Scivillage.com: Planned Changes (Sept/2016)

#1
I'm currently in the process of looking at how to further secure the site and increase site performance.

Some time back I mentioned that I wanted to get the site set up with SSL eventually and I'm currently looking into doing just that. The problem I had is I have an SSL cert but it was incompatible with the CDN provided by my current host. I think however I might have found a way around it and it shouldn't increase costs at my end. (Which means I don't have to look for some revenue model to aid in maintaining the site.)

It however requires me to turn off certain things that are currently on and change my nameserver entries within the DNS. This means it should take approximately 48 hours to fully move from the current configuration to the SSL variant. The problem with that of course is that should there be an unfixable issue with it, it will take up to 48 hours to roll back and I really don't want to have site downtime.

I will post a timeline for the intended roll out after I've completed my current test (using another domain) as I want it to go as smoothly as possible.

When done, the site will be far more secure and hopefully it won't have caused any disruption or too many problems with people being able to use it.

So fingers crossed the test goes smoothly.
#2
Update: The test seems to have gone smoothly. It suggests that it would be possible to set up the SSL cert.

Just to clarify this is what's intended:

[Image: sslfix.png]


The current connection, while being set for performance and hardened to some server attacks, unfortunately doesn't encrypt a person's connection between Cloudflare or even the server. This means that although a password is hashed (and not plaintext) it's still potentially readable (along with other submitted information). It's a small risk (considering it's not like we are sending telegrams to each other involving national secrets), but it's a risk nonetheless.

So with the rollout working correctly, encryption will eventually occur between users and Cloudflare, which in turn will deal with encryption between themselves and the server. Thereby making it near truly crypto-tunnelled. (The only thing that would be missing from making it truly crypto-tunnelled is if the server actually did the cryptology itself and had the cert embedded on it, which it doesn't.)

That's the pros; the con is that I will lose the usage of the Mirage component of Cloudflare (which is supposed to resize/compress images for mobile usage). I will also need to go through all my URLs and server-related scripts looking for anywhere that I'd previously had HTTP hardcoded, since it will require rewriting to HTTPS. (This could break some scripts and make some images not show until fixed.)

I'm not going to have a quick look to see how much of an effect that is going to cause and then we should be ready for the rollout.
Reply
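
The audit for hardcoded HTTP references described in post #2, as an added example that is not part of the original thread or the site's own code. The file names, file contents and function names are constructed for illustration; the hostnames are assumed from the domain named in the thread.

```python
import re

# Assumption: the site's own hostnames, taken from the domain named in the thread.
SITE_HOSTS = {"scivillage.com", "www.scivillage.com"}

# Plain-http URLs only; "https://" never matches because of the literal "http://".
HTTP_URL = re.compile(r"""http://([A-Za-z0-9.-]+)(?::\d+)?[^\s"'<>)]*""")

def _is_own(match):
    return match.group(1).lower().rstrip(".") in SITE_HOSTS

def find_hardcoded_http(name, text):
    """Return (file, line_no, url, kind) for every plain-http URL in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            kind = "own-site" if _is_own(m) else "third-party"
            findings.append((name, line_no, m.group(0), kind))
    return findings

def rewrite_own_site(text):
    """Upgrade own-site URLs only; a third-party host may not serve HTTPS,
    so those are reported for manual review instead of being rewritten."""
    return HTTP_URL.sub(
        lambda m: "https" + m.group(0)[4:] if _is_own(m) else m.group(0), text)

# Constructed sample files (hypothetical names and contents, not from the real site).
SAMPLES = {
    "header.tpl": '<img src="http://scivillage.com/images/logo.png">\n'
                  '<link href="https://scivillage.com/css/main.css">\n',
    "widgets.js": 'var feed = "http://cdn.example.net/feed.js";\n'
                  "var home = 'http://www.scivillage.com/index.php';\n",
}

def audit(samples):
    """Scan every file and return all findings in file order."""
    results = []
    for name, text in samples.items():
        results.extend(find_hardcoded_http(name, text))
    return results

if __name__ == "__main__":
    for name, line_no, url, kind in audit(SAMPLES):
        print(f"{name}:{line_no}: {kind}: {url}")
```

Own-site hits are the ones that trigger mixed-content blocking once the forum is served over HTTPS; third-party hits need a check that the remote host actually serves the resource over HTTPS before they are changed.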
#3
Update:
I will start the conversion later when it's quiet.
If it all goes horribly wrong and the site goes down for any reason, please use Twitter (@Scivillage) to keep updated.
#4
Update: Now in the preflight check... (partially done)
#5
Update:
A little bit further along. You might well notice that the site is now forcing HTTPS. I'm still waiting on CF (Cloudflare) to finish the complete SSL migration, I don't know how long that's going to take.

If you are having any problems logging in, please email me: webmaster @thisdomain (thisdomain being scivillage.com) or message via Twitter.

If it's just posting problems etc. but you can still log in, feel free to PM me.
#6
>Deprecating the use of Update from now on:

Cloudflare is now up and running. It appears as if things are working (For some reason I'm still accessing direct from the server IP, but that should solve itself eventually.)

This setup now generates a few additional changes.

I can now set Cloudflare to push CAPTCHAs on certain rogue entities and even countries that were otherwise a concern in regards to server load. Previously I was attempting to block all access via CIDRs through a .htaccess file, which was both slightly overaggressive (since it blocked entire countries potentially) and awkward (considering there are 4,294,967,296 IPv4 addresses and a ridiculously high number of IPv6). This should undermine bots and still leave the site accessible for those that are legitimately visiting.

Should you find yourself suffering from CAPTCHAs or weird error messages, just inform me and I can look at doing something in the configuration to work around it happening to you.

There's also far greater control over dealing with potential attackers, however we've been lucky so far with just load issues causing the main faults.

So if you notice a reduction in the number of lurkers, that's probably why.

In any event it seems a success.
#7
Mobile Theme bug
It seems I made a little mistake with the settings and the mobile theme wasn't resolving properly and was giving an error message. Hopefully that's been resolved, sorry for the inconvenience.

It was a problem with having turned on a Cloudflare option for redirecting mobiles to a mobile page. I assume that it was causing a redirect loop with the original script for identifying mobiles and creating an error where it would never resolve. I've turned the option back off for now. (If you ever wonder why I go to some lengths to mention background goings-on of what I do, it's partially because I know three months down the road I won't remember what I did and if I get stuck with the same problem again, I've got some notes to pull from.)
#8
Cloudflare CAPTCHAs

This shouldn't affect anyone here. (This happened to me elsewhere.)
Should you find when you are doing multiple edits to a post that you are suddenly greeted by a message that mentions that you need to do a CAPTCHA, and like me you went out of your way to set your browser to disable third-party scripts, you will likely find that the CAPTCHA is actually missing and can't be completed. What you will need to do is go back to the page where you were making an edit, copy what you've written to a notepad and either disable the script blocker or switch to a browser that isn't set to block scripts before resubmitting the copied data back to the forum.

Who's Online is it anyway?
I've set up the who's online to be viewable by Guests. This is so it can actually be seen if people are on the forum. Previously I think hiding it for the reason of reducing bots (which worked to be honest) made it look like there was no one here posting :/ Hopefully this is acceptable to you all. If you have any issues being seen online here, by all means use the invisible option from within the UserCP if you haven't already.

