Limited SSL Usage in phpBB3

Posted: Sat Mar 06, 2010 7:55 pm
by Sir Glen
I use SSL with my copy of phpBB3, however I would like to limit its usage to login pages and the ACP. Does anyone know of a way to modify the existing code to accomplish this? It's unnecessary, for my purposes, to secure post content; I mainly want to protect login information from man-in-the-middle attacks.

Re: Limited SSL Usage in phpBB3

Posted: Sat Mar 06, 2010 9:31 pm
by ToonArmy
I usually use Apache to rewrite ucp.php?mode=login and adm/ to use SSL. Far easier than maintaining a code modification.

Re: Limited SSL Usage in phpBB3

Posted: Sat Mar 06, 2010 10:39 pm
by Sir Glen
Ok wait, so how would I do that? I apologize for my horrible ignorance but I'm horribly ignorant. I run this site for friends for free because they can't afford to pay a real developer and I figure everything out as I go along. How would I do what you're talking about? I'm assuming that I would first disable SSL for the boards in general, then somehow force SSL for the files listed? If that's possible I would LOVE to know the details. I could even see my way clear to paying for the information if it would take a lot of work to write it up.

Re: Limited SSL Usage in phpBB3

Posted: Sat Mar 06, 2010 11:49 pm
by Lumpy Burgertushie
Sir Glen wrote: Ok wait, so how would I do that? I apologize for my horrible ignorance but I'm horribly ignorant. I run this site for friends for free because they can't afford to pay a real developer and I figure everything out as I go along. How would I do what you're talking about? I'm assuming that I would first disable SSL for the boards in general, then somehow force SSL for the files listed? If that's possible I would LOVE to know the details. I could even see my way clear to paying for the information if it would take a lot of work to write it up.

Is there some specific reason why you think you need to secure the login etc.?

There are many, many thousands of phpBB boards out there that do not find a need for this.

I would suggest you just forget it and set it up normally.

robert

Re: Limited SSL Usage in phpBB3

Posted: Sun Mar 07, 2010 3:54 am
by Sir Glen
Yes, there is. My forum is part of a group of communities involved in an EXTREMELY competitive long-term politics simulator called CyberNations. By long-term I mean the current round has been going for over four years. There are frequent hacking attempts on forums in this community because people try to gain access to private discussions related to internal policy for a given nation or alliance of nations or bloc of alliances etc. Long story short, hacking is a constant and very real concern for us.

I already have the entire site under an SSL certificate but I would like, as I said, to limit that to login and ACP as those are the real concerns. It's wasteful and troublesome to do more than that because of offsite images and bandwidth concerns due to an obvious lack of image caching.

So advice is much appreciated. :)

Re: Limited SSL Usage in phpBB3

Posted: Mon Mar 08, 2010 8:14 pm
by Sir Glen
Nobody has any more thoughts on this?

Re: Limited SSL Usage in phpBB3

Posted: Mon Mar 08, 2010 10:19 pm
by Oleg
Try something like this with mod_rewrite.

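Code:

RewriteEngine On

# Plain-HTTP requests for the admin directory or ucp.php go to HTTPS.
# (Leading-slash patterns match in server/virtual-host context.)
# adm is the admin directory used by U_ACP; $1 already starts with "/".
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(/(adm|ucp\.php).*)$ https://www.example.com$1 [R,L]

# HTTPS requests for anything else go back to HTTP.
RewriteCond %{SERVER_PORT} 443
RewriteRule ^(/(?!(adm|ucp\.php)).*)$ http://www.example.com$1 [R,L]
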
I have a feeling this won't work since phpbb does not use a dedicated login page.

Therefore, in addition to the above directives, in includes/functions.php find the lines containing S_LOGIN_ACTION and U_ACP and prepend your host name with ssl to their values. For example:

Code:

'S_LOGIN_ACTION'		=> build_url(array('f')),
becomes

Code:

'S_LOGIN_ACTION'		=> 'https://www.example.com/' . build_url(array('f')),
and

Code:

'S_LOGIN_ACTION'		=> ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id)),
becomes

Code:

'S_LOGIN_ACTION'		=> 'https://www.example.com/' . ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id)),
and

Code:

'U_ACP' => ($auth->acl_get('a_') && !empty($user->data['is_registered'])) ? append_sid("{$phpbb_root_path}adm/index.$phpEx", false, true, $user->session_id) : '')
becomes

Code:

'U_ACP' => ($auth->acl_get('a_') && !empty($user->data['is_registered'])) ? 'https://www.example.com/' . append_sid("{$phpbb_root_path}adm/index.$phpEx", false, true, $user->session_id) : '')
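
Added example, not part of the post above or of phpBB: a Python model of the two rewrite rules, run over constructed login-form action URLs to show which ones keep the credential POST on HTTPS. It assumes `adm` as the admin directory (the path in U_ACP), treats the port test as an exact match, and the names `route` and `check_login_action` are hypothetical.

```python
import re
from urllib.parse import urlsplit

HOST = "www.example.com"  # placeholder host, as in the post

# The two RewriteRule patterns, with "adm" assumed as the admin directory.
TO_HTTPS = re.compile(r"^(/(adm|ucp\.php).*)$")
TO_HTTP = re.compile(r"^(/(?!(adm|ucp\.php)).*)$")


def route(url):
    """Return the redirect the rules would issue for url, or None if served as-is."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    # mod_rewrite keeps the original query string when the substitution has none.
    query = "?" + parts.query if parts.query else ""
    if port != 443 and TO_HTTPS.match(path):
        return f"https://{HOST}{path}{query}"
    if port == 443 and TO_HTTP.match(path):
        return f"http://{HOST}{path}{query}"
    return None


def check_login_action(action_url):
    """Classify a login form's action URL as the template would emit it."""
    if urlsplit(action_url).scheme != "https":
        # The POST body leaves the browser before any redirect can happen.
        return "cleartext-post"
    if route(action_url) is not None:
        # Rule 2 answers the POST with a redirect to HTTP instead of handling it.
        return "bounced-to-http"
    return "ok"


# Constructed sample form actions: the dedicated login URL over both schemes,
# an in-page login form on a topic page, and the ACP entry point.
SAMPLES = [
    "http://www.example.com/ucp.php?mode=login",
    "https://www.example.com/ucp.php?mode=login",
    "https://www.example.com/viewtopic.php?t=5",
    "https://www.example.com/adm/index.php",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{check_login_action(url):16} {url} -> {route(url)}")
```
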

Re: Limited SSL Usage in phpBB3

Posted: Tue Mar 09, 2010 1:16 am
by Sir Glen
And if I do that I set the board in general to use the http protocol instead of https?

Re: Limited SSL Usage in phpBB3

Posted: Tue Mar 09, 2010 1:27 am
by Oleg
Yes, that sounds right.

Re: Limited SSL Usage in phpBB3

Posted: Tue Mar 09, 2010 7:21 am
by ToonArmy
nn- wrote: I have a feeling this won't work since phpbb does not use a dedicated login page.
Hmm that's quite a good point, how annoying. I guess it can be hooked without all those modifications though, I'll give that a go on the weekend.

Re: Limited SSL Usage in phpBB3

Posted: Wed Mar 10, 2010 3:04 pm
by Sir Glen
Hey all, this has been resolved. I did it mostly with changes to .htaccess and one minor code snippet. Thanks again, I really appreciate it. :)

Re: Limited SSL Usage in phpBB3

Posted: Wed Mar 10, 2010 5:35 pm
by Stoepsel
Care to share what you did? It might help someone else in the future.

Re: Limited SSL Usage in phpBB3

Posted: Sat Mar 13, 2010 4:25 pm
by ToonArmy
phpBB hook, no .htaccess rules required, no code modifications needed. http://github.com/cs278/phpbb3/blob/hoo ... ontrol.php

Re: Limited SSL Usage in phpBB3

Posted: Sat Mar 13, 2010 5:58 pm
by mrberry
I have been looking for something like this for a while and I tried the hooks file method and it would just make my forum load a white blank page. Once I removed the file the forums worked again.

Btw the other hooks file on that site work well. Thanks.

Re: Limited SSL Usage in phpBB3

Posted: Sat Mar 13, 2010 6:07 pm
by ToonArmy
mrberry wrote: I have been looking for something like this for a while and I tried the hooks file method and it would just make my forum load a white blank page. Once I removed the file the forums worked again.

Btw the other hooks file on that site work well. Thanks.
What PHP version are you using?