Difference between revisions of "TNG and SSL"
| Line 12: | Line 12: | ||
=== Hosting Providers === | === Hosting Providers === | ||
*Internet provider [http://www.methfessel-computers.de/produkte/ssl/ Methfessel Computers,Wiesbaden] is used as an example. | *Internet provider [http://www.methfessel-computers.de/produkte/ssl/ Methfessel Computers,Wiesbaden] is used as an example. | ||
| − | *[[File:simply_hosting_icon. | + | *[[File:simply_hosting_icon.png|thumb|left|100px|Simply Hosting]]The (currently recommended) hosting provider [https://www.simplyhosting.net/index.php Simply Hosting] include SSL by default, for no extra cost. (As at 15 Sep 2016) Anyone with them should be able to see their secure site by simply changing the address in the address bar to https. To get your users to enter your secure address site by default you will need to get a redirection from your http address to your https address put in place. If you ask them nicely, Simply Hosting may do this for you for free. Only time will tell whether Simply Hosting will put in place a policy of redirecting all their TNG sites to https by default or not. So if you are with Simply Hosting you may not have to do anything and it will eventually happen automatically free of charge. You may go directly to the [[#Trouble.2FProblems_with_TNG_and_SSL|Trouble/Problems section]] |
=== SSL und IP === | === SSL und IP === | ||
Revision as of 16:21, 14 September 2016
TNG and SSL
Here is a small guide on how to use a SSL-certificate for a TNG installation. (Translation provided by Olaf and Arnold).
Why SSL? The Purpose of using SSL Certificates
This article from the SSL Shopper website covers many Frequently Asked Questions about SSL
- Why SSL?
- Benefits of SSL
- Disadvantages of SSL
Hosting Providers
- Internet provider Methfessel Computers,Wiesbaden is used as an example.
- The (currently recommended) hosting provider Simply Hosting include SSL by default, for no extra cost. (As at 15 Sep 2016) Anyone with them should be able to see their secure site by simply changing the address in the address bar to https. To get your users to enter your secure address site by default you will need to get a redirection from your http address to your https address put in place. If you ask them nicely, Simply Hosting may do this for you for free. Only time will tell whether Simply Hosting will put in place a policy of redirecting all their TNG sites to https by default or not. So if you are with Simply Hosting you may not have to do anything and it will eventually happen automatically free of charge. You may go directly to the Trouble/Problems section
SSL und IP
When ordering the SSL Certificate you also need to order a fixed IP address, so that your internet service provider (ISP) can install the SSL certificate in your hosting account.
If your hosting account already includes the SSL / IP feature, which, of course, makes it unnecessary to order it separately and is also more convenient and cheaper. - So definitely ask your ISP, search their website, or read your account conditions!!
SSL certificate providers
SSL-Certificate can be obtained from
- Xolphin, NL from 12 € /yr inkl.tax/BTW
- Namecheap, US from $9.00 /yr
- StartSSL™ Free, Israel No Charge / 1 Year Validity
- Let's Encrypt No Charge / 3 month Validity - SSL certificate generator
CSR-Generator
Methfessel Computers offers a CSR generator which will produce the CSR code which is the first item needed to fill in Xolphin application form.
The CSR-Form requires:
|
|
The data from the CSR code to be entered in the form, will depend on the type of the SSL-Certificate.
Depending on the value of the SSL certificates different information from the CSR code are expected and processed in the SSL certificate.
(***) "Abteilung (section)" - what one enters there is not as crucial as this is not queried in favorable certificates / processed.
IMPORTANT:
You MUST keep the data entered in the two text fields Private Key and Ihr CSR safe, as text files, either on your hard drive or some other storage medium because they can NOT be recreated!
Apply SSL certificate
Copy the generated CSR code and paste it into the "Uw CSR" field of the certificate provider Xolphin.
Trouble/Problems with TNG and SSL
The following are known issues:
- Since the Simile Timeline is generated by a TNG program script that executes code on another server (http://simile.mit.edu/timeline/) over an insecure HTTP connection, the SSL connection prevents the code execution! Solution is the local installation of the simile timeline scripts and adjust the pathes in the file timeline2.php.
- If you ignore the security warning message, the SSL-certificate will always show a security error in the browser bar.
- The TNG Captcha Mod provided by Roger Moffat that uses Google reCaptcha will not be displayed. So you will need to use a different Captcha mod (e.g. of Rick Bisbee)
- Other Google-scripts (Google Maps) running over non-secured connections to Google servers. With Google addresses one can modify the URL to use HTTPS, so that the security warning are no longer displayed. - After all, with TNG, one would not want to do without Google maps.
Update (15 Sep 2016)- The basic TNG installations from version 10 have no known insecure content and should not generate any browser security messages. The only issues that you may encounter are due to any modifications and/or customisations that have been added to the basic TNG package. Some of the more common types of insecure content are listed below
- Images coming from an unsecured source (http address)
- Scripts coming from an unsecured source (http address)
- Scripts that pull content from an unsecured source (for example... an RSS feed with unsecured images)
- (No mods to date have been identified as having any SSL security issues)
Fixing of the problems
- Simile Timeline
Download the zip file at timeline_libraries_v2.3.0.zip, which contains the scripts of the Simile Timeline. Upload the "timeline_2.3.0" folder to the TNG js-folder.
In the file 'timeline2.php' the paths need in the lines 338-351 adapted and two lines are added. Changed this would display so (area, if necessary, replace completely):
if($pedigree['simile']) {
$flags['scripting'] .= "<script type=\"text/javascript\">
var tlstartdate = \"" . ($row['birth'] + floor($deathage/2)) . "\";
var xmlfile = \"" . getURL("ajx_timelinexml",1) . "earliest=$earliest&latest=$latest\";
var yearpct = \"" . $ypct . "%\";
var monthpct = \"" . $mpct . "%\";
var yearmultiple = " . $ymult . ";
var yearpixels = " . $ypixels . ";
var monthpixels = " . $mpixels . ";
var Timeline_ajax_url = \"" . $cms['tngpath'] ."js/timeline_2.3.0/timeline_ajax/simile-ajax-api.js\";
var Timeline_urlPrefix = \"" . $cms['tngpath'] ."js/timeline_2.3.0/timeline_js/\";
var Timeline_parameters = 'bundle=true';
$flags['scripting'] .= "<script type=\"text/javascript\" src=\"" . $cms['tngpath'] ."js/timeline.js\"></script>\n";
$flags['scripting'] .= "<script type=\"text/javascript\" src=\"" . $cms['tngpath'] ."js/timeline_2.3.0/timeline_js/timeline-api.js\"></script>\n";
}
- Image Captcha
With the use of the modification Image Captcha add-on by Rick Bisbee the Captcha functionality can be used without error. Who the offered graphics do not like, it can complement with your own pictures.
- Google Maps
The map display, which is integrated in TNG, load the needed scripts fit to http or https. Only if additional or separate pages are installed with maps from Google, which recharge the API scripts separately, the API link to https must be changed if necessary.
- Insecure Images and Scripts
Insecure images and scripts will need to be sourced from a secure (https) source or removed from customisations and modifications. In many cases this will only involve changing the source address from http to https. Otherwise you will need to get the secure version of the source material, This may require contacting the author of the content.
- Mods
If a mod is found that has SSL issues, the Mod Developer would be the person to contact for resolution.
