
Thread: LetsEncrypt for https://killtube.org

  #1 kung foo man

    NOT RECOMMENDED YET

    RECOMMENDED AND ENFORCED ;^)

    Hey all,

    https://killtube.org/forum.php should work from now on. Since I had to reconfigure a bit, please post any bugs. ^^

    Regards, kung foo man

    Edit 1:

    For later lookup:

    https://nwgat.ninja/setting-up-letse...with-lighttpd/
    https://redmine.lighttpd.net/project...HowToSimpleSSL
    https://www.ssllabs.com/ssltest/

    Edit 2:

    Fucking shit, the post editor is not available in https:// mode and screws up the newlines when a post is saved:

    [Attachment: https editor.png]

    GJ, VBulletin.
    timescale 0.01


  #2 IzNoGoD
    My own script for letsencrypt on forum.jumpersheaven.com:

    Code:
    #!/bin/bash
    # fresh checkout of the client on every run
    rm -rf letsencrypt
    git clone https://github.com/letsencrypt/letsencrypt
    # webroot only holds the /.well-known/ challenge files; lighttpd serves it on :80 (config below)
    rm -rf /tmp/letsencrypt
    mkdir -p /tmp/letsencrypt
    # --renew: later client versions renamed this flag, see post #10
    ./letsencrypt/letsencrypt-auto certonly --renew --webroot --webroot-path=/tmp/letsencrypt -d forum.jumpersheaven.com --email=INSERT@EMAIL.HERE
    # lighttpd wants key and cert in one file (ssl.pemfile); the intermediate goes in ssl.ca-file
    LIVE=/etc/letsencrypt/live/forum.jumpersheaven.com
    rm -f "$LIVE/combined.pem"
    # umask 077 so the file holding the private key is not created 0644 under root's default umask
    (umask 077; cat "$LIVE/privkey.pem" "$LIVE/cert.pem" > "$LIVE/combined.pem")
    # www-data group gets traverse (x) on the directories and read (r) on the combined file, others get nothing
    chown :www-data /etc/letsencrypt /etc/letsencrypt/live /etc/letsencrypt/archive "$LIVE/combined.pem"
    chmod g+x /etc/letsencrypt/live /etc/letsencrypt/archive
    chmod 0640 "$LIVE/combined.pem"
    # lighttpd only reads the pemfile at startup, so the renewed cert is not served until it is restarted
    /etc/init.d/lighttpd restart
    With this as lighttpd.conf contents:
    Code:
    $HTTP["host"] =~ "forum.jumpersheaven.com" {
        $SERVER["socket"] == ":443" {
            ssl.engine              = "enable"
            # chain.pem carries the Let's Encrypt intermediate; without it clients see an incomplete chain
            ssl.ca-file             = "/etc/letsencrypt/live/forum.jumpersheaven.com/chain.pem"
            # privkey.pem + cert.pem in one file, as produced by the script above
            ssl.pemfile             = "/etc/letsencrypt/live/forum.jumpersheaven.com/combined.pem"
            ssl.honor-cipher-order  = "enable"
            ssl.cipher-list         = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
            # generated with: openssl dhparam -out dhparam.pem 4096 (see post #7)
            ssl.dh-file             = "/etc/ssl/certs/dhparam.pem"
            ssl.ec-curve            = "secp384r1"
            ssl.use-compression     = "disable"
            setenv.add-response-header = (
                "X-Frame-Options"        => "DENY",
                "X-Content-Type-Options" => "nosniff"
            )
            ssl.use-sslv2           = "disable"
            ssl.use-sslv3           = "disable"
        }
        else $SERVER["socket"] == ":80" {
            # only the ACME challenge path is served in clear, straight from the script's webroot
            $HTTP["url"] =~ "^/\.well-known/" {
                server.dir-listing   = "disable"
                server.document-root = "/tmp/letsencrypt"
            }
            # everything else on :80 is sent to https
            else $HTTP["url"] =~ "" {
                url.redirect = ("^/(.*)" => "https://forum.jumpersheaven.com/$1")
            }
        }
    }
    I can just cronjob the first one and it'll auto-renew my certificates.
    "Does not work" is an error report for a bug between keyboard and chair.

    All hail Artie Effem


  #3 Mitch
    Quote Originally Posted by kung foo man:
        NOT RECOMMENDED YET
        Fucking shit, the post editor is not available in https:// mode and screws up the newlines when a post is saved:
    Indeed. Also the SSL Labs test shows a few issues. The most important is to disable SSLv3 and check why the certificate chain is incomplete.
    LetsEncrypt is very easy to set up and renew for an Apache server.

    Edit: your attachment isn't https either.
    Edit 2: I found the issue with the editor. It is blocked because it is loaded via http.
    Last edited by Mitch; 15th March 2016 at 17:33.


  #4 kung foo man
    I grep'ed through the source code and probably it's:

    Code:
    ./includes/class_bbcode_alt.php:                    'src'          => $vbulletin->options['bburl'] . '/attachment.php?attachmentid=' . $attachmentid . '&stc=1',
    So $vbulletin->options['bburl'] is still pointing to http://, but I couldn't find yet where it is initialized. I've asked in the vBulletin forum; I hope they're gonna answer, shouldn't be so hard for those people.

  #5 IzNoGoD
    Just add this to lighttpd.conf:
    Code:
    $SERVER["socket"] == ":80"{
    	url.redirect = ("^/(.*)"=> "https://forum.jumpersheaven.com/$1")
    }

  #6 kung foo man
    Redirecting from http to https is going to add extra requests though (which introduces useless latency). I'd rather fix the paths in vBulletin directly, once I know where the bburl variable is initialized.

  #7 kung foo man
    [Attachment: ssl_a_grade.png]

    Very nice, thanks IzNoGoD, config works great.

    The missing command to generate dhparam.pem: openssl dhparam -out dhparam.pem 4096

    There is an option in vBulletin to "force" a URL, which could be https:// then, but then http:// wouldn't work anymore and all URLs would be rewritten directly to https://. I kinda wanna keep both, http:// and https://; I hope they're gonna deliver a real answer in the vBulletin forum. ATM just crap like "activate that option muh". Maybe only allow https:// after all? Dunno if that could cause problems for some people.

  #8 IzNoGoD
    Could cause problems for ppl on Windows XP using IE, and ONLY those people.

  #9 kung foo man
    Trutru, https["state"] = "RECOMMENDED AND ENFORCED"
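With https enforced, every plain-http hit still pays the redirect round trip that post #6 objects to. HSTS takes it away for returning visitors: once a browser has seen one https response carrying a Strict-Transport-Security header, it rewrites http:// URLs for that host to https:// itself and does not touch port 80 again for the lifetime of max-age. The lighttpd fragment below is an added example, not config from the thread; it assumes the killtube.org / www.killtube.org names and the /var/www/forum webroot from kung foo man's renewal command in #10, and it stands in for the setenv.add-response-header array of IzNoGoD's :443 block (the cipher, DH and SSLv3 settings there apply unchanged).

```lighttpd
# Added example (not part of the thread): HSTS once https is the only mode.
# Assumptions: hostnames and webroot as in the renewal command in post #10,
# pemfile name as in that post's "Notice to myself".
$HTTP["host"] =~ "^(www\.)?killtube\.org$" {
    $SERVER["socket"] == ":443" {
        ssl.engine              = "enable"
        ssl.pemfile             = "/etc/letsencrypt/live/killtube.org/privkey_plus_cert.pem"
        ssl.ca-file             = "/etc/letsencrypt/live/killtube.org/chain.pem"
        ssl.honor-cipher-order  = "enable"
        ssl.use-sslv2           = "disable"
        ssl.use-sslv3           = "disable"
        # cipher-list, dh-file, ec-curve: same values as in IzNoGoD's config above

        setenv.add-response-header = (
            "X-Frame-Options"           => "DENY",
            "X-Content-Type-Options"    => "nosniff",
            # Sent on https responses only (this block); browsers ignore HSTS over plain http.
            # One day while the renewal cron is unproven; raise to 31536000 once a renewal
            # has gone through. Add "; includeSubDomains" only if every subdomain is https.
            "Strict-Transport-Security" => "max-age=86400"
        )
    }
    else $SERVER["socket"] == ":80" {
        # the ACME http-01 path stays reachable in clear so renewals keep working
        $HTTP["url"] =~ "^/\.well-known/acme-challenge/" {
            server.dir-listing   = "disable"
            server.document-root = "/var/www/forum"
        }
        # everything else is the one-time redirect; after that the browser skips :80 on its own
        else $HTTP["url"] =~ "" {
            url.redirect = ("^/(.*)" => "https://killtube.org/$1")
        }
    }
}
```

The caveat that goes with this: a cached HSTS policy also stops the browser from letting the user click through an expired certificate, so a missed renewal turns from a warning into a hard outage for the whole max-age. Keep the value short until the cronjob has renewed at least once, then lengthen it.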

  #10 kung foo man
    The option --renew is now named --renew-by-default, so IzNoGoD's .sh would fail on that now.

    Notice to myself for the next time:
    Code:
    ./letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path=/var/www/forum -d killtube.org -d www.killtube.org --email=lama12345@gmail.com
    cd /etc/letsencrypt/live/killtube.org/
    cat privkey.pem cert.pem > privkey_plus_cert.pem
    /etc/init.d/lighttpd restart
    Letsencrypt auto-updates itself btw, didn't know that.
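Both the script in #2 and the notice in #10 build lighttpd's combined key+cert file with a plain `cat ... > file`. Run from root's cron with the default umask that file is created 0644; only the directory permissions on live/ then keep other local accounts away from the private key, and anything that loosens them (the g+x in #2, or a copy placed somewhere more convenient) exposes it. The helper below is an added example, not code from the thread; it assumes certbot's privkey.pem / cert.pem layout and takes its paths and optional group as hypothetical arguments. It creates the file under umask 077, refuses swapped or incomplete inputs, replaces the old file atomically so a reload never sees a half-written pemfile, and ends with a file readable by root and at most one group.

```shell
#!/bin/sh
# Added example, not from the thread: build lighttpd's combined key+cert pemfile
# without leaving the private key world-readable, validating the inputs first.
# Assumes certbot's layout (privkey.pem, cert.pem); all paths are hypothetical arguments.
set -eu

# count_pem_blocks FILE LABEL: number of "-----BEGIN LABEL-----" lines in FILE (0 if none)
count_pem_blocks() {
    grep -c -e "-----BEGIN $2-----" "$1" || true
}

# has_private_key FILE: succeeds if FILE holds a PKCS#8, PKCS#1 (RSA) or SEC1 (EC) private key block
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# pem_is_private FILE: succeeds only if "other" has no permission bits at all
pem_is_private() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# make_combined_pem PRIVKEY CERT OUT [GROUP]
# Writes PRIVKEY followed by CERT (the order lighttpd's ssl.pemfile expects) to OUT.
make_combined_pem() {
    key=$1; cert=$2; out=$3; group=${4:-}

    # Refuse swapped or incomplete inputs instead of writing a pemfile lighttpd cannot load
    has_private_key "$key" || { echo "make_combined_pem: no private key in $key" >&2; return 1; }
    if has_private_key "$cert"; then
        echo "make_combined_pem: $cert contains a private key, arguments swapped?" >&2; return 1
    fi
    [ "$(count_pem_blocks "$cert" CERTIFICATE)" -ge 1 ] \
        || { echo "make_combined_pem: no certificate in $cert" >&2; return 1; }

    # umask 077 in a subshell: the temp file is born 0600 whatever the caller's (or cron's) umask is
    tmp="$out.tmp.$$"
    (umask 077; cat "$key" "$cert" > "$tmp")

    # Group read only when a group was named (e.g. www-data); never any bits for "other"
    if [ -n "$group" ]; then
        chown ":$group" "$tmp"
        chmod 0640 "$tmp"
    else
        chmod 0600 "$tmp"
    fi

    # Atomic replace: a reload racing this script sees the old file or the new one, never a partial one
    mv -f "$tmp" "$out"
    pem_is_private "$out"
}

# usage: sh make_combined_pem.sh /etc/letsencrypt/live/HOST/privkey.pem \
#            /etc/letsencrypt/live/HOST/cert.pem /etc/letsencrypt/live/HOST/combined.pem www-data
if [ "$#" -ge 3 ]; then
    make_combined_pem "$@"
fi
```

Run it from the renewal cronjob in place of the `rm`/`cat`/`chown`/`chmod` lines, then restart lighttpd as in #10; with the group argument set to www-data the result is the 0640 file the config needs, and with no group it stays root-only.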

