Enable HTTPS for the forum

It would be great to enable https on this forum. I feel a bit uneasy about having a personal account with a password here while the login process is not encrypted.


@sadhen is this possible? I myself have admin access, but I do not have any knowledge of this forum software. If somebody finds out how to do it I can follow their instructions…

This looks like the official instructions:


Maybe you can run the setup again and it will install the site with https support ("Unless you are an expert sysadmin and know a reason not to do that, you should run discourse-setup rather than read any further.")


Thanks. @sadhen? What do you think? Are there reasons not to have HTTPS support?

Perhaps it could make sense to combine this with a move to forum.texmacs.org
The texmacs.org domain already has a Let's Encrypt certificate.


BTW, currently texmacs.org does not redirect to the https site by default. But if you manually specify https it does work.


Thanks for this piece of information. For users, for the moment, one could set up a rule in the plugin "HTTPS Everywhere" (https://www.eff.org/https-everywhere).

I figured the reason TLS wasn’t being used was because the webmaster was in mainland China and wanted to stay on the good side of their law. That, or the original webmaster just wanted to get something up quickly without messing around with configuring port 443 stuff.

Several times I have decided against participating in discussions because I prefer my IP address not to be broadcast in public. I would buy a couple lunches for whoever wanted to enable HTTPS.

Not just IP addresses. Password, username etc… Nothing is private :frowning:


No law in mainland China prevents me from enabling HTTPS.

It is just too complicated to enable HTTPS. And using HTTPS, I have to update the certificate regularly.

Maybe somebody would like to help in this matter and take care of this aspect? I think it would indeed be important to be able to use HTTPS.

I thought that HTTPS only encrypts data, not metadata. For IP privacy you should use something like Tor.

I thought that HTTPS only encrypts data, not metadata. For IP privacy you should use something like Tor.

You’re right.

I just remembered a good reason to use HTTPS that hasn’t been mentioned in this thread yet: some TeXmacs forum user might unwisely be reusing their passwords from other more valuable attack targets such as their bank account. Strictly speaking, it’d be their own fault for losing their money/employment by reusing passwords but I wouldn’t recommend my less technical friends or family to make an account here.

Maybe somebody would like to help in this matter and take care of this aspect? I think it would indeed be important to be able to use HTTPS.

If I were to start up a new discourse instance, the “30-minute basic install” guide linked to from this page is what I would follow.

As for migrating the existing forum database, the procedure seems to be: use the admin dashboard to export a backup file, transfer the .tar.gz backup file to the new Discourse instance, and import the file there.

The only step I am not familiar with is setting up the message transfer agent (e.g. postfix?) to handle email for account recovery and registration. The existing server seems to have already set this up so it’d probably be easier to use that; otherwise, for email to work properly, the Discourse setup instructions indicate a paid service is the most straightforward method.

@sadhen, if you’re the forum server admin, can you tell us how much bandwidth per month it typically consumes? How much storage is required? What mail transfer agent (e.g. postfix?) for things like password resets have you found useful? Sorry to pepper you with questions but these details seem relevant in case you want to pass the torch.

For fun, I’ll test out the setup procedure on a throwaway AWS instance to check if I’m missing any steps.

Update (2022-01-17)

I fired up a test instance of Discourse at https://forum.reboil.com following the tutorial. Feel free to try it out! I got the math plugin to work.

(I’ll delete it in a week because it’s completely open and I just wanted to see if the tutorial was valid)

Cost

Cost-wise, it’s using:

  • 5 USD/month instance of Amazon Lightsail (could be DigitalOcean or something else)
  • 5 USD/month DNS service I already use for my personal sites
  • 0.80 USD/(10k emails) transaction email service by Mailgun (one of several options).
  • 0 USD/month for TLS encryption because the default Discourse setup script uses Let’s Encrypt. (This is the HTTPS part).

Time

Time-wise, it took me about 12 hours to understand and set up (I’m no web developer).

Automatic Certificate Renewal

I dug deeper to find out how it updates its Let’s Encrypt certificate. I found via:

sudo su -
cd /var/discourse
./launcher enter app
crontab -l

which yields:

34 0 * * * "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt" > /dev/null

This means that the Discourse docker container runs a daily script called acme.sh which checks each day whether it needs to renew the cert. Looking at the logs acme.sh produces (at /shared/letsencrypt/acme.sh.log), it waits to renew the cert until 1 month before the cert expires. After setting up this example Discourse server, the details of the page that @pireddag linked make much more sense.

Caveat

I’m not a web developer so I may be missing something silly that makes it difficult to enable HTTPS for this forum. I’m basically trusting the Discourse developers to know how to put together a Docker container so a novice like myself can create a forum without knowing the details.

tl;dr

So, from what I can tell, if you want to enable HTTPS for this forum, one way to do it would be to fire up a new instance according to the tutorial, let the current initialization script run as recommended, backup the old forum database (with uploads), and then restore the backup to the new instance.

Another way (possibly much easier) would be to follow the procedure @pireddag mentioned which involves adding two lines to /var/discourse/containers/app.yml, making sure port 443 is open to TCP traffic, and then rebuilding the docker container (which takes a few minutes on my setup).
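As an added example (my own code, not from this thread and not part of Discourse), here is a small Python checker for the two things the thread keeps returning to: whether the acme.sh renewal cron job has kept the certificate's expiry margin healthy, and whether plain http:// requests get redirected to https:// (the texmacs.org behaviour noted above). The hostname and the sample dates in it are assumptions, chosen only to illustrate.

```python
"""Audit a forum's HTTPS posture: certificate expiry margin and HTTP->HTTPS redirect.

Added example for this thread; not code from the forum or from Discourse.
"""
import http.client
import socket
import ssl
import time

# acme.sh (run daily from cron inside the Discourse container) renews roughly one
# month before expiry, so a margin below this suggests the renewal job is broken.
RENEW_MARGIN_DAYS = 30
REDIRECT_CODES = (301, 302, 307, 308)


def days_until_expiry(not_after, now_seconds):
    """Days left on a cert, given an openssl-style notAfter such as 'Mar 13 12:00:00 2022 GMT'."""
    expiry_seconds = int(ssl.cert_time_to_seconds(not_after))
    return (expiry_seconds - int(now_seconds)) // 86400


def expiry_status(not_after, now_seconds):
    """'ok', 'renew-soon' (renewal cron may have failed) or 'expired'."""
    days = days_until_expiry(not_after, now_seconds)
    if days < 0:
        return "expired"
    if days < RENEW_MARGIN_DAYS:
        return "renew-soon"
    return "ok"


def redirect_status(status, location, host):
    """Classify a plain-HTTP response by whether it sends users to https on the same host."""
    if status not in REDIRECT_CODES or not location:
        return "no-redirect"  # the login form would be served over cleartext
    if location.startswith("https://" + host + "/") or location == "https://" + host:
        return "https-redirect"
    return "other-redirect"


def check_host(host, timeout=10):
    """Live check (needs network). Returns (expiry_status, redirect_status)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]  # verified chain, openssl date format
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    return expiry_status(not_after, time.time()), redirect_status(resp.status, resp.getheader("Location"), host)


if __name__ == "__main__":
    print(check_host("forum.example.org"))  # hostname is a placeholder
```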

The password is also transferred in plain text? This should be changed. I thought that a hash code of the password is computed and then sent.

I thought that a hash code of the password is computed and then sent

Again, I said something incorrect. Discourse does hash passwords.

However, I don’t think even password hashes will protect an HTTP connection from a man-in-the-middle attack such as by your ISP.