Page 1 of 1

SSL for phpBB

Posted: Mon Nov 21, 2016 8:19 am
by Riksa
Hello,

I have been awarded SSL - certificate criterion, but how it works phpBB forum. What changes should I do and where. Is there, for example, phpBB settings?

Thank you!

Re: SSL for phpBB

Posted: Mon Nov 21, 2016 11:39 am
by JimA
You'd need to enable Cookie Secure in your Cookie Settings and change the cookie name there as well (just add one random letter at the end) to make sure all users get a new cookie.

Also, you might need to change the server protocol from "http://" to "https://" in Server Settings.

Re: SSL for phpBB

Posted: Mon Nov 21, 2016 11:55 am
by david63
You may also need to have a redirect in your .htaccess file and/or server control panel.

Re: SSL for phpBB

Posted: Mon Nov 21, 2016 12:09 pm
by Riksa
Thank you for advice, what code is written to the .htaccess?
Cookies are trimmed phpbb settings and changed https: // name

Re: SSL for phpBB

Posted: Mon Nov 21, 2016 5:51 pm
by v12mike
The above advice, although correct, assumes that your web server has already been configured to use your certificate (which may or may not be the case). What happens if you try to access your forum with https:// at the beginning of the url?

You will probably also find that pages with external images show as insecure, and images are not displayed on some browsers unless you also add a secure image extension (see: viewtopic.php?f=456&t=2392726 )

Re: SSL for phpBB

Posted: Wed Nov 23, 2016 1:29 am
by John connor
You need to first upload your SSL certificate to your server. If you have access to cPanel it makes it easier. Once you do this, change your forum settings as indicated. Please ask your host on how to do this.

Also note, that many hosters that offer a cPanel include the free Letsencrypt service with the push of a button your site is encrypted.

There's lot's more, like HSTS and using CloudFlare to rewrite non-SSL links. But I won't go into detail.

Re: SSL for phpBB

Posted: Wed Nov 23, 2016 8:48 am
by kaspir
John connor wrote:You need to first upload your SSL certificate to your server. If you have access to cPanel it makes it easier. Once you do this, change your forum settings as indicated. Please ask your host on how to do this.

Also note, that many hosters that offer a cPanel include the free Letsencrypt service with the push of a button your site is encrypted.

There's lot's more, like HSTS and using CloudFlare to rewrite non-SSL links. But I won't go into detail.
^^THIS first.
JimA wrote:You'd need to enable Cookie Secure in your Cookie Settings and change the cookie name there as well (just add one random letter at the end) to make sure all users get a new cookie.

Also, you might need to change the server protocol from "http://" to "https://" in Server Settings.
Then this.... ^^^

Next, fix any hardcoded hyperlinks or images in your custom templates that have a http instead of https.

Code: Select all

<img src="//example.com/forums/styles/images/pic.gif"/>
Basically, http images will break your lock. Edit all images to https or leave it out like shown above!


After all that, your going to have to make another decision to make about user posted images, hosted from non-encrypted sites (http). All of your images, MUST be loaded from https OR your SSL lock will be shown as broken in the user browser. It then becomes useless to have those posts secure.. UNLESS!

The post image fix; Check out this awesome ext: https://www.phpbb.com/customise/db/exte ... s_as_link/

.htaccess code (just copy&paste change yoursite) I think you were asking about

Code: Select all

# Forces HTTPS when http is requested.
RewriteCond %{HTTPS} !=on
RewriteRule .* https://YOURSITE.com/%{REQUEST_URI} [R,L]
From there, it's all about encouraging users to either upload images, so you can host, OR host from a https site.. otherwise if the user posts an image hosted elsewhere on a http; it will be parsed into a hyperlink which keeps your pages SSL lock in tact.

Here is a great tool that I'm sure you'll find useful: https://www.whynopadlock.com/

Good luck!


Edit//
v12mike wrote:The above advice, although correct, assumes that your web server has already been configured to use your certificate (which may or may not be the case). What happens if you try to access your forum with https:// at the beginning of the url?

You will probably also find that pages with external images show as insecure, and images are not displayed on some browsers unless you also add a secure image extension (see: viewtopic.php?f=456&t=2392726 )
Nice v12mike, haven't see that ext yet! I might try it out!

Re: SSL for phpBB

Posted: Thu Nov 24, 2016 8:29 am
by kaspir
Just resolved the hosting remote avatars option, where under a SSL, it still allows the user to use http, but will break the lock. Well, NO MORE! Still allow the remote hosted avatars, BUT only from https sites.

The fix, go to where I already posted on friends site: https://hifikabin.me.uk/viewtopic.php?f ... 952#p41952

I strongly suggest being comfortable with editing core files, before doing so. Otherwise, you may want to leave the remote avatar option off until a possible ext is developed.
v12mike wrote:
kaspir wrote:you may want to leave the remote avatar option off until a possible ext is developed.
Camo SSL Image Proxy (v1.1.0) already handles this, either by url rewriting directly to the hosting server (where the hosting server supports https) or by rewriting via a proxy server. No editing of core files required.
Very nice!

Re: SSL for phpBB

Posted: Thu Nov 24, 2016 9:13 am
by v12mike
kaspir wrote:you may want to leave the remote avatar option off until a possible ext is developed.
Camo SSL Image Proxy (v1.1.0) already handles this, either by url rewriting directly to the hosting server (where the hosting server supports https) or by rewriting via a proxy server. No editing of core files required.

Re: SSL for phpBB

Posted: Sun Dec 11, 2016 5:03 am
by v12mike
v12mike wrote:
kaspir wrote:you may want to leave the remote avatar option off until a possible ext is developed.
Camo SSL Image Proxy (v1.1.0) already handles this, either by url rewriting directly to the hosting server (where the hosting server supports https) or by rewriting via a proxy server. No editing of core files required.
I am sorry to report that the camosslimageproxy extension cannot be discussed on the extension forum any more because DavidIQ has deemed that official phpbb extensions may not be discussed there.

Re: SSL for phpBB

Posted: Tue Feb 07, 2017 9:47 pm
by noth
I think it was ABD which is a huge setback for SSL enthusiasts, I am now starting down that path, I have purchased 2 SSL certificates for my smallest 2 sites - in common with many other Admins I am sure, I have phpBB forum as 50% of the site. the other 50% is static HTML pages, text and images and links

so Google have published their own "QUICK GUIDE" To Secure your site with HTTPS
Mixed security elements >> Only embed HTTPS content on HTTPS pages.
HTTPS content ? what is that? because if you're going to tell me pages with Log Ins/ CARTS/ Payments sensitive info, well look at that https page from Google itself! (the QUICK GUIDE above linked) No Log in, no payment screen, no sensitive information or INPUT at all and heeey it's HTTPS
Different content on HTTP and HTTPS >> Make sure the content on your HTTP site and your HTTPS is the same.
your HTTP site and your HTTPS site? What are they talking about? They're saying have 2 versions?