http(s) mixed content

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Anti-Spam Guide
User avatar
millipede
Registered User
Posts: 136
Joined: Mon Feb 25, 2008 5:13 am
Contact:

http(s) mixed content

Post by millipede » Wed Aug 22, 2018 1:17 am

First, a more serious(but not a big deal) question.
I recently switched to https and I still have a lot to get sorted out.
There's still not a green lock in the address bar because of mixed content. with that, I'm wondering if that's http images or other content on the board... OR, would it display that while browsing the forum if the mixed content is ANYWHERE else on the site(not the forum part)?
I have a LOT of links to fix for the pages but want to try not to miss anything on the forum...

With that... I found an interesting crawler visiting my site just now. When I see one, before I go search it I go ahead and list it with the rest of the bots so it should hopefully be limited to what bots can only do. I don't know if that makes a big difference or not.
But this was the Gluten Free Crawler

Mozilla/5.0 (compatible; Gluten Free Crawler/1.0; +http://glutenfreepleasure.com/)

Go to the website, the description for that crawler was worth reading... :lol:

Doesn't really let me know what it intends to do with data it's crawling but at least I got a laugh out of it.
Last edited by Mick on Sat Aug 25, 2018 7:13 am, edited 2 times in total.
Reason: Marked as solved.

User avatar
AmigoJack
Registered User
Posts: 5350
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: gluten free

Post by AmigoJack » Wed Aug 22, 2018 7:31 am

millipede wrote:
Wed Aug 22, 2018 1:17 am
There's still not a green lock in the address bar because of mixed content
That's already the reason. If your internet browser is not giving you morer details or unable to list which resources are loaded thru that very site you accessed then consider using other software. It's about content - any, not just pictures. It's about the site that was queried, not all sites of your/any website.
millipede wrote:
Wed Aug 22, 2018 1:17 am
Mozilla/5.0 (compatible; Gluten Free Crawler/1.0; +http://glutenfreepleasure.com/)
Old one, encountered that at least one year ago already. It is just like any other crawler: searching for specific information. Now it might be funny to you, but if you stick to looking for useragents yet unknown to you it will shift to being boring, then enerving. Countless bots don't identify as bots, including a couple from Google.
The worst thing about censorship is ███████████

User avatar
millipede
Registered User
Posts: 136
Joined: Mon Feb 25, 2008 5:13 am
Contact:

Re: gluten free

Post by millipede » Wed Aug 22, 2018 4:44 pm

If your internet browser is not giving you morer details or unable to list which resources are loaded thru that very site you accessed then consider using other software.
I checked in puffin browser, doesn't even show that it's mixed content. But I use firefox mostly and it says "such as images" as a possibility but doesn't list what the mixed content is that's "unsecure."
I'm getting the mixed content lock when viewing my board. It may not be hugely important but I would like to find out what it is.

I ran into a bigger problem, I believe. I thought I'd check with IE to see if it listed anything and, it will not load my board.
This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://www.byfellowship.com again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Does this mean that anyone using IE cannot view my board? That's not good. I went into the advanced settings and TLS options they mentioned are all checked. Does this mean that it's using RC4(I don't actually understand any of this stuff really)? And if so... what do I do about it?

This started out being something I wasn't too worried about but, now I'm glad I checked on this or else I don't know when I would have discovered that IE users might not be able to view the board.

EDIT: Looking at some searches, the internet is suggesting that firefox stopped supporting RC4 with version 44. I'm using FF 61 so... is it possible that IE is not displaying the page for another reason? I may have to check this on some other computers. Frustrating though... :(

More searching, found ssllabs and ran a test... shows TLS 1.2 being used... and MOST browsers had no problem... but...
IE 11 for win 7 through 8.1 (win 10 was fine) and Safari 6 through 8 all get the following error
Server sent fatal alert: handshake_failure
So now I have to figure out why... and what to do about it. I will keep searching. If anyone has thoughts, let me know.

User avatar
Mick
Support Team Member
Support Team Member
Posts: 20237
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: gluten free

Post by Mick » Wed Aug 22, 2018 6:05 pm

I think you’re wasting your time looking for IE11 solutions, it’s at EOL although it is being supported by security updates and minimum technical support as long as security updates are being generated. Basically it’s dying and MS are happy to see it go by the looks of things.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.

User avatar
millipede
Registered User
Posts: 136
Joined: Mon Feb 25, 2008 5:13 am
Contact:

Re: gluten free

Post by millipede » Wed Aug 22, 2018 6:20 pm

Mick wrote:
Wed Aug 22, 2018 6:05 pm
I think you’re wasting your time looking for IE11 solutions,
I rarely ever use it personally but, lots of people in the world use all sorts of old browsers they shouldn't. And older safari versions aren't working according to the test. I wouldn't mind seeing IE go away myself but, if anyone out there is using it, tries to visit my site... if that's the browser they're using, I can't think of someone saying "I better find a new browser JUST for this website..."
So if I can find a solution, I'll be happy. I wont lose any sleep over it in the meantime but would still like to sort it out.

I could message my host about it but I'm not quite sure what kind of back and forth I'll go through without getting real answers. It's not exactly their issue.

User avatar
Mick
Support Team Member
Support Team Member
Posts: 20237
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: gluten free

Post by Mick » Wed Aug 22, 2018 6:41 pm

But . . .

Nobody else seems to be having the issue so I think I’d point my stick at server set up. I’ve just tried IE on two other boards I use without problems so what do you do, I’ll bet your host would blow you off saying IE is out of date.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.

User avatar
Lumpy Burgertushie
Registered User
Posts: 65185
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: gluten free

Post by Lumpy Burgertushie » Wed Aug 22, 2018 7:24 pm

I get the same screen when accessing your site using IE11
in firefox 60 it works just fine.

this is most likely going to be something with your host's setup of whatever that TLS is. I read just the other day that TLS 1.3 is not working properly yet so maybe your host has upgraded to TLS 1.3 and has not set it all up correctly or something.

contact your host.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

User avatar
millipede
Registered User
Posts: 136
Joined: Mon Feb 25, 2008 5:13 am
Contact:

Re: gluten free

Post by millipede » Wed Aug 22, 2018 7:41 pm

just checked something... definitely worth checking with my host...
I had already mentioned this to them at one point but they never commented. I have ssl setup on a couple sub-domains that I didn't personally setup. They were automatically done somehow... at least I don't ever remember setting them up. I setup ssl with let's encrypt through my cpanel. Checking settings when I had done it is when I discovered I had certificates that were autossl and some that were not, the ones that I did with let's encrypt... different renewal dates. I don't know if or how that plays into anything.

I bring this up because I just checked to see and using IE, I can't get to the sub-domain page or the main one... that have two different issuers for the certificates... the main pages are all under the let's encrypt issuance and the sub-domain lists Cpanel.
So if there are two different ones and they both give the same result, it does make me think it's more server side... and at least worth asking my host about it.
Hopefully they don't shrug me off... and hopefully it doesn't become a "try this..." and then "try this..." but we'll see.
If anyone thinks of anything relevant let me know... otherwise, I'll post back if and when I get something sorted out.
oh, I was also thinking of joining the help discussion at let's encrypt and asking them. I have a feeling I'll get better and more specific info from them but, who knows.

Thanks burgertushie, according to the report from the test I ran, it's TLS 1.2 but, I did just submit a ticket to my host.

I almost forgot... while waiting on figuring this one out...
The mixed content on my board. Firefox didn't give me specifics... Just curious what's the easiest way to see what on the board is not "secure." I did find that the image linked to the http version of the board. Got that fixed. Was using "inspect element" to view a bit of that but that's not going to help me find everything I suspect... or at least it would be extremely time consuming. ha.

User avatar
millipede
Registered User
Posts: 136
Joined: Mon Feb 25, 2008 5:13 am
Contact:

Re: gluten free

Post by millipede » Wed Aug 22, 2018 7:49 pm

Update on ssl issue...

This was the response from my host...(nice and quick)
As it stands Internet Explorer 11 will work on Windows 10. IE11 on Windows 8.1, 8.0, 7, Vista, and XP are not supported because that browser combination does not support modern and secure SSL ciphers. FireFox, Chrome, and most other third party browsers will continue working on everything but XP as they support modern SSL Security.

IE11 on those operating systems were supported until a couple of months ago at which point the ciphers used by IE11 on those operating systems was found to be weak and easily broken.

Unfortunately if the operating system / browser does not support the secure ciphers it will not load. You can put your site behind CloudFlare and configure it on their end to support TLS 1.0 and 1.2.
So, it sounds like anyone using IE from windows 7 through 8.1, and maybe certain safari versions, just can't visit my site? So I'm out of luck unless I do what he said about cloudflare?

IF that's my only option... Is that safe and all? Like I said, I want to make sure that people can visit my site. Even though it's not really all that supported. there are TONS of people out there still using IE 11 with those windows versions.

Also... I can view this website just fine with my IE11... is this setup differently? Just trying to figure out if it is just as simple as, it's the browsers' fault...

User avatar
Lumpy Burgertushie
Registered User
Posts: 65185
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: gluten free

Post by Lumpy Burgertushie » Wed Aug 22, 2018 8:52 pm

looks like my post above is what the problem is. your host apparently has upgraded to the TLS1.3 before it is ready.
not sure what you can do other than what they suggest or change hosts.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

User avatar
david63
Jr. Extension Validator
Posts: 14900
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: gluten free

Post by david63 » Wed Aug 22, 2018 9:12 pm

millipede wrote:
Wed Aug 22, 2018 6:20 pm
lots of people in the world use all sorts of old browsers they shouldn't
That may be true but be aware that phpBB does not support many old browsers
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
AmigoJack
Registered User
Posts: 5350
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: gluten free

Post by AmigoJack » Thu Aug 23, 2018 7:09 am

millipede wrote:
Wed Aug 22, 2018 4:44 pm
I thought I'd check with IE to see if it listed anything and, it will not load my board.
The solution is easy: also serve HTTP, not just HTTPS - then your page will display fine. That's one of the major misunderstandings of the masses: they force everyone to go to HTTPS when not everybody is able to consume HTTPS. Your signature also links to HTTP, not HTTPS to begin with.
millipede wrote:
Wed Aug 22, 2018 1:17 am
mixed content
Which site are we talking about specifically? Neither your index (https://byfellowship.com/) nor your board index (https://byfellowship.com/forums/index.php) have any non-HTTPS content. I have disabled loading Google Analytics/Syndication, Oneall, Facebook, Twitter and Pinterest, tho, and because of all these trackers I'm not eager to visit any of your sites again.
The worst thing about censorship is ███████████

User avatar
millipede
Registered User
Posts: 136
Joined: Mon Feb 25, 2008 5:13 am
Contact:

Re: gluten free

Post by millipede » Thu Aug 23, 2018 3:07 pm

not sure what you can do other than what they suggest or change hosts.
any thoughts on the cloudflare option? I don't really even know what it is but it's in Cpanel so I can't imagine it's difficult...(ha)
The solution is easy: also serve HTTP, not just HTTPS
Always pros and cons and, decisions, and, ugh. HA. This has me wondering though... I switched to https because of all the news about it, many people wont create accounts on sites that don't seem secure to them. My mom works somewhere, not that she'd be looking at my site from there, where she actually can't even visit a site that doesn't use https...
Offering both seems tricky. Would be a lot of work to have all sorts of links to both options everywhere I go.
I setup the htaccess redirect so that it would just go to the https version. If I turn off the redirect, people would need to manually put in that S if they want it... which, I imagine, would be frustrating or confusing for some. How would I link to the board? The http version and then anyone that wants https has to put that in? or the https version and anyone that wants to use http has to figure that out on their own? Seems a challenge.
IS there a way in htaccess where I could make it so that if someone were using IE 11 or those versions of safari, they'd only be shown http no matter what? Otherwise, I can't think of a way that would be easy to manage to offer both...
Neither your index nor your board index have any non-HTTPS content.
Odd... when I'm on firefox it shows mixed content.
I have disabled loading Google Analytics/Syndication, Oneall, Facebook, Twitter and Pinterest, tho
Could the mixed content be coming from one of them? I'd think all of those would be using https. Perhaps I'll start by looking at the images used by the oneall and the shareon extensions.
and because of all these trackers I'm not eager to visit any of your sites again.
well now that gives me more thoughts that I'm not sure about. :(
First I'd like to tease you and say that if you have them disabled, why worry? :p
But... hmmm... I don't want to chase people away by using those things... in fact, it's the opposite intention. Google analytics are by no means essential to my site... it seemed something that site owners do to gauge the traffic to their sites. LOTS of sites use it. In fact, I seem to have google analytics blocked at THIS (phpbb)site we're on now. I'm sure you don't really avoid EVERY site that has trackers on it.
facebook, twitter, and pinterest are likely all part of oneall... unless they're just from the share extension. And oneall is just an extension for people to be able to login to my board using their accounts from other sites.
I added that hoping it would encourage people to join and participate. If I post a link on facebook to something on my board, they go look, see they can just login using FB, they might be more willing to rather than creating another username and password to remember.
My one most active member saw that and linked their FB account right away for the ease of it.

EDIT:
Your signature also links to HTTP
So leaving out http or https directs to http?
Never mind that..., I think... hovering over it, it was just byfellowship without anything before it. But I went to edit it and, I did have http in there.

User avatar
AmigoJack
Registered User
Posts: 5350
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: gluten free

Post by AmigoJack » Fri Aug 24, 2018 8:26 am

millipede wrote:
Thu Aug 23, 2018 3:07 pm
IS there a way in htaccess where I could make it so that if someone were using IE 11 or those versions of safari, they'd only be shown http no matter what?
Yes, you can define rewrite rules based on the useragent (speak: internet browser being used), see https://stackoverflow.com/questions/300 ... -is-disabl, https://serverfault.com/questions/38980 ... pports-sni, https://stackoverflow.com/questions/117 ... javascript or in general https://www.google.fi/search?q=.htacces ... e&tbs=li:1
millipede wrote:
Thu Aug 23, 2018 3:07 pm
First I'd like to tease you and say that if you have them disabled, why worry? :p
You chose to include third party resources (with questionable reasons: why using the Google tracker when it's not essential?), I choose to not take websites serious which can't break it down to serve resources themselves. Every time a user requests your website it will also request those resources, with a referer to your website, hence being tracked. Apart from cookies and JS.
millipede wrote:
Thu Aug 23, 2018 3:07 pm
LOTS of sites use it. [...] I'm sure you don't really avoid EVERY site that has trackers on it.
LOTS are wrong and act inconsistent. Yes, I don't avoid every website with trackers, but my respect to each such website goes down. phpbb.com as well as every phpBB installation since 3.2 also uses third party resources, and I don't like it at all.
millipede wrote:
Thu Aug 23, 2018 3:07 pm
Your signature also links to HTTP
I went to edit it and, I did have http in there.
My whole point is: you're inconsistent. The website in your profile still uses HTTP, your signature now uses HTTPS... I think you're one of many who just use something without having understood it throughly, thus not doing it at 100%. Redirecting every HTTP request to HTTPS is not the best practice, as you now learnt. People not being able to type in a website address themselves, thus trying both HTTP and HTTPS, are just people I would not care about - if they want to treat the internet like a TV then I won't be able to change them anyway. That's also the reason why I serve both: HTTP and HTTPS, because everybody should be able to choose for himself, instead of being forced. Because nobody should be penalized for actually knowing what he's doing.

As of being consistent: can you please change the subject in your first post to a more fitting one? This topic is by far not about that subject anymore.
The worst thing about censorship is ███████████

User avatar
millipede
Registered User
Posts: 136
Joined: Mon Feb 25, 2008 5:13 am
Contact:

Re: gluten free

Post by millipede » Fri Aug 24, 2018 2:29 pm

I sense a lot of frustration in your reply. Some lack of respect or patience, I'm not sure. But if you're bothered by this topic, you don't need to reply anymore. I appreciate all the advice you've offered so far, honestly.

Post Reply

Return to “phpBB Discussion”

Who is online

Users browsing this forum: KYPREO and 31 guests

cron