Moving site over to https ... advice?

davethecat · Post by **davethecat** » Tue Dec 20, 2016 5:13 pm

Hello,

We're looking at making all of our site https for the first time. I'm hoping for advice about the best order to do things in, particularly with regard to our forum. We have our SSL certificate in place, and can access the forum fine via https. So far we haven't started to 'force' any pages to be https, but we will want to, so...

As far as I understand it, if we want to make the board only accessible via https, I will need to update any links on our site which go to the forum to be https, also put a 301 redirect in place to account for any http links from outside the site to go to https, and to Set Cookie Secure to “Enabled" in the ACP.

Is that all I need to do? And in which order should I carry out these steps?

Any advice appreciated!

MichaelC · Post by **MichaelC** » Wed Dec 21, 2016 4:21 am

The most important things are updating the 'cookie secure' setting under cookie settings and also checking under 'Server Settings' that if you have force server url enabled make sure you have the protocol set to https. If you miss updating any links internally it's not the end of the world, the redirect will just handle that for you.

We at phpbb.com now handle our https redirect in varnish (our gateway cache) but you can see how we used to do it in our .htaccess when we handled the 301 redirect in Apache here if that's useful to you at all.

nimd4 · Post by **nimd4** » Sat Dec 24, 2016 1:16 am

Just btw., if the SSL layer is getting added due to possible, future, purchases or something... It might not be a bad idea to hire a 3rd-party to handle everything (attacks and all), such as:

Code: Select all

https://www.cloudflare.com/

^^ Mind you, I have NO idea which of the top-ten, twenty, gateways are best to use.

Edit:

Code: Select all

https://www.business.att.com/enterprise/Family/cybersecurity/secure-network-gateway/

++

davethecat · Post by **davethecat** » Thu Jan 19, 2017 4:16 pm

Thanks for the advice - all noted!

Our site does already use CloudFlare, so we will be using that to force https across the entire site.

So.... when we do that, am I right in thinking that all I will need to do is update the 'cookie secure' setting, and that we won't then need a separate 301 redirect...? (we don't have force server url enabled)

so the CloudFlare setting forcing http to https will take the place of all/any 301 redirects...?

(sorry if that's a no brainer, SSL is new to us!)

Post by **Mick** » Thu Jan 19, 2017 6:31 pm

davethecat wrote: ↑Thu Jan 19, 2017 4:16 pmso the CloudFlare setting forcing http to https will take the place of all/any 301 redirects...?

The best people to ask would be CloudFlare support.

davethecat · Post by **davethecat** » Wed Jan 25, 2017 6:50 pm

Hello again,

I have been talking to CloudFlare support, and it seems that the best option for us is not to use their automatic https rewrite function site-wide after all, (due to possible conflict with some of our other applications "force SSL" functions, causing 'infinite redirect loop'). So instead the current plan is to ensure there is no mixed content across the site, and then to implement SSL on each individual application.

Other applications we run all have a "Force SSL" function in the programme. But as phpBB doesn't have that, I'm back now to needing to find out how best to do the redirect to force SSL across our phpBB forum, (given that I don't want to put in a blanket 'server-wide' redirect rule for all our site applications).

We've not done this before, and I'm not exactly clear now how to do the redirect... (I've only ever set up 301's for individual site pages which have moved), so would really appreciate further advice.

Michaelc: you gave a link for a "301 redirect in Apache" - but is that a server-wide redirect? I'd like to find a way to redirect just the phpBB forum to 'https' if that's possible? Or do I have to re-visit the idea of a server-wide rule?

Thanks for any further advice!

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Wed Jan 25, 2017 7:49 pm

google for htaccess redirects for ssl. then add the required code to the htaccess file in your board's root.

robert

noth · Post by **noth** » Wed Jan 25, 2017 8:29 pm

what is the advantage to doing all this?

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Wed Jan 25, 2017 8:37 pm

noth wrote: ↑Wed Jan 25, 2017 8:29 pm what is the advantage to doing all this?

that is always my question. the only thing ssl does is protect data during transfer. this is good for things like order forms when you input personal data.

it can also be good for the login form as well. however, in order for someone to be able to get your info when you click the submit button they have to be watching your board at the exact instant that the button is pressed.

the chances of that happening to anyone's bulletin board are so small as to be insignificant at best.

If you are running a store or for whatever reason are collecting personal/financial type info then yes, ssl is a must.
however, keep in mind that ssl does not protect anything other than the info posted in a form at the time it is being transmitted, not after when it is sitting there on the server and in a post etc.

robert

davethecat · Post by **davethecat** » Thu Jan 26, 2017 1:13 pm

Thank you!!

That's great we can code it into the htaccess file in your board's root if needed, (I did wonder that after I posted, but wasn't sure, so thanks!!)

Well the reason for thinking about doing this, is firstly because the rest of our site will be going to "https" so I really just figured that the forum would/should too. Google are slightly favouring https sites for ranking purposes, plus of course getting the green padlock on all our site pages for visitor's reassurance. As we recently got a full SSL certificate rather than self-signed, we figured we should use it (but now I'm thinking maybe forcing https on the whole forum is maybe not necessary). There is nothing out of the ordinary on our forum that necessarily needs securing.

But won't we need a redirect for google's purposes? Because the rest of the site will be going to https, we'll be adding the "https" version of the site in our google webmaster properties - so... won't google need us to have a "redirect" in place pointing to the https version of the forum..? (sorry if I'm sounding really dim here, but everywhere I've read about moving a site from http to https says about putting 301 redirects in).

So, I know we will need to enable the 'cookie secure' setting, update any hard-coded links to the forum to be https, so I think my only question now is whether we need the redirect for google search purposes, as above.

Thank you all for your patience!!!!

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Thu Jan 26, 2017 3:08 pm

better to ask google directly what they prefer. the last I heard they were still just "thinking" about using https as a part of their process.

robert

davethecat · Post by **davethecat** » Thu Jan 26, 2017 4:07 pm

Hi Robert,

Over the last few weeks I've done a lot of reading and research, and there are many pages confirming google already give a small amount of extra ranking to https sites - not much - but likely to increase - here are two of Google's own pages:

First from 2014 that first mention that:
https://webmasters.googleblog.com/2014/ ... ignal.html
More recently this page confirms the "slight boost" to https sites:
https://webmasters.googleblog.com/2015/ ... fault.html

So from all I've read google are pushing the web slowly but surely to https!

davethecat · Post by **davethecat** » Thu Jan 26, 2017 4:25 pm

Yikes - a discovery!

I have just done a bit of Googling and found that Google are already indexing our pages as "https" even though we haven't made any physical 'switch' yet to force it to SSL! So, what they say in the page that I linked to in my previous post is already happening (below) and we didn't realise - this bit:

"Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page. When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL"

So, they are clearly preferring https pages, to the point of serving their results over them, even before we have changed our links!!!

northernchimp · Post by **northernchimp** » Fri Jan 27, 2017 10:11 am

As I've posted in my own topic on this, Ars Technica have reported, and I can confirm. Google Chrome version 56.* now marks all pages with password/login fields as 'NOT SECURE' if they are served via http.

https://arstechnica.co.uk/information-t ... -insecure/

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Fri Jan 27, 2017 1:49 pm

well, that would be true. if they are not served via https then they are not secure. that has always been true.

the point is, however, that the only pages that need to be secure are forms that collect personal information.

like financial info or even just the login form here that has the username password. other than that, there is no reason for any other web page that is viewable by the public to be secured, not images , etc. SSL does not protect you from an image that may contain a virus etc. it only protects data during transfer from your computer to the web server and back when you click on a submit button.

robert