We were coming up on the time when our self-signed SSL certificate was about to expire. And, we also needed an overhaul of our server. The kernel was getting outdated. So, a few hours ago I finished generating a new server configuration at Digital Ocean. And, we are running on that now. Following the server generation, I used Let's Encrypt to get us our first publicly authorized certificate. (I'd been watching the Let's Encrypt initiative evolve and have been wanting to use it. But, it wasn't ready for last year's certificate.) In addition, some header changes have also been made to further improve security. SSL Labs results now: And, from securityheaders.io, our HTTPS score is up from a B to A (I'm still researching that last item): Let me know if you see anything not working right. The server and package changes were pretty significant. There's always a chance something got missed.
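The post above mentions header changes graded by securityheaders.io but does not show them. As an added example (not code from the thread or from the forum's server), here is a small offline checker that parses a raw HTTP response header block and reports which of the commonly graded security headers are missing or weak. The expected-header list, the value checks and the letter grade are my own simplified stand-in, not securityheaders.io's actual algorithm, and the two header blocks are constructed samples, not captures from this site.

```python
"""Offline check of HTTP response security headers (added example)."""
from __future__ import annotations


def _hsts_ok(value: str) -> bool:
    """Strict-Transport-Security must carry a positive max-age directive."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num) > 0
    return False


# Header name -> predicate on its value. Names are compared lower-cased
# because HTTP header names are case-insensitive. (Assumed checklist.)
EXPECTED = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "referrer-policy": lambda v: bool(v.strip()),
}


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Turn a raw response header block (status line first) into a dict."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def evaluate(headers: dict[str, str]) -> tuple[str, list[str]]:
    """Return (grade, problems): grade A means nothing missing, F five or more."""
    problems = [
        name for name, ok in EXPECTED.items()
        if headers.get(name) is None or not ok(headers[name])
    ]
    grade = "ABCDEF"[min(len(problems), 5)]
    return grade, problems


# Constructed sample: a bare nginx response before hardening.
BEFORE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: the same response with the headers added.
AFTER = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        grade, problems = evaluate(parse_raw_headers(raw))
        print(f"{label}: grade {grade}, problems: {problems or 'none'}")
```

To run it against a live server, feed `parse_raw_headers` the header block from `curl -sI https://example.invalid/` (placeholder host); the checker itself never touches the network.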
Let's Encrypt only does 90-day certificates for these reasons: https://letsencrypt.org/2015/11/09/why-90-days.html But, they have an automated renewal interface built in to the client.
Nice to see, but I hope you will keep nginx up to date. jQuery is totally outdated, maybe you can remove it entirely. What's the hardware of the new system? And the OS?
We always keep nginx (and PHP for that matter) updated. We were using the legacy branch on the last configuration, but, it was being updated whenever patches came out. It was being refreshed very frequently though because of all the OpenSSL updates that kept coming out. They needed to be compiled in to nginx. We're on the latest version in the 1.9 branch now. Not if we want to continue using XenForo, we can't. Their current product line is built with jQuery. It's a Digital Ocean droplet. It's all virtual, so, you don't really get to see the hardware directly. But, it's fairly good technology at a reasonable price. The SSD seems to make the most difference over our previous dedicated server configuration from a while back. We're running CentOS 7.2 with MariaDB 10.
CentOS is a good choice but more RAM eating than Debian. I may get one or more virtual servers over at Microsoft Azure, but well I still can't decide for the OS to use. (There are just too many good ones.) I personally would use IPB preferably. If you can't remove jQuery I would at least update it: https://jquery.com/ As for PHP 7, it makes a massive difference in speed. Are you already running it? Also please link all http to https.
The only jQuery we are using here comes bundled with XenForo. It expects the version they ship with the forum software. That's a little too bleeding-edge for me. I'm sticking with the 5.6 branch for now. Maybe in 6 months or so, I'll make the move. I'm not going to force https-only just yet. I have alterations in XenForo though that presents to each visitor all local forum links in the same mode they are viewing the page in. If you browse with https, all member posted links to other content on this domain are presented to you as https, even if the member hardcoded http in their link. It keeps people from unexpected switching from one type of access to the other.
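The scheme-matching behaviour described in the post above (local forum links shown as https to an https visitor even when a member hard-coded http) is implemented inside XenForo and is not shown in the thread. As an added example, not the forum's own code, here is the same idea in a few lines of Python: every `href` whose host is this forum is rewritten to the scheme the viewer arrived with, while links to other hosts and relative links are left untouched. The host list comes from the thread; the sample post HTML and its thread path are constructed.

```python
"""Rewrite local forum links to match the viewer's scheme (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts that count as "this forum" (taken from the thread's hosts-file post).
LOCAL_HOSTS = {"wilderssecurity.com", "www.wilderssecurity.com"}

# Deliberately narrow: only double-quoted href attributes, as member posts
# rendered by the forum software produce them. Not a general HTML parser.
HREF_RE = re.compile(r'href="([^"]+)"')


def match_scheme(html: str, viewer_scheme: str) -> str:
    """Return html with local absolute links switched to viewer_scheme.

    viewer_scheme is "http" or "https", i.e. how the visitor loaded the page.
    Links to other hosts keep whatever scheme the member wrote, because the
    forum cannot know whether those hosts serve the other scheme at all.
    """
    if viewer_scheme not in ("http", "https"):
        raise ValueError("viewer_scheme must be http or https")

    def fix(match: re.Match) -> str:
        url = match.group(1)
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname in LOCAL_HOSTS:
            # Keep netloc, path, query and fragment; only the scheme changes.
            url = urlunsplit((viewer_scheme,) + tuple(parts[1:]))
        return f'href="{url}"'

    return HREF_RE.sub(fix, html)


# Constructed sample post: one hard-coded http local link, one external
# https link, one relative link.
SAMPLE_POST = (
    '<a href="http://www.wilderssecurity.com/threads/new-cert.123/">thread</a> '
    '<a href="https://letsencrypt.org/">Let\'s Encrypt</a> '
    '<a href="/forums/">forums</a>'
)

if __name__ == "__main__":
    print(match_scheme(SAMPLE_POST, "https"))
    print(match_scheme(SAMPLE_POST, "http"))
```

The design choice worth noting is the asymmetry: an https visitor never gets downgraded to http by a local link, but the rewrite does not touch third-party links, which is exactly the "do not unexpectedly switch modes on this domain" goal the post describes, rather than a forced https-only policy.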
WRT that, I think people who want deterministic behavior ought to be forcing their preference on the client side. There are both http and https links to Wilders floating around the web. It is possible that someone could enter Wilders via https, head elsewhere, then come back in via http. Or vice versa. Accidentally bookmark a URL with the wrong scheme. Forget to adjust the scheme in search results. Etc. Thank you for your efforts LWM. Oh, and for helping me shake off my drowsiness. Earlier, I came here then saw the "New Certificate" title and perked right up... wondering, for a moment, why I hadn't seen a new self-signed certificate error!
1. If that's the case the guys on XenForo dev team should take a look at this. 2. XenForo runs with pretty much 0 issues on PHP 7 as far as you can see on their forums: https://xenforo.com/community/threads/xenforo-on-php7.87806/ (Please note that the first posts are from the days when PHP 7 was in Beta.) 3. Don't forget to force https at some point.
@Krusty13 I must be going blind! Thanx. @LowWaterMark As above, sorry about that. All the best with everything.
Great job! Btw, if you only want HTTPS, HTTPS Everywhere already has a rule for Wilderssecurity, just enable it and you're set. (Still disabled by default, probably because of the old self-signed cert.)
Also, if anyone is using NoScript, add wilderssecurity.com to Options > Advanced Tab > HTTPS Tab, under Force the following sites to use secure (HTTPS) connections. Just FYI.
Working nicely on this end. I didn't log in until I read this thread because the cert fingerprint changed and my software flagged it immediately. I do like being able to come here and read before entering private log in credentials when that happens. Great work!!
Mike, thank you as always! Seeing your info, the IP address has been changed, and those of us who use HTTP here and who have the IP address in their HOSTS file should change it accordingly:
Code:
104.236.97.180 wilderssecurity.com
104.236.97.180 www.wilderssecurity.com