Limited SSL Usage in phpBB3

[Sir Glen]

I use SSL with my copy of phpBB3, however I would like to limit its usage to login pages and the ACP. Does anyone know of a way to modify the existing code to accomplish this? It's unnecessary, for my purposes, to secure post content, I mainly want to protect login information from man in the middle attacks.

[ToonArmy]

I usually use Apache to rewrite ucp.php?mode=login and adm/ to use SSL. Far easier than maintaining a code modification.

[Sir Glen]

Ok wait, so how would I do that? I appologize for my horrible ignorance but, I'm horribly ignorant. I run this site for friends for free because they can't afford to pay a real developer and I figure everything out as I go along. How would I do what you're talking about? I'm assuming that I would first disable SSL for the boards in general, then somehow force SSL for the files listed? If that's possible I would LOVE to know the details. I could even see my way clear to paying for the information if it would take a lot of work to write it up.

[Lumpy Burgertushie]

Ok wait, so how would I do that? I appologize for my horrible ignorance but, I'm horribly ignorant. I run this site for friends for free because they can't afford to pay a real developer and I figure everything out as I go along. How would I do what you're talking about? I'm assuming that I would first disable SSL for the boards in general, then somehow force SSL for the files listed? If that's possible I would LOVE to know the details. I could even see my way clear to paying for the information if it would take a lot of work to write it up.

is there some specific reason why you think you need to secure the login etc.?

there are many, many thousands of phpbb boards out there that do not find a need for this.



I would suggest you just forget it and set it up normally.

robert

[Sir Glen]

Yes, there is. My forum is part of a group of communities involved in an EXTREMELY competitive long-term politics simulator called CyberNations. By long-term I mean the current round has been going for over four years. There are frequent hacking attempts on forums in this community because people try to gain access to private discussions related to internal policy for a given nation or alliance of nations or bloc of alliances etc. Long story short hacking is a constant and very real concern for us.

I already have the entire site under an SSL certificate but I would like, as I said, to limit that to login and ACP as those are the real concerns. It's wasteful and troublesome to do more than that because of offsite images and bandwidth concerns due to an obvious lack of image caching.

So advice is much appreciated.

[Sir Glen]

Nobody has any more thoughts on this?

[Oleg]

Try something like this with mod_rewrite.

Code: Select all

RewriteEngine On 

RewriteCond %{SERVER_PORT} !443
RewriteRule ^(/(acp|ucp\.php).*)$ https://www.example.com/$1 [R,L]

RewriteCond %{SERVER_PORT} 443
RewriteRule ^(/(?!(acp|ucp\.php)).*)$ http://www.example.com/$1 [R,L]

I have a feeling this won't work since phpbb does not use a dedicated login page.

Therefore, In addition to above directives, in includes/functions.php find lines containing S_LOGIN_ACTION and U_ACP and prepend your host name with ssl to their values. For example:

Code: Select all

'S_LOGIN_ACTION'		=> build_url(array('f')),

becomes

Code: Select all

'S_LOGIN_ACTION'		=> 'https://www.example.com/' . build_url(array('f')),

and

Code: Select all

'S_LOGIN_ACTION'		=> ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id)),

becomes

Code: Select all

'S_LOGIN_ACTION'		=> 'https://www.example.com/' . ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id)),

and

Code: Select all

'U_ACP' => ($auth->acl_get('a_') && !empty($user->data['is_registered'])) ? append_sid("{$phpbb_root_path}adm/index.$phpEx", false, true, $user->session_id) : '')

becomes

Code: Select all

'U_ACP' => ($auth->acl_get('a_') && !empty($user->data['is_registered'])) ? 'https://www.example.com/' . append_sid("{$phpbb_root_path}adm/index.$phpEx", false, true, $user->session_id) : '')

[Sir Glen]

And if I do that I set the board in general to use the http protocol instead of https?

[Oleg]

Yes, that sounds right.

[ToonArmy]

I have a feeling this won't work since phpbb does not use a dedicated login page.

Hmm that's quite a good point, how annoying. I guess it can be hooked without all those modifications though, I'll give that a go on the weekend.

[Sir Glen]

Hey all, this has been resolved. I did it mostly with changes to .htaccess and one minor code snippet. Thanks again, I really appreciate it.

[Stoepsel]

Care to share what you did? It might someone else in the future.

[ToonArmy]

phpBB hook, no .htaccess rules required, no code modifications needed. http://github.com/cs278/phpbb3/blob/hoo ... ontrol.php

[mrberry]

i have been looking for something like this for awhile and i tried the hooks file method and it would just make my forum load a white blank page. once i removed the file the forums worked again.

btw the other hooks file on that site work well. thanks.

[ToonArmy]

i have been looking for something like this for awhile and i tried the hooks file method and it would just make my forum load a white blank page. once i removed the file the forums worked again.

btw the other hooks file on that site work well. thanks.

What PHP version are you using?