Limited SSL Usage in phpBB3

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Suggested Hosts
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Sir Glen
Registered User
Posts: 57
Joined: Fri Jun 27, 2008 7:43 pm

Limited SSL Usage in phpBB3

Post by Sir Glen » Sat Mar 06, 2010 7:55 pm

I use SSL with my copy of phpBB3, however I would like to limit its usage to login pages and the ACP. Does anyone know of a way to modify the existing code to accomplish this? It's unnecessary, for my purposes, to secure post content, I mainly want to protect login information from man in the middle attacks.

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith
Contact:

Re: Limited SSL Usage in phpBB3

Post by ToonArmy » Sat Mar 06, 2010 9:31 pm

I usually use Apache to rewrite ucp.php?mode=login and adm/ to use SSL. Far easier than maintaining a code modification.
Chris SmithGitHub

Sir Glen
Registered User
Posts: 57
Joined: Fri Jun 27, 2008 7:43 pm

Re: Limited SSL Usage in phpBB3

Post by Sir Glen » Sat Mar 06, 2010 10:39 pm

Ok wait, so how would I do that? I appologize for my horrible ignorance but, I'm horribly ignorant. I run this site for friends for free because they can't afford to pay a real developer and I figure everything out as I go along. How would I do what you're talking about? I'm assuming that I would first disable SSL for the boards in general, then somehow force SSL for the files listed? If that's possible I would LOVE to know the details. I could even see my way clear to paying for the information if it would take a lot of work to write it up.

User avatar
Lumpy Burgertushie
Registered User
Posts: 66921
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Limited SSL Usage in phpBB3

Post by Lumpy Burgertushie » Sat Mar 06, 2010 11:49 pm

Sir Glen wrote:Ok wait, so how would I do that? I appologize for my horrible ignorance but, I'm horribly ignorant. I run this site for friends for free because they can't afford to pay a real developer and I figure everything out as I go along. How would I do what you're talking about? I'm assuming that I would first disable SSL for the boards in general, then somehow force SSL for the files listed? If that's possible I would LOVE to know the details. I could even see my way clear to paying for the information if it would take a lot of work to write it up.
is there some specific reason why you think you need to secure the login etc.?

there are many, many thousands of phpbb boards out there that do not find a need for this.



I would suggest you just forget it and set it up normally.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

Sir Glen
Registered User
Posts: 57
Joined: Fri Jun 27, 2008 7:43 pm

Re: Limited SSL Usage in phpBB3

Post by Sir Glen » Sun Mar 07, 2010 3:54 am

Yes, there is. My forum is part of a group of communities involved in an EXTREMELY competitive long-term politics simulator called CyberNations. By long-term I mean the current round has been going for over four years. There are frequent hacking attempts on forums in this community because people try to gain access to private discussions related to internal policy for a given nation or alliance of nations or bloc of alliances etc. Long story short hacking is a constant and very real concern for us.

I already have the entire site under an SSL certificate but I would like, as I said, to limit that to login and ACP as those are the real concerns. It's wasteful and troublesome to do more than that because of offsite images and bandwidth concerns due to an obvious lack of image caching.

So advice is much appreciated. :)

Sir Glen
Registered User
Posts: 57
Joined: Fri Jun 27, 2008 7:43 pm

Re: Limited SSL Usage in phpBB3

Post by Sir Glen » Mon Mar 08, 2010 8:14 pm

Nobody has any more thoughts on this?

Oleg
Former Team Member
Posts: 1221
Joined: Sat Jan 30, 2010 4:42 pm
Location: NYC
Contact:

Re: Limited SSL Usage in phpBB3

Post by Oleg » Mon Mar 08, 2010 10:19 pm

Try something like this with mod_rewrite.

Code: Select all

RewriteEngine On 

RewriteCond %{SERVER_PORT} !443
RewriteRule ^(/(acp|ucp\.php).*)$ https://www.example.com/$1 [R,L]

RewriteCond %{SERVER_PORT} 443
RewriteRule ^(/(?!(acp|ucp\.php)).*)$ http://www.example.com/$1 [R,L]
I have a feeling this won't work since phpbb does not use a dedicated login page.

Therefore, In addition to above directives, in includes/functions.php find lines containing S_LOGIN_ACTION and U_ACP and prepend your host name with ssl to their values. For example:

Code: Select all

'S_LOGIN_ACTION'		=> build_url(array('f')),
becomes

Code: Select all

'S_LOGIN_ACTION'		=> 'https://www.example.com/' . build_url(array('f')),
and

Code: Select all

'S_LOGIN_ACTION'		=> ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id)),
becomes

Code: Select all

'S_LOGIN_ACTION'		=> 'https://www.example.com/' . ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id)),
and

Code: Select all

'U_ACP' => ($auth->acl_get('a_') && !empty($user->data['is_registered'])) ? append_sid("{$phpbb_root_path}adm/index.$phpEx", false, true, $user->session_id) : '')
becomes

Code: Select all

'U_ACP' => ($auth->acl_get('a_') && !empty($user->data['is_registered'])) ? 'https://www.example.com/' . append_sid("{$phpbb_root_path}adm/index.$phpEx", false, true, $user->session_id) : '')
Participate in phpBB development: Get involved | Issue tracker | Report a bug | Development board | [url=irc://chat.freenode.net/phpbb-dev]Development IRC chat[/url]
My stuff: mindlinkgame.com

Sir Glen
Registered User
Posts: 57
Joined: Fri Jun 27, 2008 7:43 pm

Re: Limited SSL Usage in phpBB3

Post by Sir Glen » Tue Mar 09, 2010 1:16 am

And if I do that I set the board in general to use the http protocol instead of https?

Oleg
Former Team Member
Posts: 1221
Joined: Sat Jan 30, 2010 4:42 pm
Location: NYC
Contact:

Re: Limited SSL Usage in phpBB3

Post by Oleg » Tue Mar 09, 2010 1:27 am

Yes, that sounds right.
Participate in phpBB development: Get involved | Issue tracker | Report a bug | Development board | [url=irc://chat.freenode.net/phpbb-dev]Development IRC chat[/url]
My stuff: mindlinkgame.com

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith
Contact:

Re: Limited SSL Usage in phpBB3

Post by ToonArmy » Tue Mar 09, 2010 7:21 am

nn- wrote:I have a feeling this won't work since phpbb does not use a dedicated login page.
Hmm that's quite a good point, how annoying. I guess it can be hooked without all those modifications though, I'll give that a go on the weekend.
Chris SmithGitHub

Sir Glen
Registered User
Posts: 57
Joined: Fri Jun 27, 2008 7:43 pm

Re: Limited SSL Usage in phpBB3

Post by Sir Glen » Wed Mar 10, 2010 3:04 pm

Hey all, this has been resolved. I did it mostly with changes to .htaccess and one minor code snippet. Thanks again, I really appreciate it. :)

Stoepsel
Registered User
Posts: 395
Joined: Sun Oct 23, 2005 11:23 am

Re: Limited SSL Usage in phpBB3

Post by Stoepsel » Wed Mar 10, 2010 5:35 pm

Care to share what you did? It might someone else in the future.

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith
Contact:

Re: Limited SSL Usage in phpBB3

Post by ToonArmy » Sat Mar 13, 2010 4:25 pm

phpBB hook, no .htaccess rules required, no code modifications needed. http://github.com/cs278/phpbb3/blob/hoo ... ontrol.php
Chris SmithGitHub

mrberry
Registered User
Posts: 10
Joined: Wed Jan 24, 2007 2:40 pm
Contact:

Re: Limited SSL Usage in phpBB3

Post by mrberry » Sat Mar 13, 2010 5:58 pm

i have been looking for something like this for awhile and i tried the hooks file method and it would just make my forum load a white blank page. once i removed the file the forums worked again.

btw the other hooks file on that site work well. thanks.

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith
Contact:

Re: Limited SSL Usage in phpBB3

Post by ToonArmy » Sat Mar 13, 2010 6:07 pm

mrberry wrote:i have been looking for something like this for awhile and i tried the hooks file method and it would just make my forum load a white blank page. once i removed the file the forums worked again.

btw the other hooks file on that site work well. thanks.
What PHP version are you using?
Chris SmithGitHub

Locked

Return to “[3.0.x] Support Forum”