Forums not redirecting to HTTPS


Postby halfgaar » Wed Mar 31, 2021 8:55 am

I don't quite know where to post this, but the forums are not redirecting to HTTPS:


$ curl --head http://forums.zimbra.org
HTTP/1.1 200 OK
Cache-Control: private, no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Apr 2021 11:39:42 GMT
Expires: Wed, 07 Apr 2021 11:39:43 GMT
Server: Apache
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Connection: keep-alive

Last edited by halfgaar on Wed Apr 07, 2021 11:40 am, edited 1 time in total.



Postby rleiker » Tue Apr 06, 2021 10:00 pm

You are correct. Additionally, if someone visits http://forums.zimbra.com, the forum will display in HTTP mode, but if changing the URL to https://forums.zimbra.com, a visitor's browser will display a mismatched SSL certificate warning, since the wildcard certificate presented is for *.zimbra.org.

I have opened a support case with Zimbra to try and bring some attention to these two misconfigurations. It is a trivial configuration correction that is needed in the web server hosting the Forum to fix both the issue you pointed out, in addition to the needed forums.zimbra.com to forums.zimbra.org redirect. Without the redirect from HTTP to HTTPS mode, it can easily expose users' Forum logins to eavesdroppers.
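
The two checks discussed in this thread, written out as an added example that is not part of any post above: classifying a `curl --head` answer to a plain-HTTP request, and testing a hostname against a wildcard certificate name. The function names are hypothetical and the 301 response is a constructed sample; the 200 response is abbreviated from the output quoted in the first post.

```python
from urllib.parse import urlsplit

# Response headers quoted in the thread (abbreviated).
THREAD_CAPTURE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Apache
Connection: keep-alive
"""

# Constructed sample: what a redirecting server would answer instead.
CONSTRUCTED_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://forums.zimbra.org/
Server: Apache
"""

def parse_head(raw):
    """Split `curl --head` output into (status_code, {lowercased header: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_verdict(raw):
    """Classify the answer to a plain-HTTP request."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 303, 307, 308):
        return f"FAIL: status {status}, page served over plain HTTP"
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        return "FAIL: redirect target is not https"
    return f"OK: redirects to https://{target.hostname}"

def cert_name_matches(hostname, cert_name):
    """Wildcard matching as browsers do it: '*' must be the whole left-most
    label and stands for exactly one label; other names must match exactly."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern

if __name__ == "__main__":
    print(redirect_verdict(THREAD_CAPTURE))
    print(redirect_verdict(CONSTRUCTED_REDIRECT))
    for name in ("forums.zimbra.org", "forums.zimbra.com"):
        print(name, cert_name_matches(name, "*.zimbra.org"))
```
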

Postby halfgaar » Wed Apr 07, 2021 11:42 am

I see the certificate is from DigiCert. Using certbot to request one at Let's Encrypt is easy and you can easily add many domains. Of course, depending on how it's hosted. It's easy when hosting oneself.
