@julian pfff, vestacp support is soooo bad... Instead I will create a snapshot of my droplet and then try to install the wstunnel module; if anything breaks I can revert back 🙂
I will message back if it works or not.
I see that this forum's login page is using http, so passwords are going over the wire in plain text...
Can you host this on https (and use a security cert) and do 301 redirects for http so passwords are transmitted in a secure fashion?
I'd hazard to guess that more than a few people who use this forum re-use passwords......
Don't forget to enable HTTP Strict Transport Security (HSTS) if SSL is enabled for this site!
Personally, I used SSO with Twitter to avoid sending my password in clear-text. Might be a good way to avoid sending passwords over the Internet in general.
I don't disagree... I use SSO as well, but not everyone does...
Sure -- we'll get around to implementing HTTPS at some point. It's already compatible (especially since you don't have to actually do anything if nginx handles the SSL handshaking/negotiation).
Just need to buy the certificate, really
Haha @julian promises not to eat lunch until wednesday, and we'll get that cert.
@psychobunny Can't you just self-sign one until you can buy one?
Bad idea. Users will just be getting a security warning about an untrusted or invalid site certificate that will scare them away.
Comodo has a free, 90-day trial of their SSL cert. See promo here.
Ah, I may as well just buy one. Honestly there's no excuse anymore, SSLs.com has 'em for $5...
So you just have to pass a spoon of caviar next lunch
Or you could use StartSSL only for community.nodebb.org, but not sure if that would fall under their "no-commercial" policy.