Embedded Forums and https

classic Classic list List threaded Threaded
1 message Options
GregChapman GregChapman
Reply | Threaded
Open this post in threaded view
|

Embedded Forums and https

This post was updated on .

Introduction

The Administrator's Guide on this site explains much about the various applications available from Nabble (including forums, blogs and bulletin boards) all of which may be embedded in your own web site as way of providing an opportunity for users to discuss issues raised and provide feedback. This article concentrates on what needs to be done to overcome an issue that arises when you attempt to embed a Nabble application served over an encrypted connection.

Many will be aware that there is increasing demand for all traffic on the web to be secured with encryption during transmission from server to browser. If traffic between your server and your visitors is encrypted the address the address bar in their browser will show prefixed with "https://" typically with a "padlock" icon present.

If the web site in which you embed your Nabble application (forum, blog, etc) is served with https then, until you complete the steps described below, your forum will only appear as a link unless you disable the https facility (a.k.a SSL or Secure Sockets Layer).

  1. Prerequisites
    1. Register a Domain Name for Your Site
    2. Obtain a Digital Certificate
  2. Preparation
    1. Set Up a Subdomain
    2. Link the Subdomain to the Nabble Server
    3. Set Subdomain to be Used by Forum
    4. Post a Message on Nabble Support
  3. Implementation
    1. Update the Forum Embedding Code
    2. Set Requests to Redirect to https

More detail on each of these steps is given below:

The Prerequisites

1.1 Register a Domain Name for Your Site ^ >

Having your own domain name for your site is required if an embedded Nabble application is to work with https. (Search: Domain Name Registrar for companies that can provide one.) This is because the "certificate" you need for the transmission of data to be encrypted is only granted to the owner of a domain.

Those constructing their site on their own computer and then upload the files to a conventional web hosting service, will have already completed this step.

Those using online site-builder services will need to obtain one so their site appears to be their own and does not use a domain name that includes reference to Weebly, Wix, WordPress, Squarespace or whatever service they use. A domain name can often be obtained from the service as part of an upgrade package that includes the removal of advertising from the site.

1.2 Obtain a Digital Certificate < ^ >

The encryption/decryption process uses "public key" technology. The certificate provides the public key and is queried to allow decryption of any traffic between the user and your site's server.

Certificates do not have to cost you money. Free certificate issuing services do exist. However, while all certificates will allow encrypted transmission not all browsers will treat all certificate issuing organisations as providing appropriate security to show a "padlock" icon. Google's Chrome is notable for this.

If you use a site builder or hosting service that delivers your site via https by default then the service holds the necessary certificate for their domain. However, Nabble's servers will not be included on that certificate and this is why content transmitted from Nabble' servers will not appear in a page served via https from another domain. As with a domain name it may be possible to obtain a certificate through the site builder's service.

In some hosting packages (and site-builder services?) you can obtain a certificate directly through the control panel/dashboard. In others you will need to request the facility from your host's Help Service or by raising a ticket.

NOTE: You are welcome to improve this article by submitting details of how you obtained a certificate with your host or site builder service (with screen dumps).

Preparation

2.1 Set Up a Subdomain < ^ >

The subdomain you are asked to establish will be used by Nabble to make it appear that your forum is served from your domain not theirs. By keeping the forum within a subdomain it is isolated from the rest of your domain and should your forum or Nabble's servers be compromised in some way the connection can easily be (temporally) withdrawn from your site.

Typically, you'd name the subdomain "forum", so the subdomain you pass to Nabble would take the form "forum.mydomain.com", but it could be "blog", "news" or any other name that reflects the function of the app.

When using a hosting service you can expect to be able to specify where the files for the subdomain you create are to be stored, typically referred to as the "Document Root". This can be the default folder for your web site, typically "public_html" or "www".

If you maintain a number of sites at your hosting account it could also be in a subfolder of the default directory. Then the settings might need to look like the example below:

Subdomain Settings

If you use this approach then there is no need to move your files into the folder that might have been created when you created your subdomain and no need then to edit the navigation links within your site.

NOTE: You are welcome to improve this article by submitting further examples of setting up a Subdomain on other hosting and Site builder services.

2.2 Link the Subdomain to the Nabble Server < ^ >

Having created the subdomain you must link it to the Nabble server on which your forum runs, so the forum appears to run from your domain.

If you are not certain on which Nabble server your forum runs, you can find that information on the Forum's Change Domain Name screen. See the screen image in the Next Step. You can also see it in the tail of address shown as the "Permalink" of your forum or in in the address bar of your browser if the forum is not embedded.

Turn to the option where you can set a CNAME record for it. Below is a typical dialogue through which you'd enter the record. In this example the forum is to be embedded in the "GregTutor" website and forum runs on the same server as GregHelp:

Adding CNAME Record

NOTE: You are welcome to improve this article by submitting further examples how link a subdomain to your Nabble forum on other hosting and Site builder services.

2.3 Set Subdomain to be Used by Forum < ^ >

We now turn to your Nabble forum and at the top level visit:

Options > Application > Change domain name
This opens a screen similar to that below, where you need to select the "Your Own Domain" option. You will have already completed "Step 1" of the process so you now need to enter the name of your subdomain in the field at "Step 2".

NOTE: The steps described on this screen are worded on the basis that you wish to run a non-embedded Nabble forum under a domain that you own. For the current purpose it is better to read "custom domain" as "subdomain" and for our purpose the example at "Step 2" should take the form:

subdomain.mydomain.com
Change Domain Name Screen

If after saving the changes you made on this page you see a warning message like that shown here:

Warning Message

then you have not allowed sufficient time for your new subdomain to have propagated through the Internet. You will need to wait and return to the screen before the subdomain will be accepted. You may try to enter it several times, but eventually, you may find another warning:

Domain Already Set

This one means that you are ready to move to the next step. Only if the new setting is saved and no warning is produced can it be taken that you left enough time between setting up the subdomain and taking this step will you know that Nabble now has the information it needs to implement https on your forum.

You'll notice that there's no action to take at "Step 3". It just tells you to expect an email, but don't forget to click the "Save Changes" button before leaving the screen!

2.4 Post a Message on Nabble Support < ^ >

Having taken all the steps above you will have supplied all the information needed by Nabble. However, because new domain names take a variable time to propagate there is no automated system for turning on https at Nabble's end. You will need to visit:
http://support.nabble.com/Https-Protocol-Request-tp7600969.html
and post a reply to the most recent message at the end of that topic. It request the https protocol be implemented on your forum. To ease the process, it is good practice to specify both:

  • The full URL of your subdomain
  • The full URL of your Nabble app

as this is a way of indicating that you have taken the necessary steps at your site and at the forum. Because of possible delay in DNS propagation at Nabble's end don't expect an instant confirmation that https is available on your forum.

While you wait for a response from Nabble your forum will continue to work in unencrypted form. Should you attempt to use https then the forum will continue to be replaced by a link.

Implementation

3.1 Update the Forum Embedding Code < ^ >

Once Nabble confirms implementation of https you are now ready to put it into action on your site. You can choose to do that at any point. The forum will continue to work without SSL as it did before.

To implement it you first need to update the forum's embedding code in your web site. All that is required is that you change the old forum address to the new subdomain address that you created, not forgetting to change the "http://" prefix to "https://".

For example, if I had my GregHelp forum embedded in another site and had created a subdomain "forum.greghelp.org.uk" then my embedding code would change from:

<a id="nabblelink" href="http://greghelp.991552.n3.nabble.com/">GregHelp</a>
<script src="http://greghelp.991552.n3.nabble.com/embed/f2479465"></script>

to:

<a id="nabblelink" href="https://forum.greghelp.org.uk/">GregHelp</a>
<script src="https://forum.greghelp.org.uk/embed/f2479465"></script>
If you are concerned about editing the updated embedding code manually there is a copy and paste method that could be employed.

  • Step 1: Ensure your forum is set to "Allow users to view this forum without embedding"
    (You may return it to "Redirect them to:" as a final step, if desired.)
  • Step 2: Visit your forum using the subdomain address you have created for it.
    (Now that Nabble has implemented https for that address, the forum will be delivered via SSL and your browser address bar will show an "https://" prefix.)
  • Step 3: Navigate to the Embedding Options page.
    (The updated embedding code will be shown and this can be pasted into the forum page on your main site.)

3.2 Set Requests to Redirect to https < ^

Now when someone specifically requests that traffic on your site be encrypted by entering the appropriate address commencing with "https://" the full forum will display. Anyone doing this will also discover that once a secure connection is made with your site then all pages on that visit will be via a secure connection (confirmed by the "https://" remaining in the address bar). However, you will wish to ensure that all visitors operate through an encrypted connection.

Those running on platforms such as Weebly and Wix, should now turn on SSL again on their site. Then, regardless of the type of connection they request, an encrypted connection will be forced on them.

For those who use traditional hosting packages, the standard technique for Linux based servers (and most are!) is to add an ".htaccess" file to the root folder of their site that includes code that changes all http requests to be delivered over https. The code to achieve this is:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://mydomain.com/$1 [R=301,L]
(where you substitute "mydomain.com" for yours).

Forcing requests for your site to be delivered by https also overcomes the problem that arises should an external link to your site be created while the site was running on http.

NOTE: You are welcome to improve this article by submitting further examples how to force https on other hosting and Site builder services.

Greg