Security

John connor
Registered User
Posts: 2073
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Security

Post by John connor » Wed Jan 23, 2019 8:40 am

Then I'll refrain from ever mentioning it again.

GoBieN
Registered User
Posts: 538
Joined: Fri Mar 05, 2004 5:22 pm
Location: Belgium

Re: Security

Post by GoBieN » Wed Jan 30, 2019 7:23 pm

Even if you have your forum set up for HTTPS you can still get the HTTPS mixed content warning on the lock sign.
But every browser I know will show the page fine. (IE11 might show the button to display insecure content).

The problem is when people use an [IMG]http://show.me/picture[/IMG] bbcode that picture will load via HTTP insecure connection.
This problem should only occur on the viewtopic.php pages. Not on the index. If it happens on the index, it's because you load an image over HTTP in CSS or custom code somewhere.

For the mixed content, there is a technical solution that I use, and I think phpBB uses it as well. It's called CAMO.
You can only run it on a server you have control over, not shared hosting.
It uses an extension that changes all HTTP links in BBCode to go through an upstream proxy on the server that will fetch the image using HTTP and then deliver the content using HTTPS to the visitor.

In the future when every PICTURE hosting website is using HTTP this will be redundant.
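The rewrite described in the post above, as an added example that is not part of the post or of the extension's own code (which is PHP; Python is used here for illustration). It assumes the `<proxy>/<HMAC-SHA1 hex digest>/<hex-encoded URL>` layout documented by atmos/camo; `CAMO_BASE`, `CAMO_KEY` and the function names are constructed for the example. The signature is what keeps the proxy from fetching URLs the forum never emitted.

```python
import hashlib
import hmac
import re

# Constructed settings for illustration; not values from the thread.
CAMO_BASE = "https://forum.example/camo"  # HTTPS address of the proxy
CAMO_KEY = b"constructed-shared-key"      # same secret the proxy is started with

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def camo_url(image_url: str) -> str:
    """Return <base>/<HMAC-SHA1 hex digest>/<hex-encoded image URL>."""
    raw = image_url.encode("utf-8")
    digest = hmac.new(CAMO_KEY, raw, hashlib.sha1).hexdigest()
    return f"{CAMO_BASE}/{digest}/{raw.hex()}"


def verify(digest: str, hex_url: str) -> bool:
    """Proxy-side check: only fetch URLs that carry a valid signature."""
    try:
        raw = bytes.fromhex(hex_url)
    except ValueError:
        return False
    expected = hmac.new(CAMO_KEY, raw, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def rewrite_post(bbcode: str) -> str:
    """Route plain-HTTP [img] targets through the proxy; leave the rest alone."""
    def repl(match: re.Match) -> str:
        url = match.group(1).strip()
        if not url.lower().startswith("http://"):
            return match.group(0)  # already HTTPS (or not a plain-HTTP URL)
        return f"[img]{camo_url(url)}[/img]"
    return IMG_TAG.sub(repl, bbcode)


if __name__ == "__main__":
    # Constructed post body reusing the URL from the post above.
    post = "[IMG]http://show.me/picture[/IMG] [img]https://secure.example/a.png[/img]"
    print(rewrite_post(post))
```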

Scottish2
Registered User
Posts: 124
Joined: Sun Mar 04, 2007 3:00 pm

Re: Security

Post by Scottish2 » Wed Jan 30, 2019 10:29 pm

GoBieN wrote:
Wed Jan 30, 2019 7:23 pm
Even if you have your forum set up for HTTPS you can still get the HTTPS mixed content warning on the lock sign.
But every browser I know will show the page fine. (IE11 might show the button to display insecure content).

The problem is when people use an Image bbcode that picture will load via HTTP insecure connection.
This problem should only occur on the viewtopic.php pages. Not on the index. If it happens on the index, it's because you load an image over HTTP in CSS or custom code somewhere.

For the mixed content, there is a technical solution that I use, and I think phpBB uses it as well. It's called CAMO.
You can only run it on a server you have control over, not shared hosting.
It uses an extension that changes all HTTP links in BBCode to go through an upstream proxy on the server that will fetch the image using HTTP and then deliver the content using HTTPS to the visitor.

In the future when every PICTURE hosting website is using HTTP this will be redundant.
Tried CAMO but something's not right with it in 3.2.5. This is the link here in the forum I found it

viewtopic.php?t=2392726

I first uploaded the entire folder and all subfolders meaning camosslimageproxy-master/camosslimageproxy-master/all ext folders and files but this was no good. So then I tried just one of the camosslimageproxy-master folders and all subfolders and files but again no good.
The “lmdi/multilinks” extension is not valid.
The requested file could not be found: ./../ext/lmdi/multilinks/composer.json
So I then took a look at the error I was getting and it seemed to be trying to find a specific path lmdi/multilinks so I deleted the folder and files and then created the two new directories. This did work in the sense it removed the above error and replaced it with an enable type listing. So I clicked enable but I got the error below
Information

The selected extension has an invalid directory structure and cannot be enabled.
I did also notice the post below the opening post by v12mike and it seems he had some issues but found a solution to them. Unsure if this would work or not as I had no success putting the folders and files in there.

I also then tried to remove the directories via Filezilla but for some reason it now keeps displaying the first error above and refuses to remove the listing from the disabled list even though the folders and file are totally removed now.

Thoughts? Is there a stable version for 3.2.5, as it seems the extension has not been updated in a while, being the opening of the post says

WARNING: Extensions in this forum are not currently being supported nor updated by the original Extension author. Proceed at your own risk.

Scottish2
Registered User
Posts: 124
Joined: Sun Mar 04, 2007 3:00 pm

Re: Security

Post by Scottish2 » Wed Jan 30, 2019 10:33 pm

Just a follow up on this maybe I missed a step. The below are the quick install instructions. Did I have to set up the item at the bottom before I can activate this ext??
## Quick Install
You can install this on the latest release of phpBB 3.1 by following the steps below:

1. In the `ext` directory of your phpBB board, create a new directory named `phpbb` (if it does not already exist) and navigate to it
1. `git clone git@github.com:phpbb-extensions/camo-ssl-image-proxy.git`
1. Navigate in the ACP to `Customise -> Manage extensions`.
1. Look for `Camo SSL Image Proxy` under the Disabled Extensions list, and click its `Enable` link.
1. Navigate in the ACP to 'Extensions -> Camo SSL Image Proxy -> Configure'.
1. Enter the proxy address (without protocol specifier or trailing /) e.g. mydomain.com/camo
1. Enter the camo API key (as applicable)
1. Add at least your sites domain(s) to the Directly Mapped Domains list (without protocol specifier or trailing /) e.g. mydomain.com
1. Ensure that 'Camo Mode' is selected and that 'Image Proxy Enable' is selected

Please note, this requires [Camo](https://github.com/atmos/camo) to have been setup previously.

janus_zonstraal
Registered User
Posts: 3216
Joined: Sat Aug 30, 2014 1:30 pm

Re: Security

Post by janus_zonstraal » Wed Jan 30, 2019 10:51 pm

Can you post a print from the files in your ext folder?

It must be

 ext/lmdi/multilinks/composer.json
But the extension is [ABD] so
WARNING: Extensions in this forum are not currently being supported nor updated by the original Extension author. Proceed at your own risk.
Sorry! My English is bat ;) !!!

Scottish2
Registered User
Posts: 124
Joined: Sun Mar 04, 2007 3:00 pm

Re: Security

Post by Scottish2 » Thu Jan 31, 2019 1:07 am

janus_zonstraal wrote:
Wed Jan 30, 2019 10:51 pm
Can you post a print from the files in your ext folder?

It must be

 ext/lmdi/multilinks/composer.json
But the extension is [ABD] so
WARNING: Extensions in this forum are not currently being supported nor updated by the original Extension author. Proceed at your own risk.
I had the extension showing up with an enable feature so I had the composer.json file in the right folder but when I clicked enable it said
Information

The selected extension has an invalid directory structure and cannot be enabled.
But then I also seemed to notice it required some other items as indicated in the follow up post with the red text highlighted! So just trying to find out if something else has to be installed first in order for the CAMO ext to work properly? As it appears this is what is wrong is it's missing this other required bit.

janus_zonstraal
Registered User
Posts: 3216
Joined: Sat Aug 30, 2014 1:30 pm

Re: Security

Post by janus_zonstraal » Thu Jan 31, 2019 7:40 am

You have to install all the other files and folders too, all in the same folder as the composer.json.
Sorry! My English is bat ;) !!!

GoBieN
Registered User
Posts: 538
Joined: Fri Mar 05, 2004 5:22 pm
Location: Belgium

Re: Security

Post by GoBieN » Thu Jan 31, 2019 2:23 pm

lmdi multilinks is a different extension that has nothing to do with CAMO, it's for adding links in the navbar above.
You can't go deleting folders from extensions that are activated on your board or you will get fatal errors.

Anyways, CAMO is a difficult process to set up. Honestly, don't bother.
But there is another easier way to avoid Mixed Content.

https://www.phpbb.com/customise/db/exte ... s_as_link/
This extension will only show images in BBCODE IMG tag if the image is internal or on a HTTPS secure external site.
If it's not secure it will replace the image with a link to the image.

That might be a solution for you?
