https vs. http

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Post Reply
Kyavion
Registered User
Posts: 22
Joined: Wed Jan 17, 2018 10:59 pm

https vs. http

Post by Kyavion » Tue Jan 23, 2018 1:20 am

In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http? I tried this and so far I don't notice any change.

User avatar
david63
Jr. Extension Validator
Posts: 14553
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: https vs. http

Post by david63 » Tue Jan 23, 2018 1:48 am

To use https you need to have a ssl certificate installed on your server for the domain that your phpBB board is on.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Selective
Registered User
Posts: 213
Joined: Sat Apr 19, 2014 10:30 am

Re: https vs. http

Post by Selective » Tue Jan 23, 2018 2:58 am

Kyavion wrote:
Tue Jan 23, 2018 1:20 am
In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http?
The https/http settings in the ACP (from my personal experience) will force which urls are required for login, and set the url default for all links posted in the forum using BBCodes or linking to internal pages in the forum.

However, It will not auto change the url address. To force change the url address, editing the .htaccess file needs to be done, but before the one for phpbb can be done, the one for your entire website has to be done first.

NOTE: If you set up the https without force changing all urls in the .htaccess files, then half of everyone visiting your forum will be blocked from registering/signing in, because if they are on the wrong url, that will prevent them and they won't know why because there are no messages to tell them.

bryan23
Registered User
Posts: 71
Joined: Thu Dec 28, 2017 2:16 pm

Re: https vs. http

Post by bryan23 » Tue Jan 23, 2018 7:59 am

david63 wrote:
Tue Jan 23, 2018 1:48 am
To use https you need to have a ssl certificate installed on your server for the domain that your phpBB board is on.
yes david63 is right, you need the SSL certificate for HTTPS:// secure connection. You can try to request from your host.

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 2726
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman » Tue Jan 23, 2018 1:54 pm

Kyavion wrote:
Tue Jan 23, 2018 1:20 am
In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http? I tried this and so far I don't notice any change.
"Force server URL settings:" uses variables obtained from the server, in almost all cases you will want this set to no. For example this may append the port to the domain. This needs to be properly configured on the server to work.

Server protocol should be https:// , this will make sure all internal links parsed by the script are using https e.g. topic titles, forum titles, breadcrumb etc. AFAIK it does not redirect http to https however If you load a http page all the internal links should be https links. To redirect http to https use htaccess file.

Server port in almost all cases will be 443 for https, 80 is for http.

As already mentioned you need a valid SSL certificate to use https. Without one your users will either get warning if the server has default certificate and will have toi make an exception or an error that there is no certificate.

Kyavion
Registered User
Posts: 22
Joined: Wed Jan 17, 2018 10:59 pm

Re: https vs. http

Post by Kyavion » Tue Jan 23, 2018 2:16 pm

Thanks for the feedback everyone. My plan on HostGator is the basic plan, which upon further research apparently doesn't provide for an option for https. How important is running https for a forum?

Since right now I can't purchase the certificate, should I still change the settings in the ACP to reflect https and 443 instead of 80 for the port?

So if a user wants, does typing "https" in the URL provide the same security as if I had the certificate?

User avatar
Mick
Support Team Member
Support Team Member
Posts: 19699
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably . . .

Re: https vs. http

Post by Mick » Tue Jan 23, 2018 2:21 pm

You cannot use https if you don’t have an ssl certificate so your settings should stay as they are.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 2726
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman » Tue Jan 23, 2018 3:07 pm

Kyavion wrote:
Tue Jan 23, 2018 2:16 pm
Thanks for the feedback everyone. My plan on HostGator is the basic plan, which upon further research apparently doesn't provide for an option for https. How important is running https for a forum?
Without it browsers are going to issue warnings on things like the login box. The reason for this is for example suppose the user is using public wifi, someone with access to the router could obtain their login credentials.
Since right now I can't purchase the certificate, should I still change the settings in the ACP to reflect https and 443 instead of 80 for the port?
I would suggest leaving it as it is.
So if a user wants, does typing "https" in the URL provide the same security as if I had the certificate?
Firstly if you do not have valid certificate this would require a default or self signed certificate. If a default certificate is present the user will get a warning page and will specifically need to make an exception to view the site over https. This is useful if for example you yourself want to access the site over https to perform administration tasks. It will protect your login credentials from third parties*. Not so useful for your visitors.

This is secure as far as the communication between your browser and the server is concerned but going back to the public wifi example someone could spoof a site in which case it would not be your server you were communicating with. Not such a huge threat for minor site but a very big deal if it was banking site.

Kyavion
Registered User
Posts: 22
Joined: Wed Jan 17, 2018 10:59 pm

Re: https vs. http

Post by Kyavion » Tue Jan 30, 2018 12:54 am

Thanks for the replies and explanations. So when I manually type in "https://" followed by my site URL, there is a lock symbol prior to my site address. What does that symbol indicate exactly? Sorry if this isn't sinking in for me.

User avatar
Lumpy Burgertushie
Registered User
Posts: 64662
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: https vs. http

Post by Lumpy Burgertushie » Tue Jan 30, 2018 1:39 am

you need to contact your host to see what they are doing about ssl on your account.

if you use https in the url to your site and you do not have a SSL installed ( even a free one from your hosting ) then it will most likely throw some errors somewhere.

contact hostgator and see if they offer a free ssl certificate for your account.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 2726
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman » Tue Jan 30, 2018 2:00 pm

Kyavion wrote:
Tue Jan 30, 2018 12:54 am
Thanks for the replies and explanations. So when I manually type in "https://" followed by my site URL, there is a lock symbol prior to my site address. What does that symbol indicate exactly? Sorry if this isn't sinking in for me.
If there is a lock of any kind that means the connection between the browser and server is encrypted.

If the lock is green that means you have a valid certificate for that domain, the certificate is validated by trusted third party. Communication between the browser and the server is both encrypted and secure because you know the domain content is valid.

If the lock is green but there is a any other icons like exclamation point or it's not green there is something wrong. For example if you have an image embedded that is not from a secure connection it will cause this. If the certificate is self signed it will also cause this.

A self signed certificate will give warnings to your users and they will need to make an exception to load the page. It's only useful if for example you yourself want to use it for encrypted communication.

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 2726
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman » Tue Jan 30, 2018 2:11 pm

Lumpy Burgertushie wrote:
Tue Jan 30, 2018 1:39 am
if you use https in the url to your site and you do not have a SSL installed ( even a free one from your hosting ) then it will most likely throw some errors somewhere.
SSL will fail to load the page at all without a certificate installed but typically there is self signed or default certificates.

There is many option for "free" valid certificates and they should not throw an error in anyway. WHM/Cpanel for example will automatically obtain and apply valid certificates out of the box.

https://blog.cpanel.com/autossl/

If you are using Cpanel on shared host and they are charging you for the certificate then they are charging you $X for something that takes about 10 seconds. It's set and forget.

Kyavion
Registered User
Posts: 22
Joined: Wed Jan 17, 2018 10:59 pm

Re: https vs. http

Post by Kyavion » Tue Feb 06, 2018 12:01 am

Yes, my host is charging for the SSL certificate. Any chance you can point me in the direction of any docs that explain how to get and set up a "free" cert?

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 2726
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: https vs. http

Post by thecoalman » Tue Feb 06, 2018 12:51 am

How you install the certificate depends on the hosting control panel/server and may not be possible at all if the host has removed that option. You'll need to consult your hosts documentation and the documentation for your hosting control panel to install one.

Post Reply

Return to “[3.2.x] Support Forum”

Who is online

Users browsing this forum: andares, Brf, Crizzo, Neverlands, stevemaury, stupiduck and 37 guests