SSL : yes or not



  • I do agree that SSL is a great idea and a security best practice. However, unless the information on the forum is sensitive (personally identifying info, PANs, or anything you don't want getting out in the public) using SSL might be overkill. Enabling SSL is free, this is correct. But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expires. The odds of a MiTM (man in the middle) capturing your traffic in transit off any of the routers at the ISP level is extremely low. Usually a MiTM is on one end or the other of the connection (on the server's network or the user's). So again this lowers the risk of not using SSL. So basically unless the user is on a public WiFi or someone has hacked their network, the chances of the traffic being recorded is very low. And again, unless there is sensitive information, if someone were to get it they'd likely delete it. Plus unless you're going to disable SSLv2, SSLv3 and TLSv1.0 as well there is no reason to use SSL.

    I hope this info was helpful.

    Cheers,
    M@V


  • Community Rep

    I'm firmly on the 'not' side.

    Most forums I visit don't have it, and I see no reason for them to have it.

    I'm highly skeptical of any security benefit it provides. And it introduces a third-party to your security strategy, guaranteeing additional security risks.


  • Translator

    @Matthew-Dowling said:

    But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo etc).

    Strongly disagree, Cloudflare and Let's Encrypt both offer valid SSL certificates that will not trigger a warning since these are trusted certificates, and both of those options are free. The field of HTTPS and SSL got so much better over the past years that there are good alternatives that are trusted.


  • Admin

    At present, Let's Encrypt requires that the python dependency be installed, which is a blocker to integration into NodeBB.

    If there were a way to do so via node then we'd adopt it immediately. The only one I did find was a debug version that hadn't been updated in quite some time.

    Theoretically, we could run code to execute the python lib. I will look into it.

    Edit: Oh, while I'm here... I know of exactly zero people running NodeBB with SSL certs handled by NodeBB. It's always through nginx... so I'd be bundling it with NodeBB and then if they wanted to use it with nginx, they'd need to disable the SSL termination via NodeBB and then set it up with nginx anyway, since that's not handled automatically by even the python lib yet.

    Either way, really looking forward to it, but not quite there for us yet 🙂



  • @julian said:

    Edit: Oh, while I'm here... I know of exactly zero people running NodeBB with SSL certs handled by NodeBB. It's always through nginx...

    This is how I see it. Most people should be running it behind a proxy of some kind.


  • GNU/Linux

    Ok, thanks to all.
    I use nginx and Ubuntu 14.04 LTS, so is there any guide to install it?



  • @Matthew-Dowling said:

    But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expires.

    Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.


  • GNU/Linux

    @a_5mith said:

    @Matthew-Dowling said:

    But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expires.

    Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.

    Can you help me to install it? Or explain it to me, thanks 🙂
    I have read this: https://letsencrypt.org/howitworks/ but I'm using nginx and Ubuntu 14.04



  • More or less this guide: http://huytd.github.io/2015/12/16/setup-free-ssl-with-lets-encrypt/index.html

    A few notes:
    I had to stop Nginx or it errors out with "already in use" and won't create the live folder.
    You might get permission denied errors when trying to navigate to the live folder. Just run as root.
    Then search this forum for the SSL code and replace as needed. Can send mine if needed. Then just make sure everything you link to uses https://


  • GNU/Linux

    @a_5mith said:

    @Matthew-Dowling said:

    But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expires.

    Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.

    Is it free for life or for 90 days? Thanks



  • @djcyry Life


  • GNU/Linux

    @a_5mith said:

    @djcyry Life

    Can you please show me your code?
    I have installed it but:

    http://www.hercio.net/ - works ok.
    https://www.hercio.net/ - default nginx page.




  • GNU/Linux

    @a_5mith said:

    Use https://community.nodebb.org/topic/7183/which-file-to-edit-when-getting-rid-of-the-4567-port-number/5

    Just replace all references of that URL and IP with yours.

    No results..



  • @djcyry did you restart nginx?


  • GNU/Linux

    @a_5mith said:

    @djcyry did you restart nginx?

    Sure.
    I have installed the SSL, everything ok.
    But it is not redirected, and if it does, it is redirecting to the nginx default page (with https).



  • What's your Nginx? Port 80 should redirect. 443 should load your site.

    What's the content of your site in sites-available?


  • GNU/Linux

    @a_5mith said:

    What's your Nginx? Port 80 should redirect. 443 should load your site.

    What's the content of your site in sites-available?

    Without SSL, this:

    server {
        listen 80;
        server_name www.hercio.net;

        #charset koi8-r;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Nginx-Proxy true;
            proxy_pass http://62.75.159.105:4567;
            proxy_redirect off;

            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    server {
        listen 80;
        server_name www.nodebb.es;

        #charset koi8-r;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Nginx-Proxy true;
            proxy_pass http://62.75.159.105:4568;
            proxy_redirect off;

            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    server {
        listen 80;
        server_name hercio.net;

        return 301 http://www.hercio.net$request_uri;
    }

    server {
        listen 80;
        server_name www.hercio.net;

        return 301 http://www.hercio.net$request_uri;
    }

    server {
        listen 80;
        server_name nodebb.es;

        return 301 http://www.nodebb.es$request_uri;
    }

    server {
        listen 80;
        server_name www.nodebb.es;

        return 301 http://www.nodebb.es$request_uri;
    }



  • Here's mine. Compare:

    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name 35hz.co.uk;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/35hz.co.uk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/35hz.co.uk/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://188.226.239.27:4567;
            proxy_redirect off;

            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
    server {
        client_max_body_size 40M;
        listen 80;
        server_name 35hz.co.uk;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }


  • GNU/Linux

    @a_5mith said:

    Here's mine. Compare:

    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name 35hz.co.uk;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/35hz.co.uk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/35hz.co.uk/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://188.226.239.27:4567;
            proxy_redirect off;

            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
    server {
        client_max_body_size 40M;
        listen 80;
        server_name 35hz.co.uk;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }


    Thanks @a_5mith.
    Look at this:

    https://hercio.net/ - ssl works without www.
    https://www.hercio.net/ - ssl works with www.

    https://nodebb.es/ - ssl works without www.
    https://www.nodebb.es/ - ssl does not work with www.

    Both forums are hosted on the same server, same configuration, etc... any idea?
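The symptom in the last post (HTTPS working for one hostname but not for its www variant on the same server) usually has one of two causes: no `listen 443` server block whose `server_name` matches that host, so nginx serves its default site, or a certificate whose Subject Alternative Name list does not include that host. This added example, which is not code from the thread or from NodeBB, checks the second cause: it connects with SNI set to each hostname, pulls the DNS names from the served certificate, and reports which hostnames the certificate does not cover. The hostnames and SAN lists in the comments and test are constructed for illustration.

```python
"""Report which hostnames a server's TLS certificate does not cover (added example)."""
import socket
import ssl


def san_covers(hostname: str, san_dns_names: list) -> bool:
    """RFC 6125-style match: exact name, or '*.' covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                      # "*.example.org" -> ".example.org"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:       # one label only, no empty label
                return True
    return False


def uncovered_hosts(hostnames: list, san_dns_names: list) -> list:
    """Hostnames that would fail certificate name validation against this SAN list."""
    return [h for h in hostnames if not san_covers(h, san_dns_names)]


def fetch_san_dns_names(hostname: str, port: int = 443) -> list:
    """Handshake with SNI=hostname and return the DNS entries of the served cert's SAN.

    The chain is still verified against the system trust store (CERT_REQUIRED);
    only the hostname check is disabled so a mismatched cert can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys
    # Default list uses the hostnames from the thread; pass others on the command line.
    for host in sys.argv[1:] or ["nodebb.es", "www.nodebb.es"]:
        try:
            names = fetch_san_dns_names(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: TLS handshake failed: {exc}")
            continue
        status = "covered" if san_covers(host, names) else "NOT covered"
        print(f"{host}: {status} by SAN {names}")
```

If a hostname is reported as not covered, the certificate was issued without that name and must be re-issued with both the bare and www names; if the handshake succeeds and the name is covered, the problem is on the nginx side (a missing or mismatched 443 server block).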

