SSL for phpBB

Get help with installation and running phpBB 3.1.x here. Please do not post bug reports, feature requests, or extension related questions here.
Suggested Hosts
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

NOTE: phpBB 3.1.x is at its End of Life stage and support will NOT be provided after July 1st, 2018.
Locked
Riksa
Registered User
Posts: 47
Joined: Sat Nov 12, 2016 3:42 pm

SSL for phpBB

Post by Riksa »

Hello,

I have been awarded SSL - certificate criterion, but how it works phpBB forum. What changes should I do and where. Is there, for example, phpBB settings?

Thank you!
Best regards,
Riksa
User avatar
JimA
Community Team Leader
Community Team Leader
Posts: 7795
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn
Contact:

Re: SSL for phpBB

Post by JimA »

You'd need to enable Cookie Secure in your Cookie Settings and change the cookie name there as well (just add one random letter at the end) to make sure all users get a new cookie.

Also, you might need to change the server protocol from "http://" to "https://" in Server Settings.
Jim Mossing Holsteyn - Community Team Leader
Knowledge Base | Documentation | Board rules

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.
User avatar
david63
Registered User
Posts: 18090
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Contact:

Re: SSL for phpBB

Post by david63 »

You may also need to have a redirect in your .htaccess file and/or server control panel.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
Riksa
Registered User
Posts: 47
Joined: Sat Nov 12, 2016 3:42 pm

Re: SSL for phpBB

Post by Riksa »

Thank you for advice, what code is written to the .htaccess?
Cookies are trimmed phpbb settings and changed https: // name
Best regards,
Riksa
v12mike
Registered User
Posts: 511
Joined: Thu Jul 09, 2015 5:03 pm

Re: SSL for phpBB

Post by v12mike »

The above advice, although correct, assumes that your web server has already been configured to use your certificate (which may or may not be the case). What happens if you try to access your forum with https:// at the beginning of the url?

You will probably also find that pages with external images show as insecure, and images are not displayed on some browsers unless you also add a secure image extension (see: viewtopic.php?f=456&t=2392726 )
User avatar
John connor
Registered User
Posts: 2557
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: SSL for phpBB

Post by John connor »

You need to first upload your SSL certificate to your server. If you have access to cPanel it makes it easier. Once you do this, change your forum settings as indicated. Please ask your host on how to do this.

Also note, that many hosters that offer a cPanel include the free Letsencrypt service with the push of a button your site is encrypted.

There's lot's more, like HSTS and using CloudFlare to rewrite non-SSL links. But I won't go into detail.
Having spam problems? Install this extension and/or this script.
How to help protect your site from hackers.
0FL ?FE<JKCP K?@EB PFL ;<:F;<;‌​​​​‌‌⁠‌‌​‌‌‌‌⁠‌‌​‌‌‌​⁠‌‌​​‌‌‌⁠‌‌‌​​‌​⁠‌‌​​​​‌⁠‌‌‌​‌​​⁠‌‌‌​‌​‌⁠‌‌​‌‌​​⁠‌‌​​​​‌⁠‌‌‌​‌​​⁠‌‌​‌​​‌⁠‌‌​‌‌‌‌⁠‌‌​‌‌‌​⁠‌‌‌​​‌‌⁠‌​​​​‌⁠‌​​​​​⁠‌​‌‌​​‌⁠‌‌​‌‌‌‌⁠‌‌‌​‌​‌⁠‌​​‌‌‌⁠‌‌‌​​‌​⁠‌‌​​‌​‌⁠‌​​​​​⁠‌‌‌​​‌‌⁠‌‌​‌‌​‌⁠‌‌​​​​‌⁠‌‌‌​​‌​⁠‌‌‌​‌​​⁠‌‌​​‌​‌⁠‌‌‌​​‌​⁠‌​​​​​⁠‌‌‌​‌​​⁠‌‌​‌​​​⁠‌‌​​​​‌⁠‌‌​‌‌‌​⁠‌​​​​​⁠‌​​‌​​‌⁠‌​​​​​⁠‌‌‌​‌​​⁠‌‌​‌​​​⁠‌‌​‌‌‌‌⁠‌‌‌​‌​‌⁠‌‌​​‌‌‌⁠‌‌​‌​​​⁠‌‌‌​‌​​⁠‌​‌‌‌​ K?@J D<JJ8><t +?@EB 8>8@Ec
kaspir
Registered User
Posts: 203
Joined: Sun Jul 27, 2008 5:05 am
Name: Greg
Contact:

Re: SSL for phpBB

Post by kaspir »

John connor wrote:You need to first upload your SSL certificate to your server. If you have access to cPanel it makes it easier. Once you do this, change your forum settings as indicated. Please ask your host on how to do this.

Also note, that many hosters that offer a cPanel include the free Letsencrypt service with the push of a button your site is encrypted.

There's lot's more, like HSTS and using CloudFlare to rewrite non-SSL links. But I won't go into detail.
^^THIS first.
JimA wrote:You'd need to enable Cookie Secure in your Cookie Settings and change the cookie name there as well (just add one random letter at the end) to make sure all users get a new cookie.

Also, you might need to change the server protocol from "http://" to "https://" in Server Settings.
Then this.... ^^^

Next, fix any hardcoded hyperlinks or images in your custom templates that have a http instead of https.

Code: Select all

<img src="//example.com/forums/styles/images/pic.gif"/>
Basically, http images will break your lock. Edit all images to https or leave it out like shown above!


After all that, your going to have to make another decision to make about user posted images, hosted from non-encrypted sites (http). All of your images, MUST be loaded from https OR your SSL lock will be shown as broken in the user browser. It then becomes useless to have those posts secure.. UNLESS!

The post image fix; Check out this awesome ext: https://www.phpbb.com/customise/db/exte ... s_as_link/

.htaccess code (just copy&paste change yoursite) I think you were asking about

Code: Select all

# Forces HTTPS when http is requested.
RewriteCond %{HTTPS} !=on
RewriteRule .* https://YOURSITE.com/%{REQUEST_URI} [R,L]
From there, it's all about encouraging users to either upload images, so you can host, OR host from a https site.. otherwise if the user posts an image hosted elsewhere on a http; it will be parsed into a hyperlink which keeps your pages SSL lock in tact.

Here is a great tool that I'm sure you'll find useful: https://www.whynopadlock.com/

Good luck!


Edit//
v12mike wrote:The above advice, although correct, assumes that your web server has already been configured to use your certificate (which may or may not be the case). What happens if you try to access your forum with https:// at the beginning of the url?

You will probably also find that pages with external images show as insecure, and images are not displayed on some browsers unless you also add a secure image extension (see: viewtopic.php?f=456&t=2392726 )
Nice v12mike, haven't see that ext yet! I might try it out!
World of Phaos RPG online is making it's come back! Play free now!
Check out phpBB contributions & extension downloads. :P
kaspir
Registered User
Posts: 203
Joined: Sun Jul 27, 2008 5:05 am
Name: Greg
Contact:

Re: SSL for phpBB

Post by kaspir »

Just resolved the hosting remote avatars option, where under a SSL, it still allows the user to use http, but will break the lock. Well, NO MORE! Still allow the remote hosted avatars, BUT only from https sites.

The fix, go to where I already posted on friends site: https://hifikabin.me.uk/viewtopic.php?f ... 952#p41952

I strongly suggest being comfortable with editing core files, before doing so. Otherwise, you may want to leave the remote avatar option off until a possible ext is developed.
v12mike wrote:
kaspir wrote:you may want to leave the remote avatar option off until a possible ext is developed.
Camo SSL Image Proxy (v1.1.0) already handles this, either by url rewriting directly to the hosting server (where the hosting server supports https) or by rewriting via a proxy server. No editing of core files required.
Very nice!
Last edited by kaspir on Thu Nov 24, 2016 9:31 am, edited 1 time in total.
World of Phaos RPG online is making it's come back! Play free now!
Check out phpBB contributions & extension downloads. :P
v12mike
Registered User
Posts: 511
Joined: Thu Jul 09, 2015 5:03 pm

Re: SSL for phpBB

Post by v12mike »

kaspir wrote:you may want to leave the remote avatar option off until a possible ext is developed.
Camo SSL Image Proxy (v1.1.0) already handles this, either by url rewriting directly to the hosting server (where the hosting server supports https) or by rewriting via a proxy server. No editing of core files required.
v12mike
Registered User
Posts: 511
Joined: Thu Jul 09, 2015 5:03 pm

Re: SSL for phpBB

Post by v12mike »

v12mike wrote:
kaspir wrote:you may want to leave the remote avatar option off until a possible ext is developed.
Camo SSL Image Proxy (v1.1.0) already handles this, either by url rewriting directly to the hosting server (where the hosting server supports https) or by rewriting via a proxy server. No editing of core files required.
I am sorry to report that the camosslimageproxy extension cannot be discussed on the extension forum any more because DavidIQ has deemed that official phpbb extensions may not be discussed there.
User avatar
noth
Registered User
Posts: 2483
Joined: Fri Jan 07, 2005 7:10 pm
Location: North Surrey
Contact:

Re: SSL for phpBB

Post by noth »

I think it was ABD which is a huge setback for SSL enthusiasts, I am now starting down that path, I have purchased 2 SSL certificates for my smallest 2 sites - in common with many other Admins I am sure, I have phpBB forum as 50% of the site. the other 50% is static HTML pages, text and images and links

so Google have published their own "QUICK GUIDE" To Secure your site with HTTPS
Mixed security elements >> Only embed HTTPS content on HTTPS pages.
HTTPS content ? what is that? because if you're going to tell me pages with Log Ins/ CARTS/ Payments sensitive info, well look at that https page from Google itself! (the QUICK GUIDE above linked) No Log in, no payment screen, no sensitive information or INPUT at all and heeey it's HTTPS
Different content on HTTP and HTTPS >> Make sure the content on your HTTP site and your HTTPS is the same.
your HTTP site and your HTTPS site? What are they talking about? They're saying have 2 versions?
Locked

Return to “[3.1.x] Support Forum”