All pages using SSL: Why?
NFG #1
Member since Sep 2006 · 120 posts
Group memberships: Members
Subject: All pages using SSL: Why?
I recently installed UNB on a new site and all the pages after the main forum page are using HTTPS.  I can't find anywhere I've set it up to use secure connections, and I don't really want to keep using them.  I can't find anywhere in the setup to enable such a feature... 

How do I turn it off?
Yves (Administrator) #2
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
UNB keeps the current HTTPS status. If one page is requested via SSL, all following will do so, too. If you just drop the "s" from the URL for one page, all other links should be non-SSL, too. Right?
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
NFG #3
Member since Sep 2006 · 120 posts
Group memberships: Members
No, and this is the mystery.  ALL links are https, even if the original link is not.  For example the site splashpage is insecure, click through to the forum and it's insecure, but ALL links are secure from that point. 

If I select any page on the forum and make it insecure, all links from that page are still to secure pages.

Please check it out yourself:  [Link removed upon request]
This post was edited on 2007-10-01, 14:21 by Yves.
Yves (Administrator) #4
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Okay, I see. Can you please check what value the PHP variable $_SERVER['HTTPS'] has on your server? You can try an empty text file named something.php with only this content:

<?php echo $_SERVER['HTTPS']; ?>

If it's not empty when not using SSL, then your server is the first one that shows this behaviour. It should be "on" if using SSL and empty if not.
NFG #5
Member since Sep 2006 · 120 posts
Group memberships: Members
I ran a PHP info check when I was looking into this, and the HTTPS value was:

_SERVER["HTTPS"]    off

It's not empty, obviously, and it's not ON either.
   
Now I run this in a fairly unique environment I think - using Aprelium's Abyss webserver on a Windows machine.  SSL support is a new feature for this server and it's possible something's not quite right.  I talk to the authors of the system frequently and if you could describe the way UNB checks the HTTPS status, maybe they can determine how it's broken, or maybe how the check is failing.
Yves (Administrator) #6
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Well, UNB simply checks whether this variable's value is "not false". So any non-empty string (other than "0") will do to trigger SSL. From what I've often seen on Apache servers, this variable is "on" if SSL is used and it's empty or unset if SSL is not used. I could change the way UNB checks this, but if those guys are going to change their server more towards Apache's behaviour, that would be fine for me, too.
NFG #7
Member since Sep 2006 · 120 posts
Group memberships: Members
I asked Moez of Aprelium about this, and here is his response:

When choosing how to fill that variable, we decided to find a compromise between IIS and Apache.

In the current Apache implementation, when mod_ssl is enabled, variable HTTPS is exported and is set to "on".

When mod_ssl is disabled, no such variable is exported.

In IIS, the variable is always exported, and it is set to "on" if the site is on https://, "off" otherwise (http://msdn2.microsoft.com/en-us/library/ms524602.aspx ).

So Abyss Web Server followed IIS' way of doing things which is compatible with Apache's provided that the script checks for $_SERVER['HTTPS'] == "on". Actually Apache documentation states that HTTPS is set to "on" when there is HTTPS but does not say anything regarding the case when the site is on http:// only. So it is wiser to check for what is documented ( $_SERVER['HTTPS'] == "on" ) and not rely on an undocumented feature ( isset($_SERVER['HTTPS']) ). Even in mod_ssl's examples, checking if a server is on http:// is done using:

RewriteCond          %{HTTPS} !=on

(found in http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html ).

By the way with its current code, the script (UNB) will also misbehave on IIS which represents a large share of Web servers out there.

So for the sake of broader compatibility with Web servers (IIS and others) and for a strict compliance with Apache documentation, it would be better that the script changes the way it checks for HTTPS.

Since no one else has noticed the problem, I think it's probably safe to wait for the next release if any changes are to be made.  For the time being though, I'd love it if you could tell me where to look to change the SSL check in UNB, as I'd prefer the board not use SSL. 

Thanks Yves.
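
Added example (not part of the original thread and not UNB's code): the two ways of reading $_SERVER['HTTPS'] discussed in posts #6 and #7, run against constructed values for the server behaviours the thread describes. The function names and the host example.org are hypothetical, and the case-insensitive comparison is an assumption of this sketch.

```php
<?php
// Added illustration; function names are hypothetical, not taken from UNB.

// Check as described in post #6: any value PHP treats as true means SSL.
// "off" is a non-empty string, so it counts as true here.
function is_https_truthy(array $server): bool
{
    return !empty($server['HTTPS']);
}

// Check recommended in post #7: only the documented value "on" means SSL.
// Accepting "On"/"ON" as well is an assumption of this sketch.
function is_https_strict(array $server): bool
{
    return isset($server['HTTPS'])
        && strcasecmp((string) $server['HTTPS'], 'on') === 0;
}

// Build a link the way a board would, keeping the detected scheme.
function forum_link(bool $https, string $path): string
{
    return ($https ? 'https' : 'http') . '://example.org' . $path;
}

// Constructed $_SERVER samples for the behaviours described in the thread.
$samples = [
    'Apache, http (variable not exported)' => [],
    'Apache + mod_ssl, https'              => ['HTTPS' => 'on'],
    'IIS / Abyss, http'                    => ['HTTPS' => 'off'],
    'IIS / Abyss, https'                   => ['HTTPS' => 'on'],
];

foreach ($samples as $label => $server) {
    printf(
        "%-38s truthy: %-28s strict: %s\n",
        $label,
        forum_link(is_https_truthy($server), '/forum.php'),
        forum_link(is_https_strict($server), '/forum.php')
    );
}
```

The two checks differ only on the "IIS / Abyss, http" row, which is the situation reported in post #5: the truthiness test produces https links for a plain http request, while the comparison against "on" keeps them on http.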
Yves (Administrator) #8
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Their explanation sounds reasonable. I wasn't aware of how IIS handles it. So I'll change all checks against the value "on" now.
NFG #9
Member since Sep 2006 · 120 posts
Group memberships: Members
Imagine my surprise when, a few short minutes later, I see there's a new version of UNB out.  Fast work, Yves, thanks very much.

Do you suppose I could trouble you to remove the link to my site in post #3?  I can't edit it myself...
This board is powered by the Unclassified NewsBoard software, 20110527-dev, © 2003-2011 by Yves Goergen