New Server and New Certificate Installed

Discussion in 'General Topics' started by LowWaterMark, Mar 19, 2016.

  1. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    We were coming up on the time when our self-signed SSL certificate was about to expire. And, we also needed an overhaul of our server. The kernel was getting outdated. So, a few hours ago I finished generating a new server configuration at Digital Ocean. And, we are running on that now.

    Following the server generation, I used Let's Encrypt to get us our first publicly authorized certificate. (I'd been watching the Let's Encrypt initiative evolve and have been wanting to use it. But, it wasn't ready for last year's certificate.)

    In addition, some header changes have also been made to further improve security.

    SSL Labs results now:

    upload_2016-3-19_4-56-23.png


    And, from securityheaders.io, our HTTPS score is up from a B to A (I'm still researching that last item):

    upload_2016-3-19_5-6-24.png
    upload_2016-3-19_5-7-39.png

    Let me know if you see anything not working right. The server and package changes were pretty significant. There's always a chance something got missed.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,878
    Location:
    Australia
    Nice! Bookmark changed on all browsers, no complaints. :cool:
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Cert out of date already :D

    Cert Oops.png
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,878
    Location:
    Australia
    That's 17th of June 2016.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
  6. Secondmineboy

    Secondmineboy Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    84
    Location:
    Germany
    Nice to see, but I hope you will keep nginx up to date :)

    jQuery is totally outdated, maybe you can remove it entirely.

    What's the hardware of the new system? And the OS?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    We always keep nginx (and PHP for that matter) updated. We were using the legacy branch on the last configuration, but, it was being updated whenever patches came out. It was being refreshed very frequently though because of all the OpenSSL updates that kept coming out. They needed to be compiled in to nginx. We're on the latest version in the 1.9 branch now.

    Not if we want to continue using XenForo, we can't. Their current product line is built with jQuery.

    It's a Digital Ocean droplet. It's all virtual, so, you don't really get to see the hardware directly. But, it's fairly good technology at a reasonable price. The SSD seems to make the most difference over our previous dedicated server configuration from a while back. We're running CentOS 7.2 with MariaDB 10.
     
  8. Secondmineboy

    Secondmineboy Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    84
    Location:
    Germany
    CentOS is a good choice but more RAM eating than Debian :)

    I may get one or more virtual servers over at Microsoft Azure, but well, I still can't decide on the OS to use. (There are just too many good ones.)

    I personally would use IPB preferably.

    If you can't remove jQuery I would at least update it: https://jquery.com/

    As for PHP 7 it makes a massive difference in speed :) Are you already running it?

    Also please link all http to https :)
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    The only jQuery we are using here comes bundled with XenForo. It expects the version they ship with the forum software.

    That's a little too bleeding-edge for me. I'm sticking with the 5.6 branch for now. Maybe in 6 months or so, I'll make the move.

    I'm not going to force https-only just yet. I have alterations in XenForo though that present to each visitor all local forum links in the same mode they are viewing the page in. If you browse with https, all member posted links to other content on this domain are presented to you as https, even if the member hardcoded http in their link. It keeps people from unexpectedly switching from one type of access to the other.
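
The link handling described in the post above (same-domain links shown in whichever scheme the visitor is browsing with), as an added Python example; it is not XenForo's code or the forum's actual modification. The function names and the `LOCAL_HOSTS` set are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: the hosts that count as "this domain" (names taken from the thread).
LOCAL_HOSTS = {"wilderssecurity.com", "www.wilderssecurity.com"}

# href="..." or href='...' inside already-rendered post HTML.
HREF_RE = re.compile(r"""(\bhref\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)


def match_scheme(url, request_scheme):
    """Switch a local http(s) URL to request_scheme; return anything else unchanged."""
    if request_scheme not in ("http", "https"):
        raise ValueError("request_scheme must be 'http' or 'https'")
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:          # malformed netloc or port: do not touch it
        return url
    if parts.scheme not in ("http", "https"):
        return url              # relative links, mailto:, etc.
    # Exact match on the parsed hostname. A substring or prefix test would also
    # accept wilderssecurity.com.example.net or wilderssecurity.com@example.net.
    if host is None or host.lower() not in LOCAL_HOSTS:
        return url
    if port is not None:
        return url              # explicit port: the other scheme may not be served there
    return urlunsplit((request_scheme, parts.netloc, parts.path,
                       parts.query, parts.fragment))


def rewrite_post_links(html, request_scheme):
    """Rewrite every href in a rendered post to the scheme the visitor is using."""
    def repl(m):
        return m.group(1) + m.group(2) + match_scheme(m.group(3), request_scheme) + m.group(2)
    return HREF_RE.sub(repl, html)


# Constructed sample post body, not taken from the forum.
SAMPLE_POST = (
    '<a href="http://www.wilderssecurity.com/threads/example.1/#post-2">local</a> '
    '<a href="http://wilderssecurity.com.example.net/login">look-alike</a> '
    '<a href="http://example.org/">external</a>'
)

if __name__ == "__main__":
    print(rewrite_post_links(SAMPLE_POST, "https"))
```
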
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Many Kudos Mike!

    Daniel :thumb:
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    WRT that, I think people who want deterministic behavior ought to be forcing their preference on the client side. There are both http and https links to Wilders floating around the web. It is possible that someone could enter Wilders via https, head elsewhere, then come back in via http. Or vice versa. Accidentally bookmark a URL with the wrong scheme. Forget to adjust the scheme in search results. Etc.

    Thank you for your efforts LWM.

    Oh, and for helping me shake off my drowsiness. Earlier, I came here then saw the "New Certificate" title and perked right up... wondering, for a moment, why I hadn't seen a new self-signed certificate error!
     
  12. Secondmineboy

    Secondmineboy Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    84
    Location:
    Germany
    1. If that's the case the guys on XenForo dev team should take a look at this.
    2. XenForo runs with pretty much 0 issues on PHP 7 as far as you can see on their forums: https://xenforo.com/community/threads/xenforo-on-php7.87806/ (Please note that the first posts are from the days when PHP 7 was in Beta.)

    3. Don't forget to force https at some point.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Krusty13

    I must be going blind ! Thanx

    @ LowWaterMark

    As above, sorry about that. All the best with Everything
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Great job!
    Btw, if you only want HTTPS, HTTPS Everywhere already has a rule for Wilderssecurity, just enable it and you're set. (Still disabled by default, probably because of the old self-signed cert.)
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    Also, if anyone is using NoScript, add wilderssecurity.com to Options > Advanced Tab > HTTPS Tab, under Force the following sites to use secure (HTTPS) connections. Just FYI.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Good stuff.

    It will be on by default in the next version of HTTPS-E.
     
  17. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Working nicely on this end. I didn't log in until I read this thread because the cert fingerprint changed and my software flagged it immediately. I do like being able to come here and read before entering private log in credentials when that happens.

    Great work!!
     
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Mike,

    Thank you as always!

    Seeing your info, the IP address has been changed and those of us who use HTTP here and who have the IP address in their HOSTS file, should change it accordingly:

    Code:
    104.236.97.180 wilderssecurity.com
    104.236.97.180 www.wilderssecurity.com
    
     