xoops forums

azgi

Just popping in
Posted on: 1/19 21:40
Posts: 2
Since: 1/19 21:29
#1

enable https ssl for entire site

We are using XOOPS 2.5.4 on our site with Apache/2.2.15. We already have SSL certificate installed, and SSL login is enabled and works fine. However, if we try to browse the site using https address, much of the site is malformed and the content is still delivered via insecure http. I am wondering if there is a module or method to enable the use of HTTPS for the entire site? Or is this some configuration problem in apache ssl.conf?
Thanks

Dante7237

Friend of XOOPS
Posted on: 1/20 1:23
Posts: 277
Since: 2008/5/28
#2

Re: enable https ssl for entire site

Search your theme directory for any "http" references and replace them with "https". Individual blocks that call for "http" should also be updated.
If there are any links to insecure http addresses you'll get the security warning.
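An added example, not part of the original posts: a small Python scanner for the theme search suggested above. It reports hard-coded `http://` subresources and separates active mixed content (stylesheets, scripts, frames, form targets), which browsers block on an HTTPS page, from passive content such as images. The function names and the sample markup with its example.com URLs are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Tags whose http:// URL is fetched (or posted to) as part of the page.
# Plain <a href> links are navigation, not subresources, so they are ignored.
ACTIVE = {"script", "link", "iframe", "frame", "form", "embed"}
PASSIVE = {"img", "audio", "video", "source"}
TAG_RE = re.compile(
    r"<(\w+)\b[^>]*?\b(?:src|href|action)\s*=\s*[\"'](http://[^\"']+)[\"']", re.I)
CSS_RE = re.compile(r"url\(\s*[\"']?(http://[^\"')\s]+)", re.I)

def scan_text(text):
    """Return (line_no, kind, url) for each hard-coded http:// subresource.
    Line-based, so a tag split across several lines is missed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for tag, url in TAG_RE.findall(line):
            tag = tag.lower()
            if tag in ACTIVE:
                findings.append((no, "active", url))
            elif tag in PASSIVE:
                findings.append((no, "passive", url))
        for url in CSS_RE.findall(line):  # background images and similar
            findings.append((no, "passive", url))
    return findings

def scan_theme(theme_dir, exts=(".html", ".tpl", ".css", ".php")):
    """Scan templates and stylesheets under theme_dir; returns {path: findings}."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed sample of theme markup (not taken from a real XOOPS theme).
SAMPLE = '''<link rel="stylesheet" href="http://www.example.com/themes/mytheme/style.css">
<script src="https://www.example.com/include/xoops.js"></script>
<a href="http://www.example.org/">partner site</a>
<img src="http://www.example.com/uploads/logo.png" alt="logo">
<div style="background:url('http://www.example.com/images/bg.gif')"></div>
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan.py /path/to/themes/mytheme
        for name, found in scan_theme(sys.argv[1]).items():
            for no, kind, url in found:
                print(f"{name}:{no}: {kind}: {url}")
    else:
        print(scan_text(SAMPLE))
```

Fix the "active" findings first; images and other passive content account for the remaining browser warnings.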

geekwright

Quite a regular
Posted on: 1/20 2:28
Posts: 225
Since: 2010/10/15
#3

Re: enable https ssl for entire site

Make sure the definition of XOOPS_URL in mainfile.php has the https:// protocol.

azgi

Just popping in
Posted on: 1/20 21:22
Posts: 2
Since: 1/19 21:29
#4

Re: enable https ssl for entire site

Thanks, but sorry, I wasn't clear. I don't want to force https, but rather have the option to use https. Therefore there shouldn't be any specific definition of http nor https anywhere. Still, I tried to put https in the XOOPS_URL and it still seems to be OK when using http, and the page is not malformed anymore when using https, so maybe that is the solution. Still, there is some content like images transferred over http, so I will look into that later.

geekwright

Quite a regular
Posted on: 1/21 17:52
Posts: 225
Since: 2010/10/15
#5

Re: enable https ssl for entire site

Switching back and forth is not considered best practice. It used to be common, but the current wisdom is "If an asset is available using HTTPS, always request it with that."

The XOOPS_URL define is (supposed to be) used to build all URLs. It is possible to hack mainfile.php to dynamically change the define on each invocation, but that is not recommended. There may be issues with that approach, particularly form caching that was not designed from the ground up to be scheme sensitive.

It of course is your call -- this is just my perspective on the issue.

Quote:

azgi wrote:
Thanks, but sorry, I wasn't clear. I don't want to force https, but rather have the option to use https. Therefore there shouldn't be any specific definition of http nor https anywhere. Still, I tried to put https in the XOOPS_URL and it still seems to be OK when using http, and the page is not malformed anymore when using https, so maybe that is the solution. Still, there is some content like images transferred over http, so I will look into that later.

cristian76

Just popping in
Posted on: 1/26 18:21
Posts: 10
Since: 2010/8/18
#6

Re: enable https ssl for entire site

This is an important question, because Google wants to force the use of https:
"From the end of January with Chrome 56, Chrome will mark HTTP sites that collect passwords or credit cards as non-secure. Enabling HTTPS on your whole site is important, but if your site collects passwords, payment info, or any other personal information, it's critical to use HTTPS. Without HTTPS, bad actors can steal this confidential data"

https://plus.google.com/+GoogleWebmasters/posts/iDUi5pCNuLZ

I have already received an email from Google for my site with a XOOPS forum.

brutalicuss

Not too shy to talk
Posted on: 4/30 13:59
Posts: 119
Since: 2012/6/9 1
#7

Re: enable https ssl for entire site

Hi guys :)

I'm not sure if the method "type hidden" in input fields is old or correct at all, but I was warned by Chrome 56 (google wt) for this field in our search form:
<input type="hidden" name="action" value="results"/>
They think that this action on non-SSL sites is a non-secured collection of user data, like passwords, cards, etc.
So we should change this method in all themes to be "modern" and solicitous for the data of our users :)
Personally, I changed it to <input type="text" name="action" value="results" style="display:none"/>; so far it does not affect W3C validation and Chrome warnings (I hope).
If anyone has a better or more correct way to do that, I think it will be useful for all.

geekwright

Quite a regular
Posted on: 5/1 15:54
Posts: 225
Since: 2010/10/15
#8

Re: enable https ssl for entire site

First, Chrome 56 is discontinued. Chrome 58 is current for all platforms. I cannot replicate the problem you reported using a current version of Chrome. I recall seeing a notice in the past that came from a "post" (rather than "get") method search box, but that no longer seems to be an issue. Perhaps that was one of the numerous issues fixed since version 56.

Second, the change you suggest does not improve the security/risk potential in any way. The field still exists, and is still being transported the same way.

brutalicuss

Not too shy to talk
Posted on: 5/1 17:30
Posts: 119
Since: 2012/6/9 1
#9

Re: enable https ssl for entire site

Yep, the same, both fields exist... but I hope to cheat Google as I remove "type=hidden". In all cases these warnings are improper, but they are real and may harm our sites, for SEO at least.

First I checked how it is in WordPress; they have removed "hidden", it does not exist in any field. Then I decided to remove it also. I don't know, maybe Google just hates this word "hidden" :)

As for the browser version, I don't know what is current; I use only Firefox, but this security warning (in GWT) was only a few days ago.

OK, I'm a good tester and will test what will happen with "display:none" :)

Mamba

Moderator
Posted on: 7/3 23:40
Posts: 10406
Since: 2004/4/23
#10

Re: enable https ssl for entire site

If you're looking for more info/advice, check out Richard's tutorial here:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=78277