vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   Forcing vBulletin to use HTTPS (https://vborg.vbsupport.ru/showthread.php?t=274711)

IndigoSociety 11-27-2011 10:47 AM
Forcing vBulletin to use HTTPS
 
How would I convert my forum to run on HTTPS instead of HTTP?

Does vBulletin support this mainly out of the box? I can't find anything on this besides a "hacky" vbulletin.com forum post.

private_ale 11-27-2011 06:34 PM
It supports it. I would personally wait until the release of 4.1.10 as it fixes a inline-moderation bug relating to HTTPS. The only really vB-specific thing to change is the relevant values in the Site Name / URL / Contact Details section of the ACP to use "https://" instead of "http://".

Since you've omitted a good chunk of information (webserver configuration & control panel, if any) no one is going to be a able to help much.. So you'll have to contact your host about that. You will need a private IP address and a valid certificate, though.

It's not difficult.

techtech3d 06-03-2014 04:27 PM
This is a great question.

I've changed the Site links to https.

However the login box does not pop up in Firefox, Chrome, and IE as they all believe it's a security concern of http mixing with https.

In my .htaccess file I've forced all to https but no luck. I have PHP 5.4 running with Vbulltein 4.2.1 on a Linux setup.

Any ideas? (Clean browsers were used on various machines.)

squidsk 06-03-2014 07:55 PM
You likely have either a self-signed SSL certificate or a certificate that is not issued by a signing authority that is recognized by those web browsers, which means that every user will at least once be forced to see the message and click to continue on anyways.

techtech3d 06-08-2014 10:34 PM
@squidsk

Wanted to update. The HTTPS site was pulling an HTTP located ajax script.

Thus the browsers went crazy as HTTP and HTTPS were mixed for the users.

Thanks for the help!

tbworld 06-09-2014 12:09 AM
Quote:
Originally Posted by techtech3d (Post 2500561)
I have PHP 5.4 running with Vbulltein 4.2.1 on a Linux setup.
Just a reminder:

vb4.2.1 <--> php 5.3
vb4.2.2 <--> php 5.3, php 5.4

Unless you have personally modified your vb4.2.1 code you will run into some problems. :)

Dave 06-09-2014 08:38 AM
You also have to keep in mind that if any of your users include any images or external resources in their post, it will "break" the HTTPS since most of the time those external resources are being loaded over HTTP instead of HTTPS.

CAG CheechDogg 06-09-2014 03:11 PM
Quote:
Originally Posted by Dave (Post 2501225)
You also have to keep in mind that if any of your users include any images or external resources in their post, it will "break" the HTTPS since most of the time those external resources are being loaded over HTTP instead of HTTPS.
That is not true with images, with scripts it is, but images will still load fine if they are served from http instead of https ...

Dave 06-09-2014 03:49 PM
Quote:
Originally Posted by CAG CheechDogg (Post 2501264)
That is not true with images, with scripts it is, but images will still load fine if they are served from http instead of https ...
Of course it will load fine, but that doesn't mean your HTTPS connection is secure if you load HTTP images of an external server.

CAG CheechDogg 06-09-2014 06:29 PM
From what I understand, only those elements which are not on https are not encrypted, everything else that is behind https is .. unless you have actual documentation that what you are saying is true the purpose of having "your" content or elements behind https is for just that, to encrypt that which is behind https...

Dave 06-09-2014 06:57 PM
Quote:
Originally Posted by CAG CheechDogg (Post 2501301)
From what I understand, only those elements which are not on https are not encrypted, everything else that is behind https is .. unless you have actual documentation that what you are saying is true the purpose of having "your" content or elements behind https is for just that, to encrypt that which is behind https...
It's highly unlikely that someone will perform a MITM attack with mixed content, but it is possible. I'm talking about external resources though. (resources which are not hosted on the current domain)

http://www.troyhunt.com/2013/06/unde...d-content.html
https://support.google.com/chrome/answer/1342714?hl=en
https://community.qualys.com/blogs/s...y-to-break-ssl
http://webmasters.stackexchange.com/...-https-session
http://www.securitee.org/files/mixedinc_isc2013.pdf

CAG CheechDogg 06-09-2014 08:05 PM
Correct, but even images hosted on external domains behind only http dont do any harm, they are categorized as passive and all browsers do that, correct?

Browsers warn you that there is mixed content when you have content coming from outside non https hosted domains, that is just warning the users that downloading certain content may be dangerous but it's not necessarily dangerous which is the case with images.

So only those elements which are not behind http can pose a threat or be unencrypted ... that is how I understand it works.

Quote:
Today, almost all major browsers tend to break mixed content into two categories: passive for images, videos, and sound; and activefor more dangerous resources, such as scripts. They tend to allow passive mixed content by default, but reject active content. This is clearly a compromise between breaking the Web and reasonable security.

Zachery 06-10-2014 06:31 AM
Quote:
Originally Posted by CAG CheechDogg (Post 2501316)
Correct, but even images hosted on external domains behind only http dont do any harm, they are categorized as passive and all browsers do that, correct?

Browsers warn you that there is mixed content when you have content coming from outside non https hosted domains, that is just warning the users that downloading certain content may be dangerous but it's not necessarily dangerous which is the case with images.

So only those elements which are not behind http can pose a threat or be unencrypted ... that is how I understand it works.
Browsers with good security will block it from being loaded, until you give it the okay to be. That would be Firefox/IE. Not sure if chrome does that yet.

CAG CheechDogg 06-10-2014 07:04 AM
On my site no browser blocks images behind just http, any scripts yes especially iframes , but images always load up without having to give the ok ... that's on all the browsers ...

thetechgenius 06-22-2014 12:15 AM
My entire Vbulletin 4 forum is running though SSL/HTTPS, and it runs perfectly fine. I even installed some Optimized Addons to make the pages load faster.

I havent had any problems at all with running my forum on HTTPS.

Yeah, if someone posts an image from a site using HTTP with the Image BBCode, there will be a tiny little Yellow sign (Chrome) in your browser on top of the Padlock. But no one sees a Security Warning or anything like that. Honestly, you wouldn't even know about the Tiny Yellow Sign if you weren't looking for it, because it really isnt a big deal. If it was a big deal, the user will see a Big Security Warning before he or she enters the page.

But like I said, running SSL with vBulletin is fine. It runs really, really well. I have even setup my web.config (Windows Server 2008R2) to redirect users to HTTPS. So if they type in "mysite.com" in their address bar, it would redirect them to https://mysite.com.

I setup a Test Thread on my site, and I posted an image from tinypic.com that uses HTTP and not HTTPS.

Check it out for yourself:
https://thetechgenius.net/threads/4-Test-Thread

webmastersun 06-23-2014 02:15 AM
Quote:
Originally Posted by IndigoSociety (Post 2272338)
How would I convert my forum to run on HTTPS instead of HTTP?

Does vBulletin support this mainly out of the box? I can't find anything on this besides a "hacky" vbulletin.com forum post.
Using htaccess will be good way for this, do some researches for information. :)


All times are GMT. The time now is 06:13 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02289 seconds
  • Memory Usage 1,758KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (16)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete