Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2015-09-09 22:29:14

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

http vs. https

Was just looking at this FAQ for releases 4.0.5:1

Why do all my links point to “https” instead of “http” with IIS?

Answer:

It’s a bug in the auto-detection of whether SSL is used on the connection or not. You can however override the auto-detection code by always forcing the type of protocol (dssl or not) that you prefer. This is done by adding the following line to config.php:

define(‘PROTOCOL’, ‘http://’);

Similarly if you wanted to force textpattern to generate ssl-urls, you could replace http with https in the above line.

What got my attention was the last part, about generating “ssl-urls” by doing this:

define('PROTOCOL', 'https://');

The “https” thing has been on my mind a while now because there seems to be a mass move that direction by the web in general.

So my naive question is, does doing that little line addition in config.php really provide valid “https” protocols, or is that just a superficial fake/lie?

1 I’m not linking to the FAQ, because FAQs are being audited and redirected (i.e., FAQ dismantling).

Offline

#2 2015-09-09 23:02:39

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,448
Website GitHub

Re: http vs. https

Destry wrote #294587:

does doing that little line addition in config.php really provide valid “https” protocols, or is that just a superficial fake/lie?

It does indeed, but does it site wide and affects the cacheability of resources. And of course, it’s down to you to obtain valid certificates.

Some people would like more fine-grained control over that, but I don’t exactly know how to go about it for the best so it’s still on the to-do list (Edit: ahem, hopefully someone else’s list!)

Last edited by Bloke (2015-09-09 23:04:05)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#3 2015-09-09 23:53:22

GugUser
Member
From: Quito (Ecuador)
Registered: 2007-12-16
Posts: 1,473

Re: http vs. https

Although it is a little outside of the theme, here an additional observation: In the visitor logs the referrers with https are listed falsely as http://https://www.google.ch/ and are clickable, but the page can not be found, logically.

Last edited by GugUser (2015-09-09 23:54:35)

Offline

#4 2015-09-09 23:59:07

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: http vs. https

Bloke wrote #294589:

it’s down to you to obtain valid certificates.

I’m still a bit clueless about what’s required and what isn’t, but does this offer anything useful with regard to certificates?

Lets Encrypt

Offline

#5 2015-09-10 05:51:18

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: http vs. https

Hi Destry, the Let’s Encrypt service looks interesting but not yet open I think? For now, if you want an SSL certificate you’ll need to either get one from your registrar (some, like Gandi offer a free 1 year SSL certificate) or buy one.

Then, you need to install the certificate. How that’s done depends on your web server. I use WebFaction and they need to install the certificate for you, but its pretty quick and painless.

Offline

#6 2015-09-10 05:54:33

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: http vs. https

Bloke wrote #294589:

It does indeed, but does it site wide and affects the cacheability of resources. And of course, it’s down to you to obtain valid certificates.

Some people would like more fine-grained control over that, but I don’t exactly know how to go about it for the best so it’s still on the to-do list (Edit: ahem, hopefully someone else’s list!)

Before I thought that having granular control was a good thing – for example a shop site might have a secured page but other parts of the site were non-secure. But now, I think secure for the entire site is a good thing and the direction that the web is heading in.

Offline

#7 2015-09-10 07:42:48

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: http vs. https

StartSSL offers free certificates.

Offline

#8 2015-09-10 08:51:45

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: http vs. https

jstubbs wrote #294615:

Hi Destry, the Let’s Encrypt service looks interesting but not yet open I think?

You’re right. Browser-trusted certificates apparently arriving later this year. Certainly one to watch due to the automated tech they’ve created.

ruud wrote #294619:

StartSSL offers free certificates.

Thanks ruud!

Offline

#9 2015-09-10 08:56:13

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: http vs. https

StartSSL…

No charge, unlimited + 100% free

Whew, good thing it’s no charge and 100% free.

But for the first year only, apparently?

Offline

#10 2015-09-10 09:16:07

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,259
GitHub

Re: http vs. https

GugUser wrote #294590:

Although it is a little outside of the theme, here an additional observation: In the visitor logs the referrers with https are listed falsely as http://https://www.google.ch/ and are clickable, but the page can not be found, logically.

I understand that bug was identified, fixed, and committed – but it didn’t make it into the 4.5 branch before 4.5.7.

I’ll check for it – back shortly.

I found it – r4681 – it was added to 4.x branch. It was fine-tuned by r5075 and both commits appear to have made it GitHub intact.

Last edited by gaekwad (2015-09-10 09:24:47)

Offline

#11 2015-09-10 09:29:58

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: http vs. https

Destry wrote #294625:

StartSSL…
Whew, good thing it’s no charge and 100% free.
But for the first year only, apparently?

No. You have to get a new one each year, but it’s free. I’ve used them for several years now. Besides, next year “LetsEncrypt” should be operational and perhaps that will simplify matters.

Offline

#12 2015-09-10 09:43:37

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,259
GitHub

Re: http vs. https

Also, speaking of SSL more generally, standard certificates are really not that expensive in the grand scheme of things. Gandi do a free cert for the first year with a new registration, and then it’s 12EUR a year (1EUR a month, under 0.04EUR a day, etc) if you want to carry on. About 30EUR for three years if you buy upfront.

Offline

Board footer

Powered by FluxBB