1
azgi
enable https ssl for entire site
  • 2017/1/19 21:40

  • azgi

  • Just popping in

  • Posts: 2

  • Since: 2017/1/19


We are using XOOPS 2.5.4 on our site with Apache/2.2.15. We already have SSL certificate installed, and SSL login is enabled and works fine. However, if we try to browse the site using https address, much of the site is malformed and the content is still delivered via insecure http. I am wondering if there is a module or method to enable the use of HTTPS for the entire site? Or is this some configuration problem in apache ssl.conf?
Thanks

2
Dante7237
Re: enable https ssl for entire site
  • 2017/1/20 1:23

  • Dante7237

  • Friend of XOOPS

  • Posts: 294

  • Since: 2008/5/28


Search your theme directory for any "http" references and replace them with "https". Individual blocks that call for "http" should also be updated.
If there are any links to insecure http addresses you'll get the security warning.

3
geekwright
Re: enable https ssl for entire site

Make sure the definition of XOOPS_URL in mainfile.php has the https:// protocol.

4
azgi
Re: enable https ssl for entire site
  • 2017/1/20 21:22

  • azgi

  • Just popping in

  • Posts: 2

  • Since: 2017/1/19


Thanks but sorry i wasn't clear. I don't want to force https, but rather have the option to use https. Therefore there shouldn't be any specific definition of http nor https anywhere. Still i tried to put https in the XOOPS_URL and it still seems to be OK when using http and the page is not malformed anymore when using https, so maybe that is the solution. Still there are some content like images transferred over http so i will look into that later

5
geekwright
Re: enable https ssl for entire site

Switching back and forth is not considered best practice. It used to be common, but the current wisdom is "If an asset is available using HTTPS, always request it with that."

The XOOPS_URL define is (supposed to be) used to build all URLs. It is possible to hack mainfile.php to dynamically change the define on each invocation, but that is not recommended. There may be issues with that approach, particularly form caching that was not designed from the ground up to be scheme sensitive.

It of course is your call -- this is just my perspective on the issue

Quote:

azgi wrote:
Thanks but sorry i wasn't clear. I don't want to force https, but rather have the option to use https. Therefore there shouldn't be any specific definition of http nor https anywhere. Still i tried to put https in the XOOPS_URL and it still seems to be OK when using http and the page is not malformed anymore when using https, so maybe that is the solution. Still there are some content like images transferred over http so i will look into that later

6
cristian76
Re: enable https ssl for entire site
  • 2017/1/26 18:21

  • cristian76

  • Just popping in

  • Posts: 10

  • Since: 2010/8/18


This is important question, because Google wants to force the use of https
"From the end of January with Chrome 56, Chrome will mark HTTP sites that collect passwords or credit cards as non-secure. Enabling HTTPS on your whole site is important, but if your site collects passwords, payment info, or any other personal information, it's critical to use HTTPS. Without HTTPS, bad actors can steal this confidential data"

https://plus.google.com/+GoogleWebmasters/posts/iDUi5pCNuLZ

I have already received email from Google for my site with xoops forum

7
brutalicuss
Re: enable https ssl for entire site

Hi guys :)

Im not sure if the method "type hidden" in input fields is old or correct, at all, but I had warned by chrome56 (google wt) for this field in our search form:
<input type="hidden" name="action" value="results"/>
They thinks that this action in non ssl sites is non secured collection of user data, like passwds, card and etc.
So we should change this method in all themes to be "modern" and solicitous for the data of our users :)
Personaly, I changed with <input type="text" name="action" value="results" style="display:none"/> so far its no affect wc3 validation and chrome warnings (I hope)
If anyone have better or more correct way to do that, I think it will be useful for all

8
geekwright
Re: enable https ssl for entire site

First, Chrome 56 is discontinued. Chrome 58 is current for all platforms. I cannot replicate the problem you reported using a current version of Chrome. I recall seeing a notice in the past that came from a "post" (rather than "get") method search box, but that no longer seems to be an issue. Perhaps that was one of the numerous issues fixed since version 56.

Second, the change you suggest does not improve the security/risk potential in any way. The field still exists, and is still is being transported the same way.

9
brutalicuss
Re: enable https ssl for entire site

Yep, the same, both fields exist.. but I hope to cheat google as I remove "type=hidden". In all cases this warnings are improper, but are real and may harm our sites, for seo at least.

First I checked hows on in wordpress, they have removed "hidden", not exist in any field. Than I decide to remove it also, I dont know, maybe google just hate this word "hidden" :)

For browser version, I dont know what is actual, I use only firefox, but this security warning (in gwt) was only few days ago.

OK Im good tester and will test what will happen with "display:none" :)

10
Mamba
Re: enable https ssl for entire site
  • 2017/7/3 23:40

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


If you're looking for more info/advise, check out Richard's tutorial here:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=78277
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

Login

Who's Online

193 user(s) are online (110 user(s) are browsing Support Forums)


Members: 0


Guests: 193


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits