This guide will help you complete some extra steps when switching a regular domain, which starts with 'http://', to a secure domain, which starts with 'https://'. This means you have to purchase and install an SSL certificate, which could be of various security levels and therefore prices. Usually it all could be done by your hosting provider, but you could also install it on your own.
When introducing SSL on your domain, you should be aware of the following: while a regular domain would load in any outdated browser, a secured domain with a modern certificate will not. Truly old browsers and their owners will be unable to read your website. By installing SSL, you actually cut off bits of insecure traffic.
After SSL is installed and 'https' is on, keep the regular version of your domain alive and pointing to the same website. In the guide below, I'll describe how to set up a proper redirection from 'http' to 'https', but you could also run both versions, although it's not about SEO.
This guide also assumes you already have the miniBB program installed and running.
1. VERIFY YOUR SSL
First, before we go on to anything else, after installing an SSL certificate test your updated domain using an online tool which checks it for security leaks; I've used Why No Padlock.
For more detailed results, try the SSL Labs test tool.
Your domain should pass all tests and you should have all green ticks in the test results, as shown above. If a red issue comes up, follow its description (it usually gives you everything you need to search for) and fix it.
If one of the verification sections says "You currently have TLSv1 enabled", and that's why the domain is not fully verified (as it was in my case), then you should disable TLSv1 in your web server configuration. For Apache on Ubuntu, edit /etc/apache2/mods-enabled/ssl.conf and update the 'SSLProtocol' value there with the following:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Next, we proceed to the miniBB software, which requires some extra actions if you run it on a secured domain.
2. SET UP A PROPER REDIRECTION
Look in setup_options.php and first check the $main_url setting: the URL to your forums should start with 'https://'.
In the same file, you could set up a forced redirection to 'https' if a regular domain has been entered. I know there are a lot of solutions for Apache's .htaccess, but most of them I've tried either did not work or were not compatible with my Apache configuration. Also, if you are on a server other than Apache, the PHP-code solution would work best.
So, to set up such a redirection, first, at the very top of setup_options.php, right after the opening <?php tag, add the following code (it determines whether we are on a secured domain or not):
/* Forcing HTTPS redirection – initial step */
if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) {
    $add_s='s';
}
else $add_s='';
/* --Forcing HTTPS redirection – initial step */
And close to the bottom of setup_options.php, before the closing ?>, add the redirection code itself:
/* Forcing SSL redirection */
if($add_s==''){
    // Reuse the request's protocol version for the status line; default to HTTP/1.1.
    if(isset($_SERVER['SERVER_PROTOCOL']) and ($_SERVER['SERVER_PROTOCOL']=='HTTP/1.0' or $_SERVER['SERVER_PROTOCOL']=='HTTP/1.1') ) $proto=$_SERVER['SERVER_PROTOCOL'];
    else $proto='HTTP/1.1';
    // Use $rheader if it is already defined; otherwise a plain Location header.
    if(!isset($rheader)) $rheader='Location:';
    // Same host and path as requested, with the https scheme.
    $link = 'https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    header($proto.' 301 Moved Permanently');
    header("{$rheader}{$link}");
    exit;
}
/* --Forcing SSL redirection */
This code duplicates some lines from index.php, but that's the only detail about it. It has been working here on the miniBB forums for nearly 4 months now, since the date when miniBB switched to https.
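An added example, not part of the original guide or of miniBB's code: the redirect above builds its target from $_SERVER['HTTP_HOST'], which the client supplies, so this variant takes the host from a fixed value and sanitises the requested path. The function name https_redirect_target, the $canonicalHost parameter and the sample requests are assumptions; it also assumes TLS is terminated by the web server itself, as the guide's HTTPS check does.

```php
<?php
/* Added example (not miniBB code): build the HTTPS redirect target from a
   fixed canonical host. Function and parameter names are hypothetical. */

function https_redirect_target(array $server, string $canonicalHost): ?string
{
    // Same HTTPS detection as in the guide's "initial step". Behind a
    // TLS-terminating proxy neither value is set, and this check would loop.
    $secure = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443);
    if ($secure) {
        return null; // already on https, nothing to do
    }

    // Keep the requested path only if it is a plain local path: it must
    // start with '/' (not an absolute URI) and hold no control characters.
    $uri = isset($server['REQUEST_URI']) ? (string)$server['REQUEST_URI'] : '/';
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\x00-\x1f\x7f]/', $uri)) {
        $uri = '/';
    }

    // HTTP_HOST is sent by the client, so it is not used for the target.
    return 'https://' . $canonicalHost . $uri;
}

// Constructed sample requests.
$samples = [
    'plain http'    => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'www.example.com',
                        'REQUEST_URI' => '/forum/index.php?action=vthread&topic=1'],
    'forged host'   => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'other.example.net',
                        'REQUEST_URI' => '/forum/'],
    'already https' => ['SERVER_PORT' => '443', 'HTTPS' => 'on',
                        'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/forum/'],
];

foreach ($samples as $label => $server) {
    $target = https_redirect_target($server, 'www.example.com');
    echo str_pad($label, 14), ' => ', $target === null ? '(no redirect)' : $target, "\n";
}

// In setup_options.php the result would be used like this:
//   if ($target !== null) { header('Location: ' . $target, true, 301); exit; }
```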
3. UPDATE DATABASE
The next step is not necessary for new forums started from scratch; however, if you run an existing forum over 'http' and have now switched to 'https', it is.
Open your database tool, phpMyAdmin or anything else from which you can execute SQL commands.
The command below (substitute your own table name and domain!) shows whether some records in your forum database still contain the older regular URL:
select count(*) from minibbtable_posts where post_text like '%http://www.minibb.com%';
If the result shows 0 records, you probably don't have to do anything else below, supposing you have no references to your URL in forum posts.
Otherwise, by executing the command below you'll update your older domain to the new one (substitute your own table name and domain!); this will also replace regular URLs in <IMG> tags:
update minibbtable_posts set post_text=replace(post_text, 'http://www.minibb.com', 'https://www.minibb.com') where post_text like '%http://www.minibb.com%';
Note that the command above searches for and replaces a strictly lowercase string. You must check for different letter case variations to replace everything (for example, here on the miniBB forums I've also replaced a string like 'http://www.miniBB.com').
4. TAKE CARE OF EMBEDDED CONTENT
A big headache with an SSL-based domain for a miniBB forum is that by default it is allowed to embed 3rd party content from external websites, such as pictures. In a post, they can be referenced by an [img] or [imgs] BB code. If such pictures are referenced from a regular non-secured domain, the topic where they appear would contain so-called 'mixed' content, and the browser would display an exclamation sign indicating you are loading insecure content on a secured domain, like this:
Or there could be no exclamation sign at all, and the browser will load such a "mixed content" page in insecure mode, ignoring SSL.
There's a work-around for eliminating this issue: disable embedding 3rd party images from insecure domains. For this, modify bb_codes.php and look up the [imgs] or [img] tag codes. In these codes, replace http[s]* with just https; this will force external images to be embedded from secured URLs only.
I have coded a little script which shows all posts containing embedded images that refer to insecure http URLs. You could easily navigate to such messages and manually edit them, updating the tags with secure links.
Download it from here.
Copy msg.php from the Advanced Anchors add-on to your forum, if you haven't done so before. The add-on is tied to this script.
All options are located inside this script, and you should probably skip modifying them, as the defaults work for most configurations. Pay attention: the script could skip checking messages in closed forums, which are hidden from the public. For this, set up the following:
$checkClosedForums=TRUE;
My personal recommendation is to keep all external images either referenced via 'https' or stored locally (preferred). Storing on a local server means you never lose important content (but you already know that nothing lives forever on the internet), and it's always compatible with your current security mode. If a referenced picture is closely tied to the content, always avoid keeping it on a 3rd party server and move it to your local storage. We use the File Bank add-on for this purpose.
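To find what the case-sensitive replace() in step 3 missed and which third-party images still cause mixed content, the following added example (not the author's downloadable script and not miniBB code) lists <img> sources that still use http://. It assumes stored posts contain HTML <img> tags, as the SQL note in step 3 implies; the function name, host and sample posts are constructed.

```php
<?php
/* Added example (not miniBB code): list <img> sources in stored post HTML
   that still use http://, split into own-domain and third-party URLs.
   Function name, host and sample posts are constructed for illustration. */

function insecure_image_sources(string $postHtml, string $ownHost): array
{
    $found = ['own' => [], 'third_party' => []];

    // src="http://..." or src='http://...' inside an <img> tag, any letter case.
    $pattern = '/<img\b[^>]*?\bsrc\s*=\s*(["\'])(http:\/\/[^"\']+)\1/i';
    if (!preg_match_all($pattern, $postHtml, $m)) {
        return $found;
    }

    foreach ($m[2] as $url) {
        // Host names are case-insensitive, so compare in lower case; this
        // catches variants that a case-sensitive SQL replace() would skip.
        $host = strtolower((string)parse_url($url, PHP_URL_HOST));
        $key  = ($host === strtolower($ownHost)) ? 'own' : 'third_party';
        $found[$key][] = $url;
    }
    return $found;
}

// Constructed sample posts, keyed by a made-up post id.
$posts = [
    101 => 'Logo: <img src="https://www.example.com/img/logo.png" alt="">',
    102 => 'Old link: <IMG SRC="http://www.Example.com/img/old.png" alt="">',
    103 => 'Hotlink: <img alt="" src=\'http://images.example.net/cat.jpg\'>',
];

foreach ($posts as $id => $html) {
    $result = insecure_image_sources($html, 'www.example.com');
    foreach ($result as $kind => $urls) {
        foreach ($urls as $url) {
            echo "post $id [$kind] $url\n";
        }
    }
}
```

Entries reported as own can be fixed with another replace() run for that letter-case variant; third_party entries need a manual edit or a local copy of the image.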
5. GIVE YOUR COMMENTS OR QUESTIONS
This thread is open to everyone, including guests, for questions or comments on this subject. Correct me if I'm wrong, or give a candy below. Thanks for your attention :)