We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

Get started
Google+

Oxwall lockdown for SSL - HTTPS | Forum

Topic location: Forum home » Support » General Questions
Mark
Mark Feb 2 '14

Hello everyone I have been working on locking down Oxwall for SSL - HTTPS and I wanted to share some findings with anyone who may wish to run Oxwall on SSL and also at the same time I have some questions to pose for answers or suggestions.


So let's start off with some SSL errors I ran into and how they got resolved:


SSL errors stemming from YouTube thumbnails. Errors occurring in the newsfeed as well as on the left side block for videos.


The Fix Part 1:

In ow_plugins/video/classes/video_providers.php simply change the following code so that the http is instead https...


private function init()
    {
        if ( !isset(self::$provArr) )
        {
            self::$provArr = array(
                self::PROVIDER_YOUTUBE => 'https://www.youtube(-nocookie)?.com/',

class VideoProviderYoutube
{
    const clipUidPattern = 'https:\/\/www\.youtube(-nocookie)?\.com\/(v|embed)\/([^?&"]+)[?&"]';
    const thumbUrlPattern = 'https://img.youtube.com/vi/()/default.jpg';


The Fix Part 2: The above code change will not correct any videos that have already been added and only fixes future video uploads. In order to go back and fix previous videos go to the database and look for ow_newsfeed_action and look also for ow_video_clip. In these two areas you will have to sift the database and modify any http image src calls to be https instead.


Now SSL errors stemming from Facebook Connect: The FB connect was creating an SSL error like this:
'http://connect.facebook.net/en_US/all.js': this content should also be loaded over HTTPS. This was also causing the Facebook connect to fail and not work when clicked in the full site and also fail in the mobile site.


The Fix Part 1:

In /ow_plugins/fbconnect/controllers/connect.php make the code change shown below by merely changing the http to https:


public function xdReceiver()
    {
        $cache_expire = 60*60*24*365;
        header("Pragma: public");
        header("Cache-Control: maxage=".$cache_expire);
        header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$cache_expire) . ' GMT');

        echo '<script src="https://connect.facebook.net/en_US/all.js"></script>';

        exit();
    }


The Fix Part 2:

In community/ow_plugins/fbconnect/bol/service.php make the code change shown below by merely changing the http to https:


public function initializeJs($scope = null, $shareData = null )
    {
        if ($this->jsInitialized)
        {
            return;
        }
        $document = OW::getDocument();

        $document->addScript(OW::getPluginManager()->getPlugin('fbconnect')->getStaticJsUrl() . 'fb.js');

        $loginParams = array(
            'scope' => $this->scope
        );

        $fbLibUrl = 'https://connect.facebook.net/en_US/all.js';

        $uri = OW::getRequest()->getRequestUri();


After these changes the SSL error is gone and the button works great in the full site and the mobile site. If anything is amiss here or done wrong I would appreciate any suggestions or input.


Now there are still SSL problems in Oxwall that I have not fixed yet and I hope to get some help resolving these issues.


Problem 1: When a user adds a URL link to a post Oxwall goes to that site and grabs an image which it embeds in the post. Problem is the image URL is back to that site and when that site is not HTTPS then an SSL error ensues. What we need is for Oxwall to go and grab that image and add it into the Oxwall forum and then embed it internally under an HTTPS call. This way users can add links to no SSL sites and yet the post can display an image and still be SSL instead of hotlinking the image to an insecure site.


Problem 2: The Owall Admin page makes us of an Iframe that also has 4 insecure images as well the entire iframe link is insecure hotlinking back to http source. The 4 insecured images are: facebook_icon.png, ox-donate-btn.pong, rss_icon.png and twitter_icon.png. The insecure iframe hotlink for this block is: http://static.oxwall.org/spotlight/?platform=oxwall&platform-version=1.6.0&platform-build=7157 I am attaching an image of the block as well.


So, that's about it I have managed to fix a few things and some additional problems remain. Is it crazy to think that one day Oxwall is capable to install and run sweet on HTTP or HTTPS? I think it will happen for sure we just have to work together and implement a few changes.


Cheers to all and happy HTTPS-ing!




Attachments:
  oxwall_ssl_admin.jpg (45.87Kb)
#1
tammy harris
tammy harris Mar 6 '14
wow cool i was have same problem and could not find any answers 

in few days i will try this after i get other problems fixed


#2
ross Team
ross Mar 6 '14
Tammy, please let us know the results of applying those 'fixes'
#3
tammy harris
tammy harris Mar 8 '14
ross they are just the start  there is  lots more and i just found an easy way to find out whats actually wrong and the first intersecting point is for some reason the site logo from admin does not show up under https but lots of the other images on site do 
my logo image shows no https
http://www.yoursite.com/...es/theme_image_9.gif
photos from photo plugin in newsfeeds show no https but in photo page https show up 
even photos upload in newsfeed show up no https
http://www.yoursite.com/...ments/attach_316.jpg
these problems are in oxwall script and should be fixed by oxwall
there are heaps of other but they are plugin related and i will talk with developer about fixing them and give them all info on what and where needs fixing because im not going through plugins fixing stuff only to have update and lose everything 




heres a test to test your site for stuff thats not running on https on your site
http://www.whynopadlock.com/

also go to firefox right click and select page info then media icon 

now scroll down the list look for the stuff not being server with https sands out  with just http 

i will try get time next week to look into in more 

adds plugin banner rotatory thing seams like will be a problem not many banners from other site come over https

the only way i can see around that is make a blank page stile out everything and put adds code in then iframe that to general html
adds in side bar be a bit more tricky but i dont use it in side bar
#4
tammy harris
tammy harris Mar 8 '14
i just relised after i click send that iframe not work because banners still come from http
the add plugin will need lots rewrite and have to capture the banner from url or simple user copys the banner and has to upload it to the plugin so is being server by https

#5
ross Team
ross Mar 9 '14
I'm sorry but we do not provide instructions how to configure your website to work under https. You need to get that info from the place where you get that certificate or find a specialist. 
#6
tammy harris
tammy harris Mar 9 '14
ross most is easy to fix and i have done it and got it most working
logo was just have to reload it and make shore in png format anything else breaks it
i am left with 2 problem one is music extream is calling external images that are not https

i am talking to the developer about them and how they should be called locally

and same problem in younett social login calls external images  
no answer as yet from them 

i have few moer things to sort out then will try the vidoe mod 
 
The Forum post is edited by tammy harris Mar 9 '14
#7
Rob R
Rob R Sep 7 '14
Thanks so much for this Mark.  I'm just trying to use an inviter plugin under Facebook's new SSL api requirement.  Does my domain have to be 100% clean of errors for a plugin like this to work?

As an aside, I'm seeing errors to theme images in /ow_userfiles/themes/, errors in photo previews and avatars in addition to the youtube thumbnails you mentioned.

I'm using this service to pinpoint the errors:  http://www.whynopadlock.com/index.html
The Forum post is edited by Rob R Sep 7 '14
#8
Rob R
Rob R Sep 9 '14
Hmm just started going through the video_providers.php file and there are a lot more providers now.  Would it be safe to simply do a find/replace of HTTPS for HTTP?

For example:

    private function init()
    {
        if ( !isset(self::$provArr) )
        {
            self::$provArr = array(
                self::PROVIDER_YOUTUBE => '//www.youtube(-nocookie)?.com/',
                self::PROVIDER_GOOGLEVIDEO => 'http://video.google.com/',
                self::PROVIDER_METACAFE => 'http://www.metacafe.com/',
                self::PROVIDER_DAILYMOTION => 'http://www.dailymotion.com/',
                self::PROVIDER_PORNHUB => 'http://www.pornhub.com/',
                self::PROVIDER_MYSPACE => 'http://mediaservices.myspace.com/',
                self::PROVIDER_VIMEO => '(player\.)?vimeo.com/',
                self::PROVIDER_BLIPTV => 'http://blip.tv/',
                self::PROVIDER_GUBA => 'http://www.guba.com/',
                self::PROVIDER_BIGTUBE => 'http://www.bigtube.com/',
                self::PROVIDER_TNAFLIX => 'http://www.tnaflix.com/',
                self::PROVIDER_XHAMSTER => 'http://xhamster.com/'
            );
        }
    }
The Forum post is edited by Rob R Sep 9 '14
#9
TimoViBritannia
TimoViBritannia Sep 9 '14
hello, the fix for the video and fbconnect is not working for my website. Could you please help me.
#10
Rob R
Rob R Sep 9 '14
Timo, did you try and replace ALL http in the video providers php file?
#11
TimoViBritannia
TimoViBritannia Sep 9 '14
yes i did and for youtube it still makes the and not the
#12
Rob R
Rob R Sep 9 '14
I think the OP mentioned that the changes only affect new video posts.  All the old video posts are coded with HTTP.  For that you need to go through your database tables and edit them individually - more details in the OP's post above.
#13
TimoViBritannia
TimoViBritannia Sep 9 '14
yes but even when I post a video http://www.youtube.com/...... it doesn't work.
#14
tammy harris
tammy harris Sep 9 '14
I think you will have to check the site actually has https 

If the site you get the video does not have a ssl then the video won't work 

#15
tammy harris
tammy harris Sep 9 '14
Try put both rules in one for http  not one for https
#16
TimoViBritannia
TimoViBritannia Sep 9 '14
sry but I can't follow you what do you mean with "Try put both rules in one for http  not one for https"
#17
TimoViBritannia
TimoViBritannia Sep 9 '14
What exactly do you mean with both rules?
#18
Unus
Unus Feb 26 '16
are all these https problems not resolved yet?

from my point of view, not been able to easily switch to https (and run oxwall on https without so many problems) it's a major issue; rolling with http only it means everyone sends their passwords when they login in clear text over the wire.


I know about the ssl errors a site gets when is linking to non-ssl resources; that's why NY Times is not yet over https, however there are easi solutions for oxwall to fix all these cases (e.g. do not fetch non-ssl resources, just ignore them, I rather live with this than with an ugly error).


The Forum post is edited by Unus Feb 26 '16
#19
falancas
falancas Jul 8 '17
Has not this problem been resolved?


I am trying to solve the same problem!
#20
Start | Demo | About | Policies & Licenses | Blog | Contact Us | Oxwall Foundation | Roadmap | Developer Central | Oxwall hosting | Contribute | Partners | Donation | Community software | Dating software
© Copyright Oxwall Software
Oxwall Community Software