SSL support and CloudFlare for Lanik.us forums

General forum information, announcements, news, questions and suggestions.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

SSL support and CloudFlare for Lanik.us forums

Post by LanikSJ »

All,

I've enabled SSL support for this forum as well as put it up on CloudFlare (http://www.cloudflare.com). If you have any questions please post them in this thread.

Thank you.
"If it ain't broke don't fix it."
fanboy
EasyList Author
Posts: 12220
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

Could use HSTS instead?
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

If you mean this then I would have to see if my host and/or CloudFlare support it.
"If it ain't broke don't fix it."
fanboy
EasyList Author
Posts: 12220
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

Cloudflare would support it, it'd query it with your host

https://raymii.org/s/tutorials/HTTP_Str ... httpd.html
harol
Site Member
Posts: 13
Joined: Wed Jan 14, 2015 11:01 am

Post by harol »

fanboy wrote:Could use HSTS instead?
Here is what I put in .htaccess myself:

Code:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Later down the track you should also do this https://hstspreload.appspot.com/

Thanks again for enabling HTTPS!
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

harol wrote:

Code:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Thanks, I've added that to my .htaccess (I wish I had access to Apache but it's a hosted account :( ).

I've also added this to my .htaccess:

Code:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

harol wrote:Thanks again for enabling HTTPS!
You're welcome. We're passing usernames and passwords once people sign up and login and it's about time we're doing it through HTTPS, especially this day and age.
"If it ain't broke don't fix it."
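
Added example (not part of any post in this thread, and not the forum's own code): a Python check of what the two .htaccess snippets above are meant to produce, a 301 redirect from plain HTTP and a valid HSTS header over HTTPS, plus the directives the preload list linked above asks for. The host forum.example, the response tuples and the function names are constructed for illustration, and the one-year preload minimum is an assumption taken from the preload list's published requirements.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year; assumed from the preload list's published minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty segments such as a trailing ';'
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen[name] = arg.strip().strip('"')  # max-age may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        raise ValueError("max-age is required and must be a non-negative integer")
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def audit(http_resp, https_resp):
    """Return findings for one host; each response is a (status, headers) pair."""
    findings = []
    status, headers = http_resp
    if status != 301 or not headers.get("Location", "").startswith("https://"):
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    status, headers = https_resp
    raw = headers.get("Strict-Transport-Security")
    if raw is None:
        return findings + ["no HSTS header on the HTTPS response"]
    try:
        policy = parse_hsts(raw)
    except ValueError as exc:
        return findings + ["invalid HSTS header: %s" % exc]
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    checks = (("max-age>=%d" % PRELOAD_MIN_AGE, policy["max_age"] >= PRELOAD_MIN_AGE),
              ("includeSubDomains", policy["include_subdomains"]),
              ("preload", policy["preload"]))
    missing = [label for label, ok in checks if not ok]
    if missing:
        findings.append("not preload-eligible, missing: " + ", ".join(missing))
    return findings

# Constructed responses modelled on the two .htaccess snippets in the thread.
SAMPLE_HTTP = (301, {"Location": "https://forum.example/viewtopic.php"})
SAMPLE_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTP, SAMPLE_HTTPS):
        print(finding)
```

For the header posted in the thread, the only finding is the missing preload directive, which is what a later submission to the preload list would need.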
intense
Contributor
Posts: 10494
Joined: Wed Mar 27, 2013 9:56 am

Post by intense »

now ...this forum is not available anymore from chrome on windows XP

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
fanboy
EasyList Author
Posts: 12220
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

Does it apply to Firefox in xp?
fanboy
EasyList Author
Posts: 12220
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

https://www.cloudflare.com/ssl
Universal SSL uses SNI certificates with ECDSA. SNI & ECDSA certs work with the following modern browsers:

Desktop Browsers

Internet Explorer 7 and later
Firefox 2
Opera 8 with TLS 1.1 enabled
Google Chrome:
Supported on Vista and later by default
OS X 10.5.7 in Chrome Version 5.0.342.0 and later
Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later)
I can see why given security around older operating systems, as well as limitations by Chrome on XP.
intense
Contributor
Posts: 10494
Joined: Wed Mar 27, 2013 9:56 am

Post by intense »

those still with windows XP (still 20% in windows world...) can use only firefox to visit the forum
fanboy
EasyList Author
Posts: 12220
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

Going by stats, XP Web Clients is around 16-5% depending on your measurement http://en.wikipedia.org/wiki/Usage_shar ... ng_systems (and decreasing).
  1. The options could be to disable hsts so it'll allow non-https for older browsers
  2. Ditch the CDN, and just use a cert
  3. Keep the status quo, given the small percentages of XP users. Firefox still an option here
While I'm surprised XP is still running, 14 years of the same OS doesn't seem a good idea given Microsoft isn't supporting it. And come this April Google Chrome won't support XP either.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

intense wrote:now ...this forum is not available anymore from chrome on windows XP

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Sorry I have no love lost for a 14 year old operating system. If this becomes more of an issue besides one person I may change my mind, but not at this time as a workaround is still available.
"If it ain't broke don't fix it."
smed79
Liste AR/FR Author
Posts: 15839
Joined: Sun Jan 17, 2010 4:00 am
Location: EasyList Forum

Post by smed79 »

intense wrote:now ...this forum is not available anymore from chrome on windows XP
on Windows XP, IE & Chrome can not manage ECDSA certificates > try using firefox or firefox portable edition.

source: https://code.google.com/p/chromium/issu ... ?id=431176
•► Read RULES / Use forum Search
••► Don't post clickable links
•••►Upload screenshots at imgbb.com
midas
Senior Member
Posts: 83
Joined: Mon May 07, 2012 6:59 pm

Post by midas »

I ended up here trying to find out why I couldn't access the forum anymore. At first I thought the site was down, until I figured out Chrome was the issue. And now I'm learning that you don't care about users on XP. Thank you, nice to know.
fanboy
EasyList Author
Posts: 12220
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

midas wrote:And now I'm learning that you don't care about users on XP. Thank you, nice to know.
It's not we don't care, XP is an aging OS and the limitation is within Chrome itself. The SSL/CDN upgrade is to benefit 90-95% of the community, over a small minority of users not willing to upgrade their OS.. what needs to give?

Anyways there is always Firefox to get around the issue of Chrome on XP.
arthurtiteica
New Member
Posts: 1
Joined: Mon Apr 13, 2015 7:01 pm

Post by arthurtiteica »

CloudFlare blocks Tor users by default with an unreadable captcha.

This may be disabled on a per CloudFlare account basis.

Please look into it.

And just to get it out because I spent 20 minutes just to get the above message to you:

* lanik.us doesn't have a webmaster@ email address.
* the keycaptcha required when registering doesn't work on Firefox 37 Linux. It may very well be some ublock/other addon interference but I did try disabling all for this site.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

I'll check for Tor settings on CloudFlare.

You're correct I'm not using webmaster@ email. I'm using a different email to keep my mailbox somewhat spam free. PM me and I'll tell you what it is.

Captcha worked for me on Chrome last time I looked.
"If it ain't broke don't fix it."
funkydude
Senior Member
Posts: 71
Joined: Sat Feb 12, 2011 3:46 pm

Post by funkydude »

It's not a Windows XP issue, at least not solely, since I'm not using that. There are definitely connection issues that have nothing to do with the browser. I cannot access the website directly anymore, as I posted in the "bumping" thread, but was completely ignored by lanik.

The proxy I was using last time has now also been blocked and I'm having to use a different proxy to access the website, in the exact same browser.

While I could blame this issue on changing to cloudflare, the fact is this issue started happening AFTER that. So I can only assume a setting has been changed that is overly aggressive.

There is no captcha, the connection just times out.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

Around what time did it start happening?

I haven't made changes to CloudFlare since I've set it up.
"If it ain't broke don't fix it."
funkydude
Senior Member
Posts: 71
Joined: Sat Feb 12, 2011 3:46 pm

Post by funkydude »

Around the end of February/Beginning of March.
funkydude
Senior Member
Posts: 71
Joined: Sat Feb 12, 2011 3:46 pm

Post by funkydude »

It seems to be getting worse by the day, with most proxy sites reporting an "SSL error" when trying to access the website.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

I don't see any proxy settings on CloudFlare. Then again I haven't been using it for long. If someone, other than me, knows about any proxy that would be great if they can share. The only thing I'm seeing is firewall logs sorted by IP so I could see what's going by IP if you can provide to me. Honestly I don't think it's going to do anything beyond confirming there is a problem which we already know. I think this would be something you need to contact CloudFlare about since I have no control what they block or not.

Alternatively I suggest not using a proxy as it's known to cause problems.
"If it ain't broke don't fix it."
funkydude
Senior Member
Posts: 71
Joined: Sat Feb 12, 2011 3:46 pm

Post by funkydude »

I can't not use a proxy, I can no longer access the site directly... I HAVE to use a proxy just to access it, the site is completely broken. It seems there is some form of geo blocking enabled.

Here is an easy way to reproduce it:
https://hide.me/en/proxy
Select Netherlands
type forums.lanik.us
error

Now select USA
type forums.lanik.us
works fine
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

funkydude wrote:https://hide.me/en/proxy
That gives me a 404.
"If it ain't broke don't fix it."
funkydude
Senior Member
Posts: 71
Joined: Sat Feb 12, 2011 3:46 pm

Post by funkydude »

Lanik wrote:
funkydude wrote:https://hide.me/en/proxy
That gives me a 404.
Eh? No it doesn't. It's a top search result.

startpage.com
search lanik forums
select view by ixquick proxy
403 forbidden

goto https://www.proxfree.com/
type forums.lanik.us
error

I don't really understand why this is taking so long for you to investigate. Personally I'd rather you revert the whole thing.
Restricting users to a site like this is outright stupid, this isn't some kind of top security banking website, it's a forum.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

Same problem ... 404.
funkydude wrote:I don't really understand why this is taking so long for you to investigate. Personally I'd rather you revert the whole thing.
That's not going to happen. I'm not going to revert those changes for 1 or even 2 users.
funkydude wrote:Restricting users to a site like this is outright stupid, this isn't some kind of top security banking website, it's a forum.
This is NOT up for debate. It's take it or leave it, simple as that. Unless you're paying my hosting bills this is how it's going to be.
"If it ain't broke don't fix it."
funkydude
Senior Member
Posts: 71
Joined: Sat Feb 12, 2011 3:46 pm

Post by funkydude »

Lanik wrote:Same problem ... 404.
You clearly have proxy websites blocked locally. We're not going to get any further with this until you work that out.
Lanik wrote:That's not going to happen. I'm not going to revert those changes for 1 or even 2 users.
What makes you think this only affects 1 or 2 users? I can't access the website directly, anyone with the same problem would naturally assume the website is down, it just times out. This is clearly a major issue if country specific proxies can't access the website.
Lanik wrote:This is NOT up for debate. Its take it or leave it simple as that. Unless you're paying my hosting bills this is how it's going to be.
That's kind of odd logic there. You're talking about bills in the way someone would reason trying to save money, yet the cloudflare approach is not for those trying to save money...
funkydude
Senior Member
Posts: 71
Joined: Sat Feb 12, 2011 3:46 pm

Post by funkydude »

Am I to assume you don't care enough to fix this?

When attempting to access via startpage proxy:
The page you requested could not be retrieved by the StartPage Proxy, as a "403 Forbidden" message was received.
It is possible that the page is not available to anyone. Alternatively, the page may require the use of a certain browser, or cookies, or a password, for access.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

funkydude wrote:Am I to assume you don't care enough to fix this?
You're right. I don't care to fix a problem one user is having that I can't reproduce.

Obviously if you're posting this you can get to the site.
"If it ain't broke don't fix it."
Locked