion to XenForo, but I wonder what kinds of headaches I will have.

For example, the recently released Firefox 23 blocks any active content requested via http from an https page.

For XenForo, I assume if users embed a YouTube video, the Iframe src will be http, and the content would be blocked.

I can't test that in the test forum here, because XenForo.com redirects https requests back to http.
And I don't have a real certificate yet to test on my site.

Is anyone running all-SSL at the moment? What kinds of issues have you had?
 

SamL

Active member
#7
I run site-wide SSL on my small private forum. No real issues and I redirect http to https. The BB Code Media Sites settings are the only things I had to change.

I edited the BB Code for each media site from http to httpS in each the site URL and the iframe. It seems to work fine, and threads that contain media links keep the ssl-lock-icon when just viewing the thread. If you play one of the embedded videos, each Chrome and Firefox drop the lock icon because the bitstream data itself is delivered via http even though it was requested from an https URL(details below). But as soon as I navigate away from the thread where I watched the video back to the index or any other thread, the lock icon returns and everything works fine.

Here's the statement from the YT API blog about it. -
Taken from YT API Blog said:
It’s very important to note that this is just a first step in enabling HTTPS for the entire YouTube viewing experience. In particular, only the YouTube player code is accessible via HTTPS at this time. The actual video bitstream, and some additional content loaded by the YouTube player may still be accessed via standard HTTP connections when you use an HTTPS URL in your embed code. Also note that HTTPS remains optional for YouTube embeds; we have no plans to turn off support for the HTTP URLs.
After a little more research, I found a workaround for this minor annoyance via an .htaccess re-write, as is described here. But I haven't gotten around to trying it yet.

It seems as though there is a very limited number of XF sites using https. It'll be interesting to see if there are more in the future.
 

DRE

Well-known member
#11
I run site-wide SSL on my small private forum. No real issues and I redirect http to https. The BB Code Media Sites settings are the only things I had to change.

I edited the BB Code for each media site from http to httpS in each the site URL and the iframe. It seems to work fine, and threads that contain media links keep the ssl-lock-icon when just viewing the thread. If you play one of the embedded videos, each Chrome and Firefox drop the lock icon because the bitstream data itself is delivered via http even though it was requested from an https URL(details below). But as soon as I navigate away from the thread where I watched the video back to the index or any other thread, the lock icon returns and everything works fine.

Here's the statement from the YT API blog about it. -


After a little more research, I found a workaround for this minor annoyance via an .htaccess re-write, as is described here. But I haven't gotten around to trying it yet.

It seems as though there is a very limited number of XF sites using https. It'll be interesting to see if there are more in the future.
I have forced SSL and I've had to make so many changes last night it was exhausting. Now I gotta change my bbcodes too?
 

silence

Well-known member
#12
I have forced SSL and I've had to make so many changes last night it was exhausting. Now I gotta change my bbcodes too?
What? Just change 'http' to 'https' I don't see any issue? The regex should pickup any youtube link and parse it.
 

Mick West

Well-known member
#17
I just made the change to full https today. There were a few issues to remove the mixed content warnings.
  • Lots of internal images, via my metamirror addon. I used the "replace in posts" tool to change all http://www.metabunk.org to https://www.metabunk.org. This took a few goes, as there were so many links.
  • Youtube etc needed the http: removed from the bb code, as above.
  • XenPorta post extracts on the front page still had the old image links, so I had to go to each one, then re-promote them from the promote options.
  • Don't forget the Board URL in Basic Board Information options.
  • Thread Thumbnails by Waindigo caches links to images. I've not figured out how to flush them yet.
But really quite trouble free. I can highly recommend it. Secure logins and browsing, nice green icon in Chrome, no noticeable speed change. Certificate was only $8/yr from Namecheap/Comodo. If you go with www.metabunk.org, they automatically add metabunk.org,
 

silence

Well-known member
#18
I just made the change to full https today. There were a few issues to remove the mixed content warnings.
  • Lots of internal images, via my metamirror addon. I used the "replace in posts" tool to change all http://www.metabunk.org to https://www.metabunk.org. This took a few goes, as there were so many links.
  • Youtube etc needed the http: removed from the bb code, as above.
  • XenPorta post extracts on the front page still had the old image links, so I had to go to each one, then re-promote them from the promote options.
  • Don't forget the Board URL in Basic Board Information options.
  • Thread Thumbnails by Waindigo caches links to images. I've not figured out how to flush them yet.
But really quite trouble free. I can highly recommend it. Secure logins and browsing, nice green icon in Chrome, no noticeable speed change. Certificate was only $8/yr from Namecheap/Comodo. If you go with www.metabunk.org, they automatically add metabunk.org,
I do this for my SSL certificate:
Get a premium subscription with CloudFlare.com ($25) or Incapsula.com ($9) and they give you a WILDCARD SSL certificate with a subscription. You get that plus all their caching features and supposed "security" measures.
 

DRE

Well-known member
#19
Site wide SSL killed the htaccess rewrite rules I made for my site in Better Blogs so I disabled it.

Plus you need multiple domain SSL which is more expensive to use the vanity urls feature of Better Blogs or else you''ll get warnings.

Sucks cause I really liked SSL. Made my site feel all professional and ish.
 

Mick West

Well-known member
#20
I do this for my SSL certificate:
Get a premium subscription with CloudFlare.com ($25) or Incapsula.com ($9) and they give you a WILDCARD SSL certificate with a subscription. You get that plus all their caching features and supposed "security" measures.
I actually dumped the free Cloudflare so I could use SSL cheaply. CF never really provided me with much noticeable benefit. The limiting factor seems to be dynamic pages, which CF does not cache. And after dropping CF and adding SSL, my site actually is a bit faster. YMMV. I'm on a 2GB Linode ~200 "Members online now", ~5,000 to 10,000 visitors a day, not that big compared to some.,