Offline
Toronto, Ontario, Canada

I think that it's high time that chipmusic.org added SSL and all traffic used secure connections. Our traffic here might not seem "important" but I think these days that all web traffic ought to be secure and it's no longer prohibitively expensive to do.

Thanks to the EFF and Let's Encrypt the process is now free and relatively easy. I've been using Let's Encrypt signed certificates on all of my websites for a while now and I'm more than happy to answer any questions about how to go about the process if any of the admins have questions.

Offline
Earth

I was going to bring this up. The ios app doesn't like connecting to insecure websites anymore.

Offline
Tacoma, WA

Auto-renew on the Let's Encrypt certs is really handy too! I do a fair bit of pen-testing for work, so if there are some other issues that come up, I would be happy to assist with.

Offline
Tacoma WA

i'll bring it up in the super secert mod lobby

Offline
Sweeeeeeden

jeff: Currently, chipmusic.org runs on a Site5 account. There's ssh access but I believe it's managed hosting, so no access to root or global server config. According to their FAQs, LE is not supported at this time. If you have information on how to get LE working on Site5 in particular I'd be willing to listen. But otherwise, switching to a different provider is unfortunately something that neither me nor Tim has the time to do atm.

Offline
Los Angeles

We are actually running a VPS, which should support SSL. I need to look that stuff up.

Offline
Tacoma, WA

What service are you guys using? Hostgator, DigitalOcean, Linode, or something else?

Offline
Sweeeeeeden

Site5, but currently planning to move the site because of this discussion.

Offline
vancouver, canada

on a related note: Chrome now blocks flash, which in turn blocks the music players here (and on weeklybeats btw).  you have to right-click the container element and clck "Run this plugin" in order to play a song.  it's worse on weeklybeats because the flash widget is crammed into a 1x1 pixel area.

i know that this flash component was used mainly to avoid having to encode everything in more than just mp3 and browser wars were muddying up the possibility of just sticking with mp3.  however, http://caniuse.com/#search=mp3 shows that all browsers support MP3 now (except for Opera Mini but i'd say it's close enough).

so what's the over-under on swapping the flash player with a fully HTML5 player?  i can help source a suitable player (though it's not hard to just make one from scratch, with the <audio> element and a few well-placed JS handlers)

sorry to hijack the thread if this is too off-topic

Last edited by bryface (Jan 26, 2017 7:31 am)

Offline
France

+1 bryface.
Ok for using ssl (my CM.O account is so precious I wouldn't have it stolen), but before that I think it'd be wiser to focus developements on using html5 replay.

Offline
Toronto, Ontario, Canada
nitro2k01 wrote:

jeff: Currently, chipmusic.org runs on a Site5 account. There's ssh access but I believe it's managed hosting, so no access to root or global server config. According to their FAQs, LE is not supported at this time. If you have information on how to get LE working on Site5 in particular I'd be willing to listen. But otherwise, switching to a different provider is unfortunately something that neither me nor Tim has the time to do atm.

I'm not familiar with the specifics of that host but looking at the FAQ it seems to use SiteAdmin or cPanel? Both have some form of SSL Manager in the options that'll let you upload and configure your SSL/TLS. Most managed hosting doesn't allow you to directly touch Apache/server configs but the management interface almost always allows SSL/TLS configuration.

Forcing https:// is just a few simple lines in your .htaccess, something like this:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://chipmusic.org/$1 [R=301,L]
bryface wrote:

so what's the over-under on swapping the flash player with a fully HTML5 player?  i can help source a suitable player (though it's not hard to just make one from scratch, with the <audio> element and a few well-placed JS handlers)

I built my website's music player on jPlayer and it's API is both comprehensive and logical. It requires jQuery, so if you prefer plain js then you'd want to look elsewhere.

Last edited by jefftheworld (Jan 27, 2017 3:01 am)

Offline
Baja California

I like how you guys still care for the site despite low activity. Keep it up guys, there's plenty of good tips in here (Just hoping all the information  in the threads dosen't get lost like 8bc)

Offline
NUMBSKULL

Bumping this. I added SSL to my sites using cloudflare. It's super easy. Basically all you have to do change your nameservers to be cloudflare's nameservers. Also free. I am willing to help set it up!

ISPs will soon be able to sell your browsing history. The last thing I need is anyone finding out I still visit cm.o! big_smile

Last edited by catskull (Apr 4, 2017 4:27 pm)

Offline
UK
jefftheworld wrote:

I'm not familiar with the specifics of that host but looking at the FAQ it seems to use SiteAdmin or cPanel? Both have some form of SSL Manager in the options that'll let you upload and configure your SSL/TLS. Most managed hosting doesn't allow you to directly touch Apache/server configs but the management interface almost always allows SSL/TLS configuration.

Forcing https:// is just a few simple lines in your .htaccess, something like this:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://chipmusic.org/$1 [R=301,L]

I know cpanel deffo does so this is accurate, newer versions of cpanel have a wizard for adding SSL automagically, and the latest ones even support letsencrypt which would be free

If you do end up having to do it manually (if your VPS allows write access to the server config files) then you'll first need to find out if you're running apache or nginx, buy an apache ssl certificate from a provider such as godaddy, go through the process to generate the files required to upload to generate the certificate, upload those to the vps (with ssh i imagine), and reference them in the apache or nginx vhost configurations (depending on your setup). After the sites gone up and down a bunch of times while that config is tested then the .htaccess change can be used to force https if its apache or it'd be in the nginx config if its nginx. I imagine the vps for this forum is pretty old so its probably apache2. I was able to accomplish the manual set up using the digital ocean ssl setup guides even for none-d.o sites

good luck and feel free to message me if you get stuck

Offline
Unsubscribe

Im a patriot and have nothing to hide.

Offline
Toronto, Ontario, Canada
tearauth wrote:

If you do end up having to do it manually (if your VPS allows write access to the server config files) then you'll first need to find out if you're running apache or nginx, buy an apache ssl certificate from a provider such as godaddy, go through the process to generate the files required to upload to generate the certificate, upload those to the vps (with ssh i imagine), and reference them in the apache or nginx vhost

You don't need to purchase an SSL cert if you are using Let's Encrypt.