100% SSL Redirect

Ichneumon

For the last 6 months or so Rage3D has been behind the Cloudflare CDN after the DDoS that was directed at the site for several days.

Since even then we've offered full SSL for the site and forums for all connections, but now it runs more smoothly. I've been looking at rewriting all HTTP requests to HTTPS and I think we're at a point we can move to having all connections forced to SSL.

I've been sorting out how to do the SSL URL rewrite without breaking anything and am putting this out there for user feedback before I pull the trigger.
 
Use LetsEncrypt, CertBot, and Apache to achieve this.
R3D runs on Windows and IIS so that's not going to work and the Windows version of Apache is crap :p

Looks like Ichi got a Comodo SSL cert for the site so that's valid for.. 6 months at a time? Can't remember how the free version went.
 
Looks like Ichi got a Comodo SSL cert for the site so that's valid for.. 6 months at a time? Can't remember how the free version went.

Rage3D appears to be running Cloudflare's free shared SSL cert by Comodo. It is a multi domain positive SSL cert, so 99 other sites share this cert.

Though, this also means we are running in flexible SSL mode, so client to Cloudflare is encrypted, but Cloudflare to origin server is not.
 
Though, this also means we are running in flexible SSL mode, so client to Cloudflare is encrypted, but Cloudflare to origin server is not.
That being said, there's very little to gain here by encryption apart from user / pass.

I think the whole "EVERYTHING MUST BE ENCRYPTED" is pretty absurd for public forums, media and other content that simply has no value in being encrypted as it's free to view anyway.

I guess that's what you get when you have -isms running the show.
 
Encryption/SSL is much more important than you may realize, even for sites that are thought to contain little value in terms of actual content. It makes sure the content you are retrieving is the correct, un-tampered data. Without it, anyone with access to the data path between you and the server, say.. your ISP, is free to read and modify the data being transferred if they so desire.

Ad injection or censoring is unbelievably simple on unencrypted connections such as HTTP, where the packets and expected data are consistent and easy to manipulate. Home router software such as Squid can even do it for your own connections; don't think that someone else higher up in the chain doesn't have the ability. They are already scraping as it is.
 
Encryption/SSL is much more important than you may realize, even for sites that are thought to contain little value in terms of actual content. It makes sure the content you are retrieving is the correct, un-tampered data.
Your ISP can still use an interception proxy and you'll never know unless you examine certificates by hand.

Anyway that's pretty off topic here - personally I don't give a hoot if public forums like this are encrypted or not.
 
Your ISP can still use an interception proxy and you'll never know unless you examine certificates by hand.

Anyway that's pretty off topic here - personally I don't give a hoot if public forums like this are encrypted or not.

True, technically Cloudflare's flexible SSL mode is an interception proxy itself. You could go with an overly expensive EV cert, but even then the majority of web users have no idea what that is.
 
For what it's worth, you can browse any of R3D as HTTPS today. I just don't force everyone to use SSL.
 
Browsing the forums on the secure connection now...seems snappier than it's been here lately.

:up:
 
Ichy-chan plz (づ ̄ ³ ̄)づ ♥

Using https, all embedded YouTube videos produce a white square. When I change back to http I can view videos normally.

This is with Firefox 52.0.2 and no extensions or other crap snorlaxing my path.

Save me from this pain Ichy-chan (づ ̄ ³ ̄)づ ♥
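
A likely cause of the white squares reported above (an assumption, since the thread does not confirm it) is mixed content: a page served over HTTPS that embeds a player through an `http://` iframe, which browsers block. The following is an added example, not part of any post in this thread and not Rage3D's code, that scans page HTML for plain-http subresources before a forced redirect is switched on; the tag lists and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose http:// sources browsers block outright on an HTTPS page
# (active mixed content); passive ones such as <img> historically only warn.
ACTIVE = {"iframe": "src", "script": "src", "embed": "src",
          "object": "data", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, url) for every plain-http subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, severity in ((ACTIVE, "blocked"), (PASSIVE, "warning")):
            attr = table.get(tag)
            url = attrs.get(attr) if attr else None
            if not url:
                continue
            # <link> only loads a subresource when it is a stylesheet
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # Scheme-relative (//host/...) and https URLs are fine
            if urlsplit(url.strip()).scheme.lower() == "http":
                self.findings.append((severity, tag, url.strip()))


def scan(html):
    """Return the list of plain-http subresources found in an HTML string."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample post body (VIDEO_ID and hostnames are placeholders).
SAMPLE = """
<div class="post">
  <iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
  <iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
  <iframe src="//www.youtube.com/embed/VIDEO_ID"></iframe>
  <img src="http://images.example/sig.png">
  <a href="http://example.com/">plain link, not a subresource</a>
</div>
"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE):
        print(f"{severity:8} <{tag}> {url}")
```

Embeds reported as `blocked` need their stored URLs rewritten to `https://` or a scheme-relative form before every visitor is forced onto HTTPS.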
 