HTTPS

This forum is for ideas for the layout of the site and forums, both appearance and content.
ConnorJC
Goon
Joined: November 15, 2016
Location: US East Coast

Post #0 » Wed Nov 16, 2016 8:07 pm

I just signed up here, and was very surprised when I realized that mafiascum.net isn't served over HTTPS. Therefore, especially in light of the recent breach, I would like to highly recommend at least offering HTTPS. Personally, I would also redirect HTTP requests to HTTPS, but if you still need/want to offer the site over HTTP that's great too.

HTTPS probably didn't make much sense years ago when this site was founded because of cost constraints, but nowadays reliable HTTPS is free, easy, and can be automated. I can send the relevant setup instructions if the admins need any guidance.

Kison
.GIFted
Joined: January 22, 2007
Location: Silver Spring, MD

Post #1 » Wed Nov 16, 2016 10:17 pm

Thanks, will take a look at that. Have not seen that before.
Let's Make MS Great Again.

ConnorJC
Goon
Joined: November 15, 2016
Location: US East Coast

Post #2 » Thu Nov 17, 2016 1:28 pm

Didn't have time to write a detailed post at the time of writing, but I might as well now. I've already gone through HTTPS deployment, and made all the stupid mistakes, so I'll share my experience to help you guys.

The official Let's Encrypt client is developed by the EFF, and called Certbot. Their website has install instructions for a large variety of servers and operating systems. While not required, I'd recommend creating a config file with the options you need, similar to:

/etc/letsencrypt/cli.ini:
# 2048 or 4096 are both good
rsa-key-size = 2048
# Email that will get notifications (Mostly expiration warnings)
email = admin@mafiascum.net
# Use apache to prove control of the domain
authenticator = apache


Personally, I'd recommend running Certbot in certonly mode, instead of the automatic certificate install, which allows for better control. In general, most people generate a certificate for domain.com and www.domain.com, and then one for each subdomain.

Get Certificates:
# Format:
# letsencrypt certonly -d domain.com -d www.domain.com
# Note: The binary may be called something else, like certbot or letsencrypt-auto, depending on the OS

letsencrypt certonly -d mafiascum.net -d www.mafiascum.net
letsencrypt certonly -d wiki.mafiascum.net


Mozilla has a useful config generator for HTTPS site config here. In my experience, unless you expect really old clients (like XP era), modern is a good setup. The commands to generate the certificates should've output where they are.

Now, at this point, you have a choice of whether or not to enable HSTS (HTTP Strict Transport Security). Basically, HSTS tells browsers to always use HTTPS to connect to the website, to prevent downgrade attacks.

Once you're done, I'd recommend using Qualys SSL Tester to check your setup.

Finally, automating renewal is fairly easy. First, check that renewal will work.
letsencrypt renew --dry-run --agree-tos

Then, add this to a cron or systemd job. It's recommended you run it once or twice a day (If the certificate doesn't need to be renewed nothing will happen).
letsencrypt renew


Hopefully something here helped :].
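Once the redirect and HSTS from the post above are in place, it helps to verify them from the command line as well as with the Qualys tester. The script below is an added example, not from the thread: it checks a plain-HTTP response for a redirect to https:// and an HTTPS response for an HSTS header with a max-age of at least one year plus includeSubDomains. The sample responses are constructed; the hostname and the `check_site` wrapper (which assumes curl is installed) are illustrative.

```shell
#!/bin/sh
# Added example: post-deployment checks for HTTP->HTTPS redirect and HSTS policy.
# Uses only POSIX sh, grep, sed and tr; curl is needed only for check_site.

# Constructed sample responses (what a correctly configured server should send).
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: https://www.mafiascum.net/
Content-Length: 0
'
HTTPS_RESPONSE='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
'

# Succeeds if the response is a 301/302/307/308 whose Location is an https:// URL.
http_redirects_to_https() {
    printf '%s\n' "$1" | head -n 1 | grep -q 'HTTP/1\.[01] 30[1278]' || return 1
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Location: https://' >/dev/null
}

# Prints the HSTS max-age in seconds, or nothing if the header is missing.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' \
      | grep -i '^Strict-Transport-Security:' \
      | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds if HSTS is present, max-age is at least one year (31536000 s, the
# minimum hstspreload.org accepts) and includeSubDomains is set.
hsts_policy_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] || return 1
    [ "$age" -ge 31536000 ] || return 1
    printf '%s\n' "$1" | tr -d '\r' \
      | grep -i '^Strict-Transport-Security:' | grep -iq 'includeSubDomains'
}

# Live use against a real host (assumes curl): check_site www.example.com
check_site() {
    http_redirects_to_https "$(curl -sI "http://$1/")" \
      && echo "HTTP -> HTTPS redirect: ok" || echo "HTTP -> HTTPS redirect: MISSING"
    hsts_policy_ok "$(curl -sI "https://$1/")" \
      && echo "HSTS policy: ok" || echo "HSTS policy: weak or missing"
}
```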

Kison
.GIFted
Joined: January 22, 2007
Location: Silver Spring, MD

Post #3 » Sun Nov 20, 2016 5:21 pm

Thanks, I will play around with this once I get through the backlog of other stuff I have to do. :)
Let's Make MS Great Again.

ConnorJC
Goon
Joined: November 15, 2016
Location: US East Coast

Post #4 » Mon Nov 21, 2016 4:05 pm

Nice. By the way, I've done PHP in the past before, would I be able to help out on the site (especially because I'm just sitting around waiting to get put into my first game right now :))?

Kison
.GIFted
Joined: January 22, 2007
Location: Silver Spring, MD

Post #5 » Mon Nov 21, 2016 4:09 pm

Definitely. I'll send you a PM.
Let's Make MS Great Again.

zakk
Jack of All Trades
Joined: September 01, 2013
Location: Under the sun

Post #6 » Tue Nov 22, 2016 9:44 am

Woot. Welcome CJC!!
"Impressive performance by zakk!" – copper223
"Thumbs up to zakk for carrying us" – Shinobi
"I have to say I'm really impressed with zakk" – Vi
"Slowly falling in love with you" – CuddlyCaucasian

Papa Zito
Normally Badass
Joined: April 05, 2009
Location: Tejas
Pronoun: He

Post #7 » Tue Jan 31, 2017 5:16 pm

bump
Kappa

Age is a very high price to pay for maturity.

ConnorJC
Goon
Joined: November 15, 2016
Location: US East Coast

Post #8 » Tue Feb 14, 2017 9:25 am

HTTPS has been implemented on the site, and is currently forced on the wiki. It will be forced on the forums once we work out all the kinks (Site chat and images are the known ones right now).

I'll see if I can get Kison to do HSTS once we know HTTPS works for sure to safeguard HTTP links.
