Keith2 / lowendscript-ng


Defaults to ssl = problem with self signed certificates #14

Open koen84 opened 9 years ago

koen84 commented 9 years ago

I was just testdriving, so no ssl.

I notice everything gets linked over SSL, even if I access the home page on standard http. This means my initial page looks like this screenshot. [screenshot: schermafdruk 2014-11-29 05 01 25]

Why? Because the CSS (among other things) is linked over SSL and the browser blocks that because the CA is not valid. (So even with self-signed certificates installed by the script, it's not really as desired.)

Is it possible to turn off SSL (for whatever reason one might have)?

Keith2 commented 9 years ago

Will have to look at this tomorrow, I can see this as well, it's just appeared after the latest changes. Looks ok on some, but not all browsers I've tried.

Keith2 commented 9 years ago

Go to your friendica directory and run php util/config system ssl_policy 2. Do not do this if you are replacing the self signed cert with a signed cert.

koen84 commented 9 years ago

Works like a charm. Will the http versus httpS be an option in the script? (Currently only doing a proof of concept on a local testserver, so no plans on SSL.)

koen84 commented 9 years ago

I might have been too quick. Login + admin still go over SSL, worse, even clicking the "ignore" makes the admin interface lack any layout. (Okay, I can manually change the URL to http and then it looks okay.)

I do get why it wants to do login (and admin) over SSL, even if self signed. Though friendica seems to advocate better no SSL at all than self signed? And it's not helpful that the admin section (over self signed SSL) loses markup.

This issue (chrome + firefox) seems to be that the browser blocks non-SSL elements on SSL pages, in this case: the css files are non-SSL and by default the login + admin section still get called over SSL (even after php util/config system ssl_policy 2).

Frontend: only "compose message" and notifications / request changing category go wrong.
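Both failure modes described in this thread (an http page pulling its CSS over https from a self-signed host, and an https login/admin page pulling CSS over plain http, which browsers block as mixed content) are cross-scheme subresource references. The scanner below is an added example, not code from this issue or from lowendscript-ng; it flags such references in a fetched page's HTML so an admin can check an install before users hit a blank-looking page. The hostnames and HTML samples are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute loads a subresource or submits a form.
URL_ATTRS = {"link": "href", "script": "src", "img": "src",
             "iframe": "src", "form": "action"}


class CrossSchemeScanner(HTMLParser):
    """Collect references whose scheme differs from the page's own scheme."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlparse(page_url).scheme
        self.findings = []  # list of (tag, absolute_url, note)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        ref = dict(attrs).get(attr)
        if not ref:
            return
        # Resolve relative and protocol-relative ("//host/x") references
        # against the page URL, so only explicit cross-scheme links remain.
        target = urljoin(self.page_url, ref)
        scheme = urlparse(target).scheme
        if scheme in ("http", "https") and scheme != self.page_scheme:
            if self.page_scheme == "https":
                note = "blocked by browsers as mixed content"
            else:
                note = "fails silently if the https cert is untrusted"
            self.findings.append((tag, target, note))


def scan(page_url, html):
    """Return the cross-scheme references found in html served at page_url."""
    scanner = CrossSchemeScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed samples mirroring the two situations reported above.
HTTP_HOME = "http://friendica.example.com/"
HTTP_HOME_HTML = ('<link rel="stylesheet" href="https://friendica.example.com/view/style.css">'
                  '<script src="/js/main.js"></script>'
                  '<form action="https://friendica.example.com/login"></form>')
HTTPS_LOGIN = "https://friendica.example.com/login"
HTTPS_LOGIN_HTML = ('<link rel="stylesheet" href="http://friendica.example.com/view/style.css">'
                    '<img src="//friendica.example.com/logo.png">')
```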

Keith2 commented 9 years ago

I don't think you are using the latest version of the script, changing the url to http will still give https, php util/config system ssl_policy 2 no longer needs to be run. Try a new install with an updated script. If self signed remains a problem I'll go for a http version with optional https, using a pre installed signed cert.

koen84 commented 9 years ago

I used the version of the script when you acknowledged the option "all" was put back in. (2 days ago)

I'll try a fresh start with a newly fetched script a next day. Even if SSL is preferred, I think it's great if an issueless completely-non-SSL version exists. It's definitely "starter friendlier" and sometimes it can be the only (practical) option.

koen84 commented 9 years ago

The default install now does force httpS on everything, overcoming the initial problem of going to the non-SSL website. (Indeed without running the command.)

In an attempt to turn off SSL (self signed certificate and accompanying warning) I went to admin > website > policy SSL links : self signed CA ...

This resulted in chrome throwing up for redirect loops.

So it works correctly with SSL. Though running a community site with a self signed CA is probably a bad idea, worse than no SSL. A free startTLS certificate is already in use to secure the login + admin of the website + guest sites. I doubt they'd like me to make two for free. And paying for a wildcard is rather expensive.

I'm not sure how to go from here.

Keith2 commented 9 years ago

I may have to do a rewrite without the self certified cert. You can have at least 2 startssl certs for the same domain, I have 2 for theshi.re, with a different subdomain being used for each one.

koen84 commented 9 years ago

I think it might be useful to have a non-SSL version, but I don't know how much work that is for you. SSL just adds to the complexity for a starting admin.

That's awesome. So I can have a startssl webserver.example.com and friendica.example.com (both would also include example.com but only useful for the first)?

Definitely going to try that if I'll take a friendica community server to production. And since the friendica would be on a different host than the webserver, that makes a lot of sense. (Actually I currently have secure.example.com and I can use it to encrypt wordpress login + admin of several websites on the same server over it.)

Keith2 commented 9 years ago

The script has now been updated. The default is now non-ssl, optionally a pre-installed signed ssl cert can be used.

koen84 commented 9 years ago

Sounds great, will give it a new spin.