https vs. http

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Post Reply
Kyavion
Registered User
Posts: 31
Joined: Wed Jan 17, 2018 10:59 pm

https vs. http

Post by Kyavion »

In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http? I tried this and so far I don't notice any change.
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: https vs. http

Post by david63 »

To use https you need to have a ssl certificate installed on your server for the domain that your phpBB board is on.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
Selective
Registered User
Posts: 213
Joined: Sat Apr 19, 2014 10:30 am

Re: https vs. http

Post by Selective »

Kyavion wrote: Tue Jan 23, 2018 1:20 am In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http?
The https/http settings in the ACP (from my personal experience) will force which urls are required for login, and set the url default for all links posted in the forum using BBCodes or linking to internal pages in the forum.

However, It will not auto change the url address. To force change the url address, editing the .htaccess file needs to be done, but before the one for phpbb can be done, the one for your entire website has to be done first.

NOTE: If you set up the https without force changing all urls in the .htaccess files, then half of everyone visiting your forum will be blocked from registering/signing in, because if they are on the wrong url, that will prevent them and they won't know why because there are no messages to tell them.
bryan23
Registered User
Posts: 102
Joined: Thu Dec 28, 2017 2:16 pm

Re: https vs. http

Post by bryan23 »

david63 wrote: Tue Jan 23, 2018 1:48 am To use https you need to have a ssl certificate installed on your server for the domain that your phpBB board is on.
yes david63 is right, you need the SSL certificate for HTTPS:// secure connection. You can try to request from your host.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman »

Kyavion wrote: Tue Jan 23, 2018 1:20 am In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http? I tried this and so far I don't notice any change.
"Force server URL settings:" uses variables obtained from the server, in almost all cases you will want this set to no. For example this may append the port to the domain. This needs to be properly configured on the server to work.

Server protocol should be https:// , this will make sure all internal links parsed by the script are using https e.g. topic titles, forum titles, breadcrumb etc. AFAIK it does not redirect http to https however If you load a http page all the internal links should be https links. To redirect http to https use htaccess file.

Server port in almost all cases will be 443 for https, 80 is for http.

As already mentioned you need a valid SSL certificate to use https. Without one your users will either get warning if the server has default certificate and will have toi make an exception or an error that there is no certificate.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Kyavion
Registered User
Posts: 31
Joined: Wed Jan 17, 2018 10:59 pm

Re: https vs. http

Post by Kyavion »

Thanks for the feedback everyone. My plan on HostGator is the basic plan, which upon further research apparently doesn't provide for an option for https. How important is running https for a forum?

Since right now I can't purchase the certificate, should I still change the settings in the ACP to reflect https and 443 instead of 80 for the port?

So if a user wants, does typing "https" in the URL provide the same security as if I had the certificate?
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26502
Joined: Fri Aug 29, 2008 9:49 am

Re: https vs. http

Post by Mick »

You cannot use https if you don’t have an ssl certificate so your settings should stay as they are.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman »

Kyavion wrote: Tue Jan 23, 2018 2:16 pm Thanks for the feedback everyone. My plan on HostGator is the basic plan, which upon further research apparently doesn't provide for an option for https. How important is running https for a forum?
Without it browsers are going to issue warnings on things like the login box. The reason for this is for example suppose the user is using public wifi, someone with access to the router could obtain their login credentials.
Since right now I can't purchase the certificate, should I still change the settings in the ACP to reflect https and 443 instead of 80 for the port?
I would suggest leaving it as it is.
So if a user wants, does typing "https" in the URL provide the same security as if I had the certificate?
Firstly if you do not have valid certificate this would require a default or self signed certificate. If a default certificate is present the user will get a warning page and will specifically need to make an exception to view the site over https. This is useful if for example you yourself want to access the site over https to perform administration tasks. It will protect your login credentials from third parties*. Not so useful for your visitors.

This is secure as far as the communication between your browser and the server is concerned but going back to the public wifi example someone could spoof a site in which case it would not be your server you were communicating with. Not such a huge threat for minor site but a very big deal if it was banking site.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Kyavion
Registered User
Posts: 31
Joined: Wed Jan 17, 2018 10:59 pm

Re: https vs. http

Post by Kyavion »

Thanks for the replies and explanations. So when I manually type in "https://" followed by my site URL, there is a lock symbol prior to my site address. What does that symbol indicate exactly? Sorry if this isn't sinking in for me.
User avatar
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: https vs. http

Post by Lumpy Burgertushie »

you need to contact your host to see what they are doing about ssl on your account.

if you use https in the url to your site and you do not have a SSL installed ( even a free one from your hosting ) then it will most likely throw some errors somewhere.

contact hostgator and see if they offer a free ssl certificate for your account.

robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman »

Kyavion wrote: Tue Jan 30, 2018 12:54 am Thanks for the replies and explanations. So when I manually type in "https://" followed by my site URL, there is a lock symbol prior to my site address. What does that symbol indicate exactly? Sorry if this isn't sinking in for me.
If there is a lock of any kind that means the connection between the browser and server is encrypted.

If the lock is green that means you have a valid certificate for that domain, the certificate is validated by trusted third party. Communication between the browser and the server is both encrypted and secure because you know the domain content is valid.

If the lock is green but there is a any other icons like exclamation point or it's not green there is something wrong. For example if you have an image embedded that is not from a secure connection it will cause this. If the certificate is self signed it will also cause this.

A self signed certificate will give warnings to your users and they will need to make an exception to load the page. It's only useful if for example you yourself want to use it for encrypted communication.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman »

Lumpy Burgertushie wrote: Tue Jan 30, 2018 1:39 am if you use https in the url to your site and you do not have a SSL installed ( even a free one from your hosting ) then it will most likely throw some errors somewhere.
SSL will fail to load the page at all without a certificate installed but typically there is self signed or default certificates.

There is many option for "free" valid certificates and they should not throw an error in anyway. WHM/Cpanel for example will automatically obtain and apply valid certificates out of the box.

https://blog.cpanel.com/autossl/

If you are using Cpanel on shared host and they are charging you for the certificate then they are charging you $X for something that takes about 10 seconds. It's set and forget.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Kyavion
Registered User
Posts: 31
Joined: Wed Jan 17, 2018 10:59 pm

Re: https vs. http

Post by Kyavion »

Yes, my host is charging for the SSL certificate. Any chance you can point me in the direction of any docs that explain how to get and set up a "free" cert?
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman »

How you install the certificate depends on the hosting control panel/server and may not be possible at all if the host has removed that option. You'll need to consult your hosts documentation and the documentation for your hosting control panel to install one.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Post Reply

Return to “[3.2.x] Support Forum”