https://asuswrt.lostrealm.ca/ access now secured through Let's Encrypt

RMerlin

Asuswrt-Merlin dev
Staff member
Thanks to my hosting provider integrating Let's Encrypt support right in their control panel, the project website is now accessible over SSL/TLS.

I am considering this as "experimental" for now, and if all goes well after a while I will update all links to point back to the https URL. My provider's SNI support was causing a few problems last time I tried it, so let's hope it works better now.

(and no, this does not mean that Let's Encrypt support is being considered for firmware integration. First problem being the client uses Python, which means the whole setup would take more flash space than even the httpd server itself does...)
 
In https://asuswrt.lostrealm.ca/sites/...FylDB5leeId70mIuC1s6brnZ24uJctjQyQil5XgXk.css
 
Hm, not sure how I can work around this, since there's no way for the CSS to know what protocol to use. This seems to be part of the skin's CSS.
 
Hm, not sure how I can work around this, since there's no way for the CSS to know what protocol to use. This seems to be part of the skin's CSS.

Would this help? I'm sure you know a hell of a lot more about webdev than I do but it's the least I can do to help.
 
Hm, not sure how I can work around this, since there's no way for the CSS to know what protocol to use. This seems to be part of the skin's CSS.

I'm pretty sure that you can just change the import URL in the CSS file to be "https" instead of "http".

EDIT: It looks like you can leave the protocol off entirely...

https://www.drupal.org/node/1921294

@import url(//fonts.googleapis.com/...)
 
Yep, either do that or just change http to https.

Doing that would imply forcing every visitor to use https, something I'm not prepared to do just yet.
 
Doing that would imply forcing every visitor to use https, something I'm not prepared to do just yet.

You are only forcing them to use https for fonts.googleapis.com, which they should already be using for Google sites.
 
You are only forcing them to use https for fonts.googleapis.com, which they should already be using for Google sites.

Which would re-create the same issue for anyone accessing the site over http: the mixture of http and https links causes some browsers to complain.

The fix lies in either having that @import URL become protocol-aware, or manually storing those fonts on my server and pointing at them.

There are numerous recommendations regarding this issue with Drupal; I just need to find some time to study them.
 
The browsers complain only when loading http assets for an https page URL. https assets in an http page URL are fine (most YouTube embeds in forums are done using https, for example).
 
The browsers complain only when loading http assets for an https page URL. https assets in an http page URL are fine (most YouTube embeds in forums are done using https, for example).

That's good to know. Hopefully that wouldn't change in the future tho, as they like to make all kinds of odd changes "for the sake of security" :)
 
That's good to know. Hopefully that wouldn't change in the future tho, as they like to make all kinds of odd changes "for the sake of security" :)

Besides, you are already using https for the PayPal donate button. :)
 
Besides, you are already using https for the PayPal donate button. :)

Good point. I forgot that the image itself was remote and not local.
 
I moved the embedded CSS URI to a function call inside the theme template, which will insert the CSS URI with the appropriate protocol.
 
Now it's a nice green padlock. :)

By the way, Let's Encrypt is out of beta.
 
Now it's a nice green padlock. :)

By the way, Let's Encrypt is out of beta.

Yep, and they got new backers as well.

Entrust and Verisign must not be very happy...
 
Thanks for the initial feedback. Unsticking this thread now, will start advertising the https URL in the documentation.

I'm undecided yet if I want to ultimately force all http traffic over https. It's not as if there was anything confidential on that site, so I like leaving the final decision to the end user.
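
The rule worked out in this thread (an http asset referenced from an https page is what browsers complain about, while https and protocol-relative references are fine on both), as an added example that is not part of any post. The hosts site.example and fonts.example, the stylesheet path and the sample CSS are constructed for illustration.

```javascript
'use strict';
// Added example (not from the thread). Hosts and CSS below are constructed.

// Matches @import "x" and any url(x) token, including @import url(x).
const CSS_REF = /@import\s+["']([^"']+)["']|url\(\s*["']?([^"')\s]+)["']?\s*\)/gi;

function extractCssRefs(css) {
  return Array.from(css.matchAll(CSS_REF), (m) => m[1] || m[2]);
}

// Resolve one reference against the stylesheet URL, then judge it against the
// scheme of the page that loaded the stylesheet.
function classifyRef(pageUrl, sheetUrl, ref) {
  const page = new URL(pageUrl);
  const target = new URL(ref, sheetUrl); // "//host/x" inherits sheetUrl's scheme
  let verdict = 'ok';
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    verdict = 'not-network'; // data:, blob: and similar
  } else if (page.protocol === 'https:' && target.protocol === 'http:') {
    verdict = 'mixed-content'; // the case browsers complain about
  }
  return { ref, resolved: target.href, verdict };
}

function auditCss(pageUrl, sheetUrl, css) {
  return extractCssRefs(css).map((ref) => classifyRef(pageUrl, sheetUrl, ref));
}

// Constructed stylesheet: hard-coded http, protocol-relative, hard-coded
// https, and a relative asset served from the site itself.
const SAMPLE_CSS = `
@import url(http://fonts.example/css?family=Sample);
@import url(//fonts.example/css?family=Sample);
@import "https://fonts.example/css?family=Sample";
body { background: url('images/bg.png'); }
`;

// References that would trigger the warning when the site is loaded over `scheme`.
function mixedRefs(scheme) {
  const base = `${scheme}://site.example/`;
  return auditCss(base, `${base}sites/theme.css`, SAMPLE_CSS)
    .filter((r) => r.verdict === 'mixed-content')
    .map((r) => r.ref);
}

for (const scheme of ['http', 'https']) {
  console.log(scheme, 'page, mixed-content refs:', mixedRefs(scheme));
}
```
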
 
