TNG and SSL

From TNG_Wiki

What is SSL?

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered.

Why SSL? The Purpose of using SSL Certificates

This article from the SSL Shopper website covers many Frequently Asked Questions about SSL

  • Why SSL?
  • Benefits of SSL
  • Disadvantages of SSL

How do I install SSL?

SSL is installed on your host server, so it is a product that your hosting provider normally deals with. Check whether your hosting provider's SSL policy is listed in the next section; otherwise contact them to see what SSL products they provide. Some of the questions you may want to ask them are:

  • What certificate options does the hosting provider offer - paid or free?
  • If the provider only has paid options, can a free certificate be installed?
  • Who can do the installation - provider, customer or both - and are there any costs involved?
  • Who can do the redirect - provider, customer or both - and are there any costs involved?
  • (For the benefit of other users, you are invited to post your host provider's policy in the next section.)

Change Genealogy URL

You need to change your Genealogy URL to use https to eliminate the mixed content error message displayed in Firefox or SeaMonkey. The Genealogy URL is used by TNG to resolve internal links to images and other TNG components.

Redirect HTTP to HTTPS

Depending on your server set-up, a redirect may have to be put in place so that your users go to your secure https address by default. The redirect file for TNG is named .htaccess and resides in the folder above the TNG root folder. An example file, which has worked with Simply Hosting and ICDSoft web sites, is:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


Note: Should the URL 'lock' icon normally seen when using SSL turn to 'not secure' in the Chrome browser, ICDSoft recommends the following addition to the .htaccess file in the TNG root folder.

<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

TNG to SSL Issues

Ordinarily, the transition to a secure address is seamless and all pages on your site will display the green padlock in the browser address bar, which indicates that your site is secure.
There are, however, issues that can cause your site or certain pages on your site to display security (mixed content) messages. If you get mixed content messages, first make sure the Admin > Setup > General Settings > Site Design section has an updated Genealogy URL that uses https before chasing other problems.

These are normally a result of customisations made to your website, such as code additions or changes made in the header, footer, main body or menus. More info - Mixed content blocking in Firefox
To secure your site, you will need to identify this unsecured content and make the necessary code changes yourself, as your hosting provider cannot be expected to make corrections to customisations made to your website.
Your host provider is more than willing to help with any other transition issues.

Note that if you did not update your Genealogy URL to use https, the favicon link will be generated with http:// from the $tngdomain setting in your config.php file and cause a mixed content error.

Note that you should also enter 'https' instead of 'http' in the .htaccess file when using a "403 - Forbidden" error document as described in Prevent_Directory_Listing.

Hosting Providers

Hosting Provider: Policy

Simply Hosting: The (currently recommended) hosting provider Simply Hosting includes SSL by Let's Encrypt at no extra cost.
(As at 15 Sep 2016) Anyone with them should be able to see their secure site by simply changing the address in the address bar to https. To get your users to enter your secure site address by default you will need to get a redirection from your http address to your https address put in place. If you ask them nicely, Simply Hosting may do this for you for free. Only time will tell whether Simply Hosting will put in place a policy of redirecting all their TNG sites to https by default. So if you are with Simply Hosting you may not have to do anything and it will eventually happen automatically, free of charge.
If you experience problems with unsecured content alerts after installation, please refer to the Trouble/Problems section.

ICDSoft: Currently, ICDSoft recommends GEOTRUST's Rapid SSL $30 (1 subdomain, static seal, 10k warranty) or QuickSSL Premium $150 (1 subdomain, dynamic seal, 100k warranty), as well as COMODO's Essential $35 (1 subdomain, static seal, 10k warranty) or Essential Wildcard $150 (unlimited subdomains, static seal, 10k warranty), all prices per annum. After payment, ICDSoft handles the installation of the SSL certificate, after which the site owner is alerted. The site owner is responsible for the redirection, but ICDSoft provides the recommended entries for the .htaccess file. ICDSoft's SureSupport team is very responsive, usually answering questions in a few minutes 24/7.
We just started offering Let's Encrypt certificates. You can install a certificate for your domain via the "SSL" -> "Let's Encrypt Certificates Manager" section in the hosting Control panel. --Ken Roy (talk) 06:39, 11 October 2016 (CDT)

TNG Web Hosting: (Owner comment via TNG community forum)

(Host Provider Name): (Users are invited to post their host provider policy here)

ICDSoft Let's Encrypt

ICDSoft has started offering Let's Encrypt free certificates. To install them use the following approach:

  1. Select the SSL icon on the Control Panel
  2. Click the Continue button on the next screen
  3. Select your domain and the subdomains for which you want certificates
  4. Click the Enable button
  5. Change your Genealogy URL to use https to eliminate the mixed content error message
  6. Enable the redirect from http to https
    Note: you may want to resolve any mixed content before enabling the http to https redirect

Ordering and Installing SSL on other Host Provider servers

Here is a small guide on how to use an SSL certificate for a TNG installation. (Translation provided by Olaf and Arnold.)

SSL and IP

When ordering the SSL certificate you also need to order a fixed IP address, so that your internet service provider (ISP) can install the SSL certificate in your hosting account.
Your hosting account may already include the SSL / IP feature, which of course makes ordering it separately unnecessary and is also more convenient and cheaper. So definitely ask your ISP, search their website, or read your account conditions!

SSL certificate providers

SSL certificates can be obtained from

CSR-Generator

CSR Generator by Methfessel Computers

Methfessel Computers offers a CSR generator which produces the CSR code, the first item needed to fill in the Xolphin application form.


The CSR form requires the following fields (example values in quotes):

  • Country (ISO 2 letter code): "DE"
  • State / Province: "Some State"
  • City / Place of Residence (e.g. City): "Place"
  • Name of Organization (company): "First and lastname"
  • Section: "Homepage" (***)
  • Domain (common name): "domain.tld"
  • eMail (email): "admin@domain.tld"

Which data from the CSR code is entered in the form depends on the type of SSL certificate. Depending on the price class of the SSL certificate, different information from the CSR code is expected and processed into the certificate.
(***) "Abteilung (section)": what you enter here is not crucial, as it is not queried or processed for the cheaper certificates.

IMPORTANT:
You MUST save the contents of the two text fields Private Key and Ihr CSR (your CSR) as text files, either on your hard drive or on some other storage medium, because they can NOT be recreated!
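As an added example (not part of this wiki page, and not the Methfessel generator or Xolphin's form), the same key pair and CSR can be produced locally with the openssl command line, which keeps the private key on your own machine from the first moment and directly satisfies the rule above. The subject fields use the form's sample values; the file names and the assumption that the openssl CLI is installed are mine.

```shell
#!/bin/sh
# Added example (not from the TNG wiki or the Methfessel generator): create the
# private key and CSR locally with the openssl CLI, using the CSR form's sample
# values as subject fields. The key is written only to your own disk.
# Assumptions: the openssl CLI is installed; file names are placeholders.

# Subject fields exactly as the CSR form lists them (sample values from the page).
CSR_COUNTRY="DE"                  # Country (ISO 2 letter code)
CSR_STATE="Some State"            # State / Province
CSR_LOCALITY="Place"              # City / Place of Residence
CSR_ORG="First and lastname"      # Name of Organization
CSR_UNIT="Homepage"               # Section (OU); not checked for the cheaper certificates
CSR_DOMAIN="domain.tld"           # Domain (common name)
CSR_EMAIL="admin@domain.tld"      # eMail

# Build the X.509 subject string openssl expects from the fields above.
csr_subject_string() {
  printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' \
    "$CSR_COUNTRY" "$CSR_STATE" "$CSR_LOCALITY" "$CSR_ORG" \
    "$CSR_UNIT" "$CSR_DOMAIN" "$CSR_EMAIL"
}

# generate_csr KEYFILE CSRFILE: new 2048-bit RSA key (unencrypted, as the web
# generator produces) plus a SHA-256 signed CSR. Returns openssl's exit status.
generate_csr() {
  key_file="$1"; csr_file="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key_file" -out "$csr_file" \
    -subj "$(csr_subject_string)" >/dev/null 2>&1 || return 1
  chmod 600 "$key_file"   # the private key is the secret: owner-readable only
}

# csr_is_valid_for CSRFILE DOMAIN: check the CSR before pasting it into the
# provider's form. Its self-signature must verify and the common name must be
# the domain you are ordering the certificate for.
csr_is_valid_for() {
  csr_file="$1"; domain="$2"
  openssl req -in "$csr_file" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr_file" -noout -subject | grep -q "CN *= *$domain"
}

# Stand-alone use: sh make_csr.sh domain.key domain.csr
# Writes both files and prints the CSR that goes into the provider's CSR field.
if [ "$#" -eq 2 ]; then
  generate_csr "$1" "$2" || { echo "openssl failed to create key and CSR" >&2; exit 1; }
  csr_is_valid_for "$2" "$CSR_DOMAIN" || { echo "CSR check failed" >&2; exit 1; }
  cat "$2"
fi
```

Keep domain.key where only you can read it (it is never sent to anyone) and paste only the printed CSR into the provider's form; the CSR contains the public key and subject, nothing secret. The check function catches the two mistakes that cost a re-order: a corrupted paste and a CSR made for the wrong common name.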

Applying for the SSL certificate

Copy the generated CSR code and paste it into the "Uw CSR" field of the certificate provider Xolphin.

Xolphin: Paste CSR-Code
Put the (German) postal code and the place in "Uw betalingskenmerk" (your payment reference), because Xolphin cannot handle 5-digit postal codes.
Put a Dutch postal code in "Postal code", because Xolphin cannot handle 5-digit postal codes.

Trouble/Problems with TNG and SSL

Ordinarily, the transition to a secure address is seamless and all pages on your site will display the green padlock in the browser address bar, which indicates that your site is secure.
There are, however, issues that can cause your site or certain pages on your site to display security (mixed content) messages. These are normally a result of customisations made to your website, such as code additions or changes made in the header, footer, main body or menus. More info - Mixed Content and Mixed content blocking in Firefox
To secure your site, you will need to identify this unsecured content and make the necessary code changes yourself, as your hosting provider cannot be expected to make corrections to customisations made to your website.
Your host provider is more than willing to help with any other transition issues.

The following are some known issues:

Known Specific Issues in early versions of TNG

  • Since the Simile Timeline is generated by a TNG program script that loads code from another server (http://simile.mit.edu/timeline/) over an insecure HTTP connection, the SSL connection prevents the code from executing! The solution is a local installation of the Simile Timeline scripts and adjusting the paths in the file timeline2.php.
  • If you ignore the security warning message, the SSL certificate will always show a security error in the browser bar.
  • The TNG Captcha Mod provided by Roger Moffat, which uses Google reCaptcha, will not be displayed, so you will need to use a different Captcha mod (e.g. Rick Bisbee's).
  • Other Google scripts (Google Maps) running over non-secured connections to Google servers. With Google addresses one can modify the URL to use HTTPS, so that the security warnings are no longer displayed. After all, with TNG, one would not want to do without Google Maps.

Non-Specific Issues including recent versions of TNG

The basic TNG installation from version 10 onward has no known unsecured (mixed) content and should not generate any browser security messages, provided you have updated your Genealogy URL in Admin > Setup > General Settings > Site Design to use https. The only issues that you may encounter are due to modifications and/or customisations that have been added to the basic TNG package. Some of the more common types of insecure content are listed below:

  • Images coming from an unsecured source
  • Scripts coming from an unsecured source
  • Scripts that pull content from an unsecured source (for example, an RSS feed with unsecured images)
  • The World Map Mod currently generates mixed content (fixed in v11.0.2.0)
  • The Ancestor Map Mod does not currently support https (fixed in v11.0.2.3)

Identifying Unsecured (Mixed) Content

Using Firefox browser

  • Select the Tools menu
  • Select the Developer tool
  • Select the Web Console in the Developer submenu
  • Click on the Security tab in the Console inner menu

This will display a list of unsecured content on that web page.

Using Chrome browser

  • Click on the ... icon stacked vertically in the top right of the browser
  • Select More Tools from the displayed list of options
  • Select Developer Tools
  • Click on the Console tab

This will display a list of unsecured content on that web page.

Fixing the problems

Simile Timeline

Download the zip file timeline_libraries_v2.3.0.zip, which contains the scripts of the Simile Timeline, and upload the "timeline_2.3.0" folder to the TNG js folder.
In the file timeline2.php the paths in lines 338-351 need to be adapted and two lines added. After the change the section looks like this (replace the whole block if necessary):

if($pedigree['simile']) {
    $flags['scripting'] .= "<script type=\"text/javascript\">
        var tlstartdate = \"" . ($row['birth'] + floor($deathage/2)) . "\";
        var xmlfile = \"" . getURL("ajx_timelinexml",1) . "earliest=$earliest&latest=$latest\";
        var yearpct = \"" . $ypct . "%\";
        var monthpct = \"" . $mpct . "%\";
        var yearmultiple = " . $ymult . ";
        var yearpixels = " . $ypixels . ";
        var monthpixels = " . $mpixels . ";
        // point the Simile loader at the local copy under js/timeline_2.3.0 instead of simile.mit.edu
        var Timeline_ajax_url = \"" . $cms['tngpath'] ."js/timeline_2.3.0/timeline_ajax/simile-ajax-api.js\";
        var Timeline_urlPrefix = \"" . $cms['tngpath'] ."js/timeline_2.3.0/timeline_js/\";
        var Timeline_parameters = 'bundle=true';
    </script>\n";
    $flags['scripting'] .= "<script type=\"text/javascript\" src=\"" . $cms['tngpath'] ."js/timeline.js\"></script>\n";
    // timeline-api.js is now served from the uploaded folder over the site's own (https) connection
    $flags['scripting'] .= "<script type=\"text/javascript\" src=\"" . $cms['tngpath'] ."js/timeline_2.3.0/timeline_js/timeline-api.js\"></script>\n";
}

Image Captcha

With the Image Captcha add-on by Rick Bisbee the Captcha functionality can be used without error. If you do not like the supplied graphics, you can supplement them with your own pictures.

Google Maps

The map display integrated in TNG loads the required scripts to match http or https. Only if additional or separate pages with Google maps are installed, which load the API scripts on their own, must the API link be changed to https where necessary.

Unsecured Images and Scripts

Unsecured images and scripts will need to be sourced from a secure (https) source or removed from customisations and modifications. In many cases this will only involve changing the source address from http to https. Otherwise you will need to get the secure version of the source material, which may require contacting the author of the content.

Note that you should first change your Genealogy URL in TNG Admin > Setup > General Settings in the Site Design and Definition section to use https and see if that resolves some of the unsecured sections of your web page.
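The following is an added example, not TNG code and not the browser procedure described above: a shell audit that runs the same kind of check over a saved HTML page (constructed here) and reports each http:// sub-resource, separating content browsers block outright (scripts, frames, stylesheets) from content they load with a downgraded padlock (images, media). It also applies the two fixes this page names: the plain http-to-https rewrite of the source address, and a check for the upgrade-insecure-requests header from the ICDSoft note. The sample page, headers and host names are constructed, and it assumes double-quoted src/href attributes.

```shell
#!/bin/sh
# Added example (not TNG code): a grep-based audit of one HTML page for
# sub-resources fetched over plain http, i.e. the "mixed content" described on
# this page, plus the two fixes the page mentions.
# Assumes double-quoted src/href attributes; one tag may not span two lines.

# Constructed sample page standing in for a customised TNG page served over https:
# favicon and a third-party timeline script over http, one photo over http, one
# protocol-relative photo (fine on https) and an ordinary link (not a resource).
SAMPLE_HTML='<html><head>
<link rel="icon" href="http://example.invalid/tng/favicon.ico">
<script type="text/javascript" src="http://cdn.example.invalid/timeline/timeline-api.js"></script>
<script type="text/javascript" src="https://maps.googleapis.com/maps/api/js"></script>
</head><body>
<img src="http://example.invalid/tng/photos/john.jpg" alt="John">
<img src="//example.invalid/tng/photos/jane.jpg" alt="Jane">
<a href="http://example.invalid/other-site/">an ordinary link</a>
</body></html>'

# Constructed response headers, as produced by the .htaccess addition above.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: upgrade-insecure-requests;'

# find_mixed_content HTML: one line per insecure sub-resource, formatted
# "active|passive <tag> <url>". Navigation links (<a href>) are not mixed
# content and are skipped; protocol-relative "//host/..." URLs are fine too.
find_mixed_content() {
  printf '%s\n' "$1" |
    grep -oiE '<(script|iframe|link|img|audio|video|source|object|embed)[^>]*(src|href)="http://[^"]*"' |
    sed -E 's#^<([A-Za-z]+)[^>]*(src|href)="(http://[^"]*)"$#\1 \3#' |
    while read -r tag url; do
      tag=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
      case "$tag" in
        # scripts, frames, stylesheets, plugins: browsers block these outright
        script|iframe|link|object|embed) kind=active ;;
        # images, audio, video: loaded, but the padlock is downgraded
        *) kind=passive ;;
      esac
      printf '%s %s %s\n' "$kind" "$tag" "$url"
    done
}

# Number of findings, as a bare integer.
count_mixed_content() { find_mixed_content "$1" | wc -l | tr -d ' '; }

# upgrade_resource_urls HTML: the "change the source address from http to https"
# fix. Only correct when every origin really answers over https; re-audit after.
upgrade_resource_urls() {
  printf '%s\n' "$1" | sed -E 's#(src|href)="http://#\1="https://#g'
}

# csp_upgrades_requests HEADERS: true when the response carries the directive
# from the ICDSoft note, which makes browsers fetch http:// sub-resources over
# https instead of reporting them as mixed content.
csp_upgrades_requests() {
  printf '%s\n' "$1" | grep -qiE '^Content-Security-Policy:.*upgrade-insecure-requests'
}

# Stand-alone run: report the findings, then show the effect of the blind rewrite.
echo "Mixed content found: $(count_mixed_content "$SAMPLE_HTML")"
find_mixed_content "$SAMPLE_HTML"
echo "After rewriting to https: $(count_mixed_content "$(upgrade_resource_urls "$SAMPLE_HTML")")"
if csp_upgrades_requests "$SAMPLE_HEADERS"; then
  echo "Server sends upgrade-insecure-requests: remaining http references are auto-upgraded"
fi
```

Save the page with the browser's "Save page as" or fetch it with curl and pass its contents to find_mixed_content; a customised header, footer or menu template can be fed in the same way before it goes live. The rewrite is only safe where the origin really serves the resource over https, so run the audit again on the corrected page, which is the same confirmation the Firefox and Chrome consoles above give you.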

Mods

If a mod is found that has SSL issues, the Mod Developer would be the person to contact for resolution.

Related Links

Why SSL? The Purpose of using SSL Certificates

TNG - SSL Certificate necessary?

SSL-HTTPS a UK Experience

SSL and HTTPS Redirection a Cautionary Tale

Mixed Content

Mixed content blocking in Firefox