1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Potential issues with site-wide SSL

Discussion in 'General XenForo Discussion and Feedback' started by KenSmith, Aug 20, 2013.

  1. KenSmith

    KenSmith Active Member

    I was thinking about implementing https sitewide when I finish my conversion to XenForo, but I wonder what kinds of headaches I will have.

    For example, the recently released Firefox 23 blocks any active content requested via http from an https page.

    For XenForo, I assume if users embed a YouTube video, the Iframe src will be http, and the content would be blocked.

    I can't test that in the test forum here, because XenForo.com redirects https requests back to http.
    And I don't have a real certificate yet to test on my site.

    Is anyone running all-SSL at the moment? What kinds of issues have you had?
  2. Jeremy

    Jeremy Well-Known Member

    Digital Point runs SSL.
  3. digitalpoint

    digitalpoint Well-Known Member

    No issues I know about... YouTube, Facebook and Vimeo we embed as HTTPS... {shrug}
  4. KenSmith

    KenSmith Active Member

    Sounds promising. Did you have to change the embed codes for that, or is it ready out of the box?
  5. digitalpoint

    digitalpoint Well-Known Member

    I think I just removed the "http:" part of the embed URL was all. Then it just uses whatever protocol your site is using.
    KenSmith likes this.
  6. Jesepi

    Jesepi Well-Known Member

    Skimlinks doesn't handle https currently if you use that. Not sure about viglink.
  7. SamL

    SamL Active Member

    I run site-wide SSL on my small private forum. No real issues and I redirect http to https. The BB Code Media Sites settings are the only things I had to change.

    I edited the BB Code for each media site from http to httpS in each the site URL and the iframe. It seems to work fine, and threads that contain media links keep the ssl-lock-icon when just viewing the thread. If you play one of the embedded videos, each Chrome and Firefox drop the lock icon because the bitstream data itself is delivered via http even though it was requested from an https URL(details below). But as soon as I navigate away from the thread where I watched the video back to the index or any other thread, the lock icon returns and everything works fine.

    Here's the statement from the YT API blog about it. -
    After a little more research, I found a workaround for this minor annoyance via an .htaccess re-write, as is described here. But I haven't gotten around to trying it yet.

    It seems as though there is a very limited number of XF sites using https. It'll be interesting to see if there are more in the future.
  8. Da Bookie Mon

    Da Bookie Mon Well-Known Member

    I run all SSL too. In fact my Facebook forum I been working on runs double SSL, still with no issues as I run my own domain in SSL within a iframe of https://apps.facebook.com
  9. Puntocom

    Puntocom Well-Known Member

    I also run all SSL with NginX with this config and it works perfectly.
  10. silence

    silence Well-Known Member

    I run my site on HTTPS using camo-go to proxy all images. The mod is somewhere on the XF forum.
  11. DRE

    DRE Well-Known Member

    I have forced SSL and I've had to make so many changes last night it was exhausting. Now I gotta change my bbcodes too?
  12. silence

    silence Well-Known Member

    What? Just change 'http' to 'https' I don't see any issue? The regex should pickup any youtube link and parse it.
  13. DRE

    DRE Well-Known Member

    I have a lot of bb codes.
  14. silence

    silence Well-Known Member

    Oh lol did you just switch to https?
  15. DRE

    DRE Well-Known Member

    Yeah last night. My site feels different. Not used to seeking a lock icon while browsing from phone or computer. Pretty cool.
    silence likes this.
  16. DRE

    DRE Well-Known Member

  17. Mick West

    Mick West Well-Known Member

    I just made the change to full https today. There were a few issues to remove the mixed content warnings.
    • Lots of internal images, via my metamirror addon. I used the "replace in posts" tool to change all http://www.metabunk.org to https://www.metabunk.org. This took a few goes, as there were so many links.
    • Youtube etc needed the http: removed from the bb code, as above.
    • XenPorta post extracts on the front page still had the old image links, so I had to go to each one, then re-promote them from the promote options.
    • Don't forget the Board URL in Basic Board Information options.
    • Thread Thumbnails by Waindigo caches links to images. I've not figured out how to flush them yet.
    But really quite trouble free. I can highly recommend it. Secure logins and browsing, nice green icon in Chrome, no noticeable speed change. Certificate was only $8/yr from Namecheap/Comodo. If you go with www.metabunk.org, they automatically add metabunk.org,
  18. silence

    silence Well-Known Member

    I do this for my SSL certificate:
    Get a premium subscription with CloudFlare.com ($25) or Incapsula.com ($9) and they give you a WILDCARD SSL certificate with a subscription. You get that plus all their caching features and supposed "security" measures.
  19. DRE

    DRE Well-Known Member

    Site wide SSL killed the htaccess rewrite rules I made for my site in Better Blogs so I disabled it.

    Plus you need multiple domain SSL which is more expensive to use the vanity urls feature of Better Blogs or else you''ll get warnings.

    Sucks cause I really liked SSL. Made my site feel all professional and ish.
  20. Mick West

    Mick West Well-Known Member

    I actually dumped the free Cloudflare so I could use SSL cheaply. CF never really provided me with much noticeable benefit. The limiting factor seems to be dynamic pages, which CF does not cache. And after dropping CF and adding SSL, my site actually is a bit faster. YMMV. I'm on a 2GB Linode ~200 "Members online now", ~5,000 to 10,000 visitors a day, not that big compared to some.,

Share This Page