SSL support
tobyzerner opened this issue · 13 comments
_4 Upvotes_ There needs to be a setting to enable it always, or only on authenticated requests + the login/register routes.
Related to #145.
I would rather see only on authenticated login requests and its login/register pages.
On Jul 7, 2015, at 5:16 AM, "Toby Zerner" notifications@github.com wrote:
> There needs to be a setting to enable it always, or only on authenticated requests + the login/register routes.
> Related to #145.
Two options on settings: Enable it always and Enable only on authenticated requests + the login/register
Only: turn everywhere
Personally, I would only use it for authentication purposes, but it really depends on who wants to use the software. I'm sure a number of people would like all data to be encrypted depending on their usage.
+1 for a "use always" option. Google does not like non-SSL anymore ;)
I am also voting for SSL support. Having a setting to enable it always, or not at all, would be the simpler approach, I think.
While I don't see why SSL support wouldn't be possible currently by enabling it on your server, and then changing the `base_url` and `api_url` config values to have the https protocol, we should make this easier in the form of a UI in the admin CP.
What needs to be done:
- Add a setting to the Basics page, in the form of a Switch component. To keep things simple, I do not think we need to offer the option to enable SSL only for authentication pages at this stage. Just a simple global on/off.
- Flarum should check the config option somewhere (in flarum/core or in flarum/flarum? we need to work this out) and redirect non-https requests to https if it's switched on.
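One way the redirect check described in the list above could be written, as an added example that is not Flarum's code or part of the thread. `force_https` and `trusted_proxies` are hypothetical setting names, and the redirect target is built from the configured `base_url` rather than from the request's Host header.

```php
<?php
// Added example, not Flarum code. 'force_https' and 'trusted_proxies' are
// hypothetical setting names; 'base_url' is the config value named in the thread.

/** True if the client's connection used TLS, as far as this server can tell. */
function requestIsHttps(array $server, array $trustedProxies): bool
{
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // Honour X-Forwarded-Proto only when the direct peer is a known proxy;
    // otherwise any client could send "https" and skip the redirect.
    $peer = $server['REMOTE_ADDR'] ?? '';
    return in_array($peer, $trustedProxies, true)
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

/** Returns the URL to redirect to, or null when no redirect is needed. */
function httpsRedirectTarget(array $server, array $config): ?string
{
    if (empty($config['force_https'])
        || requestIsHttps($server, $config['trusted_proxies'] ?? [])) {
        return null;
    }
    // Build the target from the configured base_url, never from the Host
    // header, so a forged Host cannot steer the redirect to another site.
    $base = rtrim($config['base_url'], '/');
    if (stripos($base, 'https://') !== 0) {
        throw new InvalidArgumentException('base_url must be https when force_https is on');
    }
    // Accept origin-form request targets only; anything else goes to the root.
    $uri = $server['REQUEST_URI'] ?? '/';
    return $base . (($uri !== '' && $uri[0] === '/') ? $uri : '/');
}

// Constructed sample requests; 203.0.113.10 stands in for a trusted proxy.
$config = ['force_https' => true, 'base_url' => 'https://sitename.com',
           'trusted_proxies' => ['203.0.113.10']];
$samples = [
    ['REMOTE_ADDR' => '198.51.100.7', 'REQUEST_URI' => '/d/1-hello?page=2'],
    ['REMOTE_ADDR' => '198.51.100.7', 'REQUEST_URI' => '/', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    ['REMOTE_ADDR' => '203.0.113.10', 'REQUEST_URI' => '/', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $s) {
    $target = httpsRedirectTarget($s, $config);
    echo $s['REMOTE_ADDR'], ' ', $s['REQUEST_URI'], ' => ', $target ?? 'no redirect', PHP_EOL;
}
```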
Works out of the box for me.
- Set up the site to use SSL / SPDY with Nginx using the following config.

```nginx
# Redirect all plain-HTTP requests to the canonical HTTPS host
server {
    listen 80;
    server_name sitename.com *.sitename.com;
    rewrite ^/(.*)$ https://sitename.com/$1 permanent;
}

server {
    listen 443 ssl spdy;
    server_name sitename.com *.sitename.com;
    root /site/sitename/www;
    index index.php index.html;

    # Send any other hostname to the canonical one
    if ($host != 'sitename.com' ) {
        rewrite ^/(.*)$ https://sitename.com/$1 permanent;
    }

    error_log /site/log/nginx/sitename.err debug;

    ssl on;
    ssl_certificate /site/config/nginx/ssl/generic.crt;
    ssl_certificate_key /site/config/nginx/ssl/generic.key;

    # Front controllers for the forum, the API and the admin panel
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location /api {
        try_files $uri $uri/ /api.php?$query_string;
    }
    location /admin {
        try_files $uri $uri/ /admin.php?$query_string;
    }

    # Block direct web access to the flarum directory
    location /flarum {
        deny all;
        return 404;
    }

    # Hand PHP scripts to the phpfpm upstream
    location ~ \.php$ {
        fastcgi_pass phpfpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
And install... the config.php file seems to pick up the default https site.
Would not recommend SSL for some pages. SPDY support makes it worthwhile to have it on the whole site.
I've used a generic self signed cert in this example as the sites are frontended by Cloudflare.
I hope when developing this you have an image proxy system in mind (as common end users have the habit of hot linking non ssl photos).
+1 @Code-Name-Debian
Hmm I guess we don't really need to do anything here... Just change http -> https in config.php and configure the webserver to redirect. Not Flarum's responsibility.
Image proxy system can probably be a third-party extension.