Planned forum upgrade & downtime


implodedok

On 2/4/2016 at 7:31 PM, fabio said:

The web server should rewrite http URLs into https. This is apparently done by the forum, but this is not enough and causes some issues, e.g. the meetinglogs dir, but also some links on the forum sometimes behave wrongly.

What are the issues here exactly?  I just accessed & browsed the meetinglogs dir and it all seems to work fine.  If there are problems with some links, please specify what exactly the problems are and with which links.

On 2/5/2016 at 3:40 PM, fabio said:

It will also need a special rule for wildfiregames.com domain, someone should submit it to the EFF! :)

And the web server should also set HTTP Strict Transport Security. It is really simple to set up and together with http->https rewrite the proper thing to do when you want to serve your domain only with https.

We don't want to serve our entire domain with exclusively https currently.  For now it's enabled by default for the forums and for the 0 A.D. website, since those run web applications that handle user logins.  Everything else doesn't force https currently.  This may change in the future, but is not a priority and requires some further testing and evaluation.

On 2/5/2016 at 3:10 PM, niektb said:

I'm getting 400 errors (Bad Request). Refreshing the page resolves it most of the time but it happens fairly often (and it's a tad annoying). It might be related to my logout issues

This is a strange issue.  I haven't experienced this myself, nor do I have problems staying logged in to the forums.  Could this be related to virus scanners, firewall software or browser plugins?


So I've created the rulesets for HTTPS Everywhere. Please let me know if a domain or subdomain which supports HTTPS is missing from them.

As for the HTTPS config in general I'd like to point some things out:

  1. As already mentioned in this thread you could send the HSTS header. This would also give you an A+ at SSLLabs.
    Adding the HSTS header also does not mean you have to serve your entire domain (*.wildfiregames.com and *.play0ad.com e.g.) over HTTPS. This is only the case if you include the "includeSubDomains" option. If you leave this option out the header is only valid for the visited domain.
  2. The links to your releases (releases.wildfiregames.com) are still HTTP links. At least the one to the windows installer I checked.
  3. SSLLabs also reports you have some issues with Session resumption (caching): No (IDs assigned but not accepted)
    Fixing this should make all HTTPS connections faster.
  4. The emoticons cause mixed content issues, as they try to load over HTTP.

Also nice you support HTTP/2 BTW. :)
The only thing which looks quite bad IMHO is the smileys. Especially when you compare them to the rest of the forum design, they look very outdated...

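An added example (not code from this thread or from the forum) that models how a browser applies the Strict-Transport-Security header described in point 1: a header received over plain HTTP is ignored, and without includeSubDomains the policy binds only the host that sent it. The host names are taken from the thread; the behaviour follows RFC 6797.

```python
# Added example: minimal model of a client's HSTS handling (RFC 6797).
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    host: str
    max_age: int
    include_subdomains: bool


def parse_hsts(scheme: str, host: str, header: Optional[str]) -> Optional[HstsPolicy]:
    """Return the policy a client would store, or None if nothing is stored."""
    # RFC 6797 section 8.1: an HSTS header on a non-secure transport is ignored,
    # which is why serving it over plain HTTP achieves nothing.
    if scheme.lower() != "https" or header is None:
        return None
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m is None:
                return None          # malformed max-age: whole header is invalid
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None                  # max-age is mandatory
    return HstsPolicy(host.lower(), max_age, include_sub)


def forces_https(policy: Optional[HstsPolicy], target_host: str) -> bool:
    """Would a later request to target_host be upgraded to https by this policy?"""
    if policy is None or policy.max_age == 0:   # max-age=0 removes a stored policy
        return False
    target = target_host.lower()
    if target == policy.host:
        return True
    # Only with includeSubDomains does the policy reach below the sending host.
    return policy.include_subdomains and target.endswith("." + policy.host)
```

So a header of `max-age=31536000` sent by wildfiregames.com leaves releases.wildfiregames.com untouched, which is the point made about not having to serve the whole domain over HTTPS.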

10 hours ago, rugk said:

So I've created the rulesets for HTTPS Everywhere. Please let me know if a domain or subdomain which supports HTTPS is missing from them.

Nothing is missing as far as I know, but these rulesets are not needed.  Currently the forums redirect to https automatically, so does play0ad.com.  When we're ready, we'll do the same with other websites and/or subdomains.

10 hours ago, rugk said:

As already mentioned in this thread you could send the HSTS header. This would also give you an A+ at SSLLabs. Adding the HSTS header also does not mean you have to serve your entire domain (*.wildfiregames.com and *.play0ad.com e.g.) over HTTPS. This is only the case if you include the "includeSubDomains" option. If you leave this option out the header is only valid for the visited domain.

I have no idea how to do this with OpenLiteSpeed (the web server we're using).  I will look into this later, but this is not high on my priority list.

10 hours ago, rugk said:

The links to your releases (releases.wildfiregames.com) are still HTTP links. At least the one to the windows installer I checked.

This is on purpose.  Using SSL for the downloads could have a huge impact on the webserver, especially when a new release comes out and there are lots of downloads.  Besides, I honestly don't see the point in encrypting file downloads that are publicly available anyway.  I understand there's quite a hype around making everything https, but I do want to use our available resources as efficiently as possible.

10 hours ago, rugk said:

SSLLabs also reports you have some issues with Session resumption (caching): No (IDs assigned but not accepted).  Fixing this should make all HTTPS connections faster.

I don't see it.  Session resumption (caching): Yes

10 hours ago, rugk said:

The emoticons cause mixed content issues as they are tried to load over HTTP.

You'd have to tell me where this is happening, so I can investigate.  You can check the link of this emoticon: ;)  It is https.

10 hours ago, rugk said:

The only thing which looks quite bad IMHO is the smileys. Especially when you compare them to the rest of the forum design, they look very outdated...

Do you mean the default smileys under "overview" or the extensive library that's shown when you open the "emoticons" category?  If the latter, then yes, I agree.


2 hours ago, implodedok said:

Nothing is missing as far as I know, but these rulesets are not needed.

Okay, but it is not true that they are not needed, because especially if you do not use HSTS, HTTPS Everywhere still protects against SSL stripping.

2 hours ago, implodedok said:

I have no idea how to do this with OpenLiteSpeed (the web server we're using).  I will look into this later, but this is not high on my priority list.

HSTS is basically just an HTTP header. And if I understand it correctly, OpenLiteSpeed also uses Apache config files, and there are many guides on how to add a (HSTS) header in Apache, also for only serving it via HTTPS (which is recommended anyway, because HSTS headers served over HTTP are ignored by clients).

2 hours ago, implodedok said:

purpose.  Using SSL for the downloads could have a huge impact on the webserver, especially when a new release comes out and there are lots of downloads.  Besides, I honestly don't see the point in encrypting file downloads that are publicly available anyways.  I understand there's quite a hype around making everything https, but I do want to use our available resources as efficient as possible.

Although TLS is indeed fast, especially if you also support HTTP/2 like you do, I understand that you may not want to serve your releases over HTTPS by default.
As for HTTPS Everywhere users, they'll get them over HTTPS (as they use this extension, it seems useful). The purpose of serving binaries over HTTPS is simple: integrity. HTTPS does not only prevent eavesdropping on the traffic, but also makes sure the integrity of the packages is guaranteed. This means that with HTTPS an attacker cannot modify the binary.

So I would at least recommend putting the hash (SHA-1 and preferably SHA-256) on the (HTTPS) download site, so that the user can verify the (HTTP) download manually.

2 hours ago, implodedok said:

I don't see it.  Session resumption (caching): Yes

I just rescanned and it is still there:


2 hours ago, implodedok said:

You'd have to tell me where this is happening, so I can investigate.  You can check the link of this emoticon: ;)  It is https.

E.g. in this thread there is this smiley:

http://www.wildfiregames.com/forum/uploads//emoticons/default_smile.png

It seems that all smileys inserted before the forum relaunch are still HTTP links... BTW on this page there is another mixed content: The social media icons, e.g.:

http://www.wildfiregames.com/0ad/images/new_icons/facebook.png

are served over HTTP.

FYI, if you cannot rewrite all links or it is too difficult, there is a "workaround" by using the CSP header.

3 hours ago, implodedok said:

Do you mean the default smileys under "overview" or the extensive library that's shown when you open the "emoticons" category?  If the latter, then yes, I agree.

It does not really matter. All the smileys are the default, old forum-smileys...
But I can live with them... ;)

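An added example, not code from this thread or from the forum software: it scans an HTML page for sub-resources that are still referenced over http:// (the mixed content from the old emoticon and social-icon links quoted above) and shows what the CSP directive `upgrade-insecure-requests`, which is how I read the "workaround" mentioned, would do to each such URL. The sample HTML is constructed; only the two quoted URLs come from the thread.

```python
# Added example: mixed-content scan plus the effect of
# "Content-Security-Policy: upgrade-insecure-requests" on each finding.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that fetch a sub-resource into the page. Navigational
# links (<a href>) are deliberately absent: they are not mixed content.
RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("link", "href"),
                  ("iframe", "src"), ("source", "src"), ("video", "src"),
                  ("audio", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []           # (tag, url) pairs that load over plain HTTP

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value:
                if urlsplit(value).scheme == "http":
                    self.insecure.append((tag, value))


def find_mixed_content(html: str) -> list:
    """Return [(tag, url), ...] for every sub-resource fetched over plain HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


def upgrade_url(url: str) -> str:
    """What upgrade-insecure-requests does to one URL: http:// becomes https://."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed sample page (not the real forum HTML) using the URLs quoted above.
SAMPLE_HTML = """<html><body>
<p>Hello <img src="http://www.wildfiregames.com/forum/uploads//emoticons/default_smile.png"></p>
<a href="http://example.invalid/page">a navigation link, not mixed content</a>
<img src="https://www.wildfiregames.com/forum/uploads/emoticons/default_wink.png">
<img src="http://www.wildfiregames.com/0ad/images/new_icons/facebook.png">
</body></html>"""
```

The CSP directive only rewrites the request; the server must actually answer on https for each upgraded URL, otherwise the resource fails to load instead of loading insecurely.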

It's really hard to tell anything from that screenshot, but it looks like you might have had a post that only consists of a quote, maybe that is what's wrong? I.e. there needs to be more text than just a quote. It's better to split up the quote and reply to the different parts individually anyway -- it can be really hard to tell what is the comment and what is the reply when someone is replying within a comment.

If what you were doing was something else, then please post more information since it's hard to tell, especially when the keyboard hides half the post.


7 hours ago, feneur said:

It's really hard to tell anything from that screenshot, but it looks like you might have had a post that only consists of a quote, maybe that is what's wrong? I.e. there needs to be more text than just a quote. It's better to split up the quote and reply to the different parts individually anyway -- it can be really hard to tell what is the comment and what is the reply when someone is replying within a comment.

If what you were doing was something else, then please post more information since it's hard to tell, especially when the keyboard hides half the post.

I solved it, but it doesn't let me edit my reply, because when I try to save changes it says "required". I link the post where I have this problem.

The problem was presented in a quote like this. I'm not sure if it was because I modified the quote, and the problem appears only on my iPad. I solved it in my PC browser.

Here is the link

Edited by Lion.Kanzen

5 minutes ago, Lion.Kanzen said:

It happened again, but this time it let me reply (I'm on a computer).

Ah, that's just to tell you that there needs to be something there, you should still be able to edit the post and click save. If that doesn't work, then there is an issue, but if it's just the message everything is fine.


On my iPad it doesn't let me, but on my computer I can. Another problem starts when I try to copy something: my iPad copies the entire page, so I try to delete it. When I solved that little issue and started to give a reply outside the quote box, it didn't let me send my reply and said something is required. So... what is missing? The warning needs to be more specific; yes, I see something is required, but what is that thing? All looks fine. And why doesn't my Safari browser let me, while Firefox on my computer lets me reply? As you see in the picture, all looks fine.


You write an @ symbol, then a space, followed by their username. It seems a bit hard to get to work all times, but if you get a list of names popping up after you have written the @ and a space it is working. It seems as if it only occurs in some cases, after commas and after some words. Not really sure :P



I saw this in the AoE forum; they have a lot of bots attacking, spamming fake content like black magic and stuff like that.

So a user suggested this.

Quote

They really need a captcha or equivalent to be passed before posts are submitted. Something like what I attached would be perfect. It isn't known exactly how they work, but people are pretty sure it analyzes past user behavior/mouse movement to prove legitimacy of the poster. Genuine (i.e. human) mouse behavior is quite difficult to fake.

Are we implementing this?

Edited by Lion.Kanzen
