SSL support #167

Closed
tobscure opened this Issue Jul 7, 2015 · 13 comments

Member

tobscure commented Jul 7, 2015

_4 Upvotes_ There needs to be a setting to enable it always, or only on authenticated requests + the login/register routes.

Related to #145.

Contributor

rodrigoargumedo commented Jul 10, 2015

I would rather see only on authenticated login requests and its login/register pages.

On Jul 7, 2015, at 5:16 AM, "Toby Zerner" notifications@github.com wrote:

There needs to be a setting to enable it always, or only on authenticated requests + the login/register routes.

Related to #145.



woenel commented Jul 10, 2015

Two options on settings: Enable it always and Enable only on authenticated requests + the login/register

Contributor

poush commented Jul 15, 2015

+1 on @woenel

detis commented Jul 15, 2015

Only: turn everywhere

jberlyn commented Jul 16, 2015

Personally, I would only use it for authentication purposes, but it really depends on who wants to use the software. I'm sure a number of people would like all data to be encrypted depending on their usage.

solhuebner commented Jul 16, 2015

+1 for a use-always option. Google does not like non-SSL anymore ;)

Contributor

Allineer commented Jul 16, 2015

+1 to @detis

Fastidious commented Aug 8, 2015

I am also voting for SSL support. Having a setting to enable it always, or not at all, would be the simpler approach, I think.

Member

tobscure commented Aug 27, 2015

While I don't see why SSL support wouldn't be possible currently by enabling it on your server, and then changing the base_url and api_url config values to have the https protocol, we should make this easier in the form of a UI in the admin CP.

What needs to be done:

  • Add a setting to the Basics page, in the form of a Switch component. To keep things simple, I do not think we need to offer the option to enable SSL only for authentication pages at this stage. Just a simple global on/off.
  • Flarum should check the config option somewhere (in flarum/core or in flarum/flarum? we need to work this out) and redirect non-https requests to https if it's switched on.
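
The check proposed in the comment above (redirect non-https requests when the setting is switched on), as an added example that is not Flarum's code: `force_https` and `trusted_proxies` are hypothetical settings, `base_url` is the config value the comment names, and the proxy branch covers sites whose TLS is terminated in front of PHP, where a naive check would redirect forever.

```php
<?php
declare(strict_types=1);

// Added example: force_https and trusted_proxies are hypothetical keys.

/** Return the HTTPS URL to redirect to, or null if no redirect is needed. */
function httpsRedirectTarget(array $config, array $server): ?string
{
    if (empty($config['force_https'])) {
        return null; // global switch is off
    }

    $https  = strtolower((string) ($server['HTTPS'] ?? ''));
    $secure = $https !== '' && $https !== 'off';

    // Behind a TLS-terminating proxy the origin sees plain HTTP. Honour
    // X-Forwarded-Proto only from listed proxies: any client can send it.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!$secure && in_array($peer, $config['trusted_proxies'] ?? [], true)) {
        $proto  = (string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        $secure = strtolower($proto) === 'https';
    }
    if ($secure) {
        return null;
    }

    // Build the target from the configured base_url, never from the Host
    // header, so a forged Host cannot steer the redirect to another site.
    $base = rtrim((string) ($config['base_url'] ?? ''), '/');
    if (stripos($base, 'https://') !== 0) {
        throw new InvalidArgumentException('base_url must be https');
    }
    return $base . '/' . ltrim((string) ($server['REQUEST_URI'] ?? '/'), '/');
}

// Constructed sample requests (documentation address ranges).
$config = [
    'force_https'     => true,
    'base_url'        => 'https://forum.example',
    'trusted_proxies' => ['203.0.113.10'],
];
$requests = [
    'direct http'      => ['REMOTE_ADDR' => '198.51.100.7', 'REQUEST_URI' => '/d/1-hello?page=2'],
    'via proxy'        => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/d/1-hello'],
    'untrusted header' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/login'],
];
foreach ($requests as $label => $server) {
    echo $label, ': ', httpsRedirectTarget($config, $server) ?? 'no redirect', PHP_EOL;
}
```
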

ghost commented Aug 28, 2015

Works out of the box for me.

  1. Set up the site to use SSL / SPDY with Nginx using the following config.

server {
    # Redirect every plain-HTTP request to the canonical HTTPS host.
    listen 80;
    server_name sitename.com *.sitename.com;

    rewrite ^/(.*)$ https://sitename.com/$1 permanent;
}

server {
    listen 443 ssl spdy;
    server_name sitename.com *.sitename.com;

    root  /site/sitename/www;
    index index.php index.html;

    # Redirect any other host name to the canonical one.
    if ($host != 'sitename.com') {
        rewrite ^/(.*)$ https://sitename.com/$1 permanent;
    }

    error_log /site/log/nginx/sitename.err debug;

    ssl on;
    ssl_certificate     /site/config/nginx/ssl/generic.crt;
    ssl_certificate_key /site/config/nginx/ssl/generic.key;

    # Front controllers for the forum, the API and the admin panel.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /api {
        try_files $uri $uri/ /api.php?$query_string;
    }

    location /admin {
        try_files $uri $uri/ /admin.php?$query_string;
    }

    # Do not serve anything under /flarum.
    location /flarum {
        deny all;
        return 404;
    }

    location ~ \.php$ {
        fastcgi_pass  phpfpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }
}

And install... the config.php file seems to pick up the default https site.

Would not recommend SSL for some pages. SPDY support makes it worthwhile to have it on the whole site.

I've used a generic self-signed cert in this example as the sites are front-ended by Cloudflare.

ghost commented Sep 3, 2015

I hope when developing this you have an image proxy system in mind (as common end users have the habit of hot-linking non-SSL photos).

woenel commented Sep 3, 2015

+1 @Code-Name-Debian

justjavac referenced this issue Sep 7, 2015

Open

Flarum v0.1.0 Development Roadmap #3

18 of 53 tasks complete

Member

tobscure commented Mar 11, 2016

Hmm I guess we don't really need to do anything here... Just change http -> https in config.php and configure the webserver to redirect. Not Flarum's responsibility.

Image proxy system can probably be a third-party extension.

tobscure closed this Mar 11, 2016
