Who uses SSL with XenForo?

Is this the default config? I'm going to test this over the weekend and post it here so we do it together.

Are you on a Red Hat-based distro? I personally recompiled all web-dependent RPMs with 1.0.1c (Nginx, PHP, MariaDB, Sphinx, etc.) and kept the 0.9.8e libs for the OS deps. See why and how I did it in my tutorial.
Default config at the moment. Everything working correctly. All non-SSL images are being converted to SSL via the camo proxy.

No, for this I am running on Ubuntu, so I'm using my own stuff compiled from source.
 
Implementing Node/V8 is a breeze; I would not bother maintaining an RPM, as one is provided by the Node guys.
I was wrong... the Red Hat repo is not maintained at all. They push v8-3.6.6, which is pretty old and compiled with the deprecated scons maker. I compiled v8-3.12.16 yesterday for Red Hat 5 and 6, with Google's GYP. I'm awaiting a reply from the dev team to see if we still need the libv8preparser library. Then I will tackle the nodejs and npm RPMs so we are game for the camo setup.

Anyone made progress on the initial setup? I'm still waiting for some feedback from you guys.
 
I've been running it for months; the only thing you might want to do is remove the FS bit at the bottom, since it doesn't work half the time and is pretty much unnecessary.
 
What I'm trying to determine first is: what is the minimum Python version nodejs wafadmin can run on?
I'm building the nodejs packages for CentOS 5 and I want to make sure it can run on 2.4.3+. There are several scripts that still point to the 2.4 env, so I'm not sure... Thanks for letting me know, guys.
 
I use the Debian stable package, so I won't be of much help there.
 
No prob. I'm awaiting a reply from the nodejs devs; hopefully we will clear up that last part.
Now, back to camo. In their wiki, they post this:
Start the server
% coffee server.coffee

In another shell
% rake

Deployment
% coffee -c server.coffee
% /usr/bin/env PORT=9090 CAMO_KEY="<my application key>" node server.js
This is all Chinese to me, except the node server.js part. What are those coffee commands?
Never mind, it is CoffeeScript; you install it with npm. Can anyone post what exactly they did with camo to set it up? I don't care if it is Debian or another distro, I'll figure it out. :)

For example, what camo key did you use? Is that the SSL certificate key you have on the server?
 
I use a hex key that you can set in the server.js; I don't run the coffee script. What I did is set up monit to check node's status every 5 minutes and reload/restart it if it doesn't respond with a 200.
 
I see... how did you generate the new key, like that?
Code:
$ echo -n 'value' | openssl sha1 -hmac 'mysite.com'
(stdin)= f331eb9012e17e034e52980cca40fa76b1e424bc
I don't think so, the format is: 0x24FEEDFACEDEADBEEFCAFE
Let me know please. I planned to create a wrapper that executes both commands as a daemon. From what I see, the server.coffee does the same thing as server.js: runs as a daemon, processes all predefined params, pid, etc.

You could pass that key (as well as other params) without editing the server.js, no?
Code:
/usr/bin/env PORT=9090 CAMO_KEY="0x24FEEDFACEDEADBEEFCAFE" node server.js
 
> I see... how did you generate the new key, like that?
> Code:
> $ echo -n 'value' | openssl sha1 -hmac 'mysite.com'
> (stdin)= f331eb9012e17e034e52980cca40fa76b1e424bc
> I don't think so, the format is: 0x24FEEDFACEDEADBEEFCAFE
It works for me.
> Let me know please. I planned to create a wrapper that executes both commands as a daemon. From what I see, the server.coffee does the same thing as server.js: runs as a daemon, processes all predefined params, pid, etc.
Right, they do the same thing.
> You could pass that key (as well as other params) without editing the server.js, no?
> Code:
> /usr/bin/env PORT=9090 CAMO_KEY="0x24FEEDFACEDEADBEEFCAFE" node server.js
Possibly, I don't see why you would want to do that, but you can likely do that, yes.
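An added example, not taken from this thread or from the Camo project, to make concrete what the camo key is and what it protects. Camo's README documents the proxied URL form /<digest>/<hex-encoded image URL>, where the digest is the HMAC-SHA1 of the image URL under the CAMO_KEY shared secret; the functions, hostnames and image URLs below are made up for illustration. The key is a secret shared between the forum (which signs the image URLs it emits) and the proxy; it has nothing to do with the TLS certificate key. The last function goes slightly beyond the thread: it is the check the proxy performs on each request, and it shows why a guessable key matters, since anyone who can produce valid digests can make the proxy fetch arbitrary URLs.

```shell
# Added example (not from the thread or the Camo project): generate a Camo key
# and sign image URLs with it, using only openssl and POSIX tools.
# Camo URL scheme (from the Camo README): /<hmac-sha1 hex digest>/<hex of url>.

# Fresh 256-bit random key as hex. This is the value to put in CAMO_KEY;
# it is a shared secret, not the TLS private key.
camo_new_key() {
    openssl rand -hex 32
}

# Hex-encode an arbitrary string (the image URL) byte by byte.
camo_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# HMAC-SHA1 of the URL under the key, as 40 lowercase hex characters.
# awk strips the "(stdin)= " or "SHA1(stdin)= " prefix that different
# openssl versions print in front of the digest.
camo_digest() {
    key="$1"; url="$2"
    printf '%s' "$url" | openssl dgst -sha1 -hmac "$key" | awk '{print $NF}'
}

# Full proxied URL the forum would emit: <base>/<digest>/<hex url>
# (base is a hypothetical camo host, e.g. https://camo.example.org).
camo_url() {
    base="$1"; key="$2"; url="$3"
    printf '%s/%s/%s\n' "$base" "$(camo_digest "$key" "$url")" "$(camo_hex "$url")"
}

# What the proxy does per request: recompute the digest for the decoded URL
# and compare it to the one in the path. Returns 0 for a valid signature,
# 1 otherwise. Without this check (or with a leaked key) camo becomes an
# open fetcher for any host the proxy can reach.
camo_verify() {
    key="$1"; digest="$2"; url="$3"
    [ "$(camo_digest "$key" "$url")" = "$digest" ]
}

# Usage (made-up values):
# KEY=$(camo_new_key)
# camo_url https://camo.example.org "$KEY" http://example.com/pic.png
```

Run it with a POSIX sh and openssl in PATH. The key is generated once and exported to the node process as CAMO_KEY, exactly as in the env line quoted above; keep it out of templates and version control, since the forum only needs it server-side to compute digests.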
 
I was wondering if there are any users who have enabled SSL on their forums.

I recently switched one of my client's SSL to elliptic curves (EC) and the performance gains are simply stunning.
Pages load at least 50% faster, while the server load is reduced. Basically, it is the same type of ciphers used on Google HTTPS sites.

Current setup uses OpenSSL 1.0.1c (EC enabled and combined with Google's 64-bit hacks/patches), Nginx 1.2.0, MariaDB 5.2.12 and PHP 5.3.13 running on CentOS 5.8. The first thing I noticed was the improved time to first byte, under 2000 ms for requests from across the ocean.

As far as I know, I have not seen the elliptic curve ciphers implemented anywhere else besides Google.
Not even Facebook has it, which surprises me a lot.

[Attachments: 29477, 29478, 29479, 29480]

Please let me know what ciphers you use on your site and how you find the overall performance with them.
If you could post some numbers, it will be great.
Do you mind creating tutorials on how to implement SSL/HTTPS fully into XenForo?
 
There is nothing more to do to implement HTTPS than adding an .htaccess redirect to force HTTPS. Most of the above discussion is about trying to optimise the server to deliver HTTPS that minute bit faster.

You change your ACP URL to HTTPS and you force it in your .htaccess... that's it.
 
My problem now is Google AdSense :(
How can I use it on HTTPS without modifying the code?
 
I'm pretty sure nobody besides the Axivo Repository has the Google 64-bit optimization implemented. I think it is done this way just for packaging uniformity; the Google optimization has been available since OpenSSL 1.0.0, but only for 64-bit platforms. Axivo provides only 64-bit packages; nobody runs a serious setup on 32-bit machines. :)

Compared to previous RSA tests on OpenSSL, the Google-optimized ephemeral elliptic curve Diffie-Hellman key exchange over P-224 runs at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster in the 1.0.1c version.

In addition, the implementation is immune to timing attacks. The Axivo SSL setup gets a 90 score on SSL Labs, close to Google's score. Not to bash vBulletin.com, but it is unfortunate they run a weak setup. Even if they get an 88 score, their site is vulnerable to BEAST, DDoS and MITM attacks.

Comparison of keys between the two RPM sets (without EC, FIPS enabled on axivoplus repo and with EC Google optimized for 64bits, FIPS disabled on axivo repo):

[Attachment: 29729]

I've created both packages, in case some people will not be allowed to legally use EC in their country/setup. For example, Google SSL sites do not run a built-in FIPS OpenSSL package mainly because FIPS is not compatible with EC.

If anyone has legal knowledge related to EC usage on a website, I would appreciate some feedback. It will help all of us. Personally, I've put up a disclaimer just to protect myself. Technically, Axivo allows you to install whatever flavor you think is appropriate for your country/website (Debian or Red Hat).
Guess that counts me out at the moment. The KnownHost SSD VPS only has a 32-bit OS :(
 