How to get my forum secure with SSL?

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

How to get my forum secure with SSL?

Post by libralion » Fri Feb 17, 2017 2:28 pm

Hi everybody,
I want to have my forum secure with SSL.
Here is my situation:
I have a static website. My hosting provider provides a free ssl certificate. I install that and attach it to my domain.
Then I change the .htaccess file and add this:

Code: Select all

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
In a subfolder I have a WP blog. To secure that I will install a plugin.
And in another subfolder I have my phpBB forum. How can I get that secure?
Should I add the above .htaccess code to the .htaccess file in the phpBB folder too?
Is that enough?
I do use attachments and several extensions. Also some iframe codes.

Johanna

User avatar
Mick
Support Team Member
Support Team Member
Posts: 21009
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - probably.

Re: How to get my forum secure with SSL?

Post by Mick » Fri Feb 17, 2017 8:55 pm

phpBB doesn't care what else is in other folders so forget those. I'm not sure what you're expecting from using SSL but all the .htaccess code is doing is making sure that everybody that lands on your board uses https, if that's happening you're good to go. Thinking about it, have you changed your cookie secure settings to suit SSL?

FWIW - This is what I use on my test board which was a fresh installation on an SSL server:

Code: Select all

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I can't vouch for the code, I cut & pasted it from somewhere or other but don't duplicate RewriteEngine on.
"The more connected we get the more alone we become" - Kyle Broflovski

User avatar
noth
Registered User
Posts: 2472
Joined: Fri Jan 07, 2005 7:10 pm
Location: North Surrey
Contact:

Re: How to get my forum secure with SSL?

Post by noth » Fri Feb 17, 2017 9:01 pm

libralion wrote:
Fri Feb 17, 2017 2:28 pm
Hi everybody,
I want to have my forum secure with SSL.


Johanna
hi Johanna I would be interested to hear why you want to, any reason? :P

User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

Re: How to get my forum secure with SSL?

Post by libralion » Sat Feb 18, 2017 6:36 am

Mick wrote:
Fri Feb 17, 2017 8:55 pm
phpBB doesn't care what else is in other folders so forget those. I'm not sure what you're expecting from using SSL but all the .htaccess code is doing is making sure that everybody that lands on your board uses https, if that's happening you're good to go. Thinking about it, have you changed your cookie secure settings to suit SSL?

FWIW - This is what I use on my test board which was a fresh installation on an SSL server:

Code: Select all

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I can't vouch for the code, I cut & pasted it from somewhere or other but don't duplicate RewriteEngine on.
Hi MIck,
Thanks for the code.
I have the .htaccess from the 3.2 installation.
Do I add your code at the top?
Like this?

Code: Select all

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# Uncomment the statement below if URL rewriting doesn't
# work properly. If you installed phpBB in a subdirectory
# of your site, properly set the argument for the statement.
# e.g.: if your domain is test.com and you installed phpBB
# in http://www.test.com/phpBB/index.php you have to set
# the statement RewriteBase /phpBB/
#
#RewriteBase /

#
# Uncomment the statement below if you want to make use of
# HTTP authentication and it does not already work.
# This could be required if you are for example using PHP via Apache CGI.
#
#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

#
# The following 3 lines will rewrite URLs passed through the front controller
# to not require app.php in the actual URL. In other words, a controller is
# by default accessed at /app.php/my/controller, but can also be accessed at
# /my/controller
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ app.php [QSA,L]

#
# If symbolic links are not already being followed,
# uncomment the line below.
# http://anothersysadmin.wordpress.com/2008/06/10/mod_rewrite-forbidden-403-with-apache-228/
#
#Options +FollowSymLinks
</IfModule>

# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
# module mod_authz_host to a new module called mod_access_compat (which may be
# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
# We could just conditionally provide both versions, but unfortunately Apache
# does not explicitly tell us its version if the module mod_version is not
# available. In this case, we check for the availability of module
# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
<IfModule mod_version.c>
	<IfVersion < 2.4>
		<Files "config.php">
			Order Allow,Deny
			Deny from All
		</Files>
		<Files "common.php">
			Order Allow,Deny
			Deny from All
		</Files>
	</IfVersion>
	<IfVersion >= 2.4>
		<Files "config.php">
			Require all denied
		</Files>
		<Files "common.php">
			Require all denied
		</Files>
	</IfVersion>
</IfModule>
<IfModule !mod_version.c>
	<IfModule !mod_authz_core.c>
		<Files "config.php">
			Order Allow,Deny
			Deny from All
		</Files>
		<Files "common.php">
			Order Allow,Deny
			Deny from All
		</Files>
	</IfModule>
	<IfModule mod_authz_core.c>
		<Files "config.php">
			Require all denied
		</Files>
		<Files "common.php">
			Require all denied
		</Files>
	</IfModule>
</IfModule>
And does this code take care of the iframe and bbcodes I have on my board too?
And yes I am planning on changing the cookie settings.

Johanna
Last edited by libralion on Sat Feb 18, 2017 6:42 am, edited 1 time in total.

User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

Re: How to get my forum secure with SSL?

Post by libralion » Sat Feb 18, 2017 6:40 am

noth wrote:
Fri Feb 17, 2017 9:01 pm
libralion wrote:
Fri Feb 17, 2017 2:28 pm
Hi everybody,
I want to have my forum secure with SSL.


Johanna
hi Johanna I would be interested to hear why you want to, any reason? :P
Hi Noth,
The reason of wanting to make my website and WP Blog and phpBB forum secure is, that I understand Google is going to flag up insecure sites and will do so more in the future, so I don't want my site to be flagged as insecure.
Claire Brotherton is writing lots of articles about webdesign and has now an excellent article about making your site secure. She tells you all about it and how to change it. You can read it here: https://www.abrightclearweb.com/moved-site-http-https/

Johanna

User avatar
Mick
Support Team Member
Support Team Member
Posts: 21009
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - probably.

Re: How to get my forum secure with SSL?

Post by Mick » Sat Feb 18, 2017 10:49 am

libralion wrote:
Sat Feb 18, 2017 6:36 am
Do I add your code at the top?
Like this?
That's how I have mine but, as I said, I got the code from elsewhere, I'm no expert on the matter. All I can say it seems to work for me like that. I suggest you try it and see how it works for you. I don't have any iframes on my test board so can't really comment.
"The more connected we get the more alone we become" - Kyle Broflovski

User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

Re: How to get my forum secure with SSL?

Post by libralion » Sat Feb 18, 2017 11:44 am

Mick wrote:
Sat Feb 18, 2017 10:49 am
libralion wrote:
Sat Feb 18, 2017 6:36 am
Do I add your code at the top?
Like this?
That's how I have mine but, as I said, I got the code from elsewhere, I'm no expert on the matter. All I can say it seems to work for me like that. I suggest you try it and see how it works for you. I don't have any iframes on my test board so can't really comment.
Thanks. Mick sinds it is a test board, maybe you can insert an iframe code and see if your site is still secure?
I found this code too. But I wonder if it will work, since my board is in a subfolder and I will also have a code in the . htaccess of my main website. Maybe somebody that is good with PHP can help me out here?

Johanna

User avatar
Mick
Support Team Member
Support Team Member
Posts: 21009
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - probably.

Re: How to get my forum secure with SSL?

Post by Mick » Sat Feb 18, 2017 11:50 am

libralion wrote:
Sat Feb 18, 2017 11:44 am
it is a test board, maybe you can insert an iframe code and see if your site is still secure?
I don't want/wouldn't use iframes sorry but I don't think using HTTPS is going to make your iframes secure if they have bad code inside them, it doesn't work like that.There should be no issue with the board being in a subdomain, the .htacces will only know it's own root as far as I'm aware. You should try it and see what happens, experiment, you won't kill anything. You can also try the web as there is a ton of information available.
"The more connected we get the more alone we become" - Kyle Broflovski

User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

Re: How to get my forum secure with SSL?

Post by libralion » Sat Feb 18, 2017 12:41 pm

Mick wrote:
Sat Feb 18, 2017 11:50 am
libralion wrote:
Sat Feb 18, 2017 11:44 am
it is a test board, maybe you can insert an iframe code and see if your site is still secure?
I don't want/wouldn't use iframes sorry but I don't think using HTTPS is going to make your iframes secure if they have bad code inside them, it doesn't work like that.There should be no issue with the board being in a subdomain, the .htacces will only know it's own root as far as I'm aware. You should try it and see what happens, experiment, you won't kill anything. You can also try the web as there is a ton of information available.
I understand. I don't really care if the iframes are secure, but I want my website to get the secure sign from Google. That is why I am asking.
And of course I can try, but it is a complicated situation that I have and I can't try simulating it like with other software.
And I don't know ifd there is much information about making your phpBB board secure. I can't find much about it.

Johanna

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 50356
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: How to get my forum secure with SSL?

Post by stevemaury » Sat Feb 18, 2017 1:22 pm

Let's not confuse actual "security" with pandering to Google.
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

Re: How to get my forum secure with SSL?

Post by libralion » Sat Feb 18, 2017 1:37 pm

stevemaury wrote:
Sat Feb 18, 2017 1:22 pm
Let's not confuse actual "security" with pandering to Google.
Steve that doesn't help at all. Of course I know what you mean, but I still want to do this. And I think if you want to stay ending up in Google in a high position, we should do this.

Johanna

User avatar
Lumpy Burgertushie
Registered User
Posts: 66147
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: How to get my forum secure with SSL?

Post by Lumpy Burgertushie » Sat Feb 18, 2017 4:16 pm

if you are using iframes then there is no way to control whether the content of them is secure or not. I would assume that if you have unsecure websites showing in your iframe that google will notice and cause your site to show unsecure.

also, my opinion is , that you will not really see any noticeable difference in your google rank if you have mixed content on your site. also, remember, google is not the only search engine in the world even if they think and act like they are.

but, it is up to you of course.

luck,
robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

Re: How to get my forum secure with SSL?

Post by libralion » Sat Feb 18, 2017 4:37 pm

Lumpy Burgertushie wrote:
Sat Feb 18, 2017 4:16 pm
if you are using iframes then there is no way to control whether the content of them is secure or not. I would assume that if you have unsecure websites showing in your iframe that google will notice and cause your site to show unsecure.

also, my opinion is , that you will not really see any noticeable difference in your google rank if you have mixed content on your site. also, remember, google is not the only search engine in the world even if they think and act like they are.

but, it is up to you of course.

luck,
robert
I understand. Maybe I first have to change all the iframes I have on my forum. I don't think there are too many.
And then after that try to get the ssl to work.
I know Google isn't the only search engine, but it is important.

Johanna

User avatar
RMcGirr83
Recognised Extension Developer
Posts: 21033
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr
Contact:

Re: How to get my forum secure with SSL?

Post by RMcGirr83 » Sat Feb 18, 2017 4:52 pm

https://webmasters.googleblog.com/2014/ ... ignal.html
For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
I wouldn't worry about it too much in terms of ranking. The benefit seems minimal at best.
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored

User avatar
libralion
Registered User
Posts: 345
Joined: Tue May 13, 2003 9:25 am

Re: How to get my forum secure with SSL?

Post by libralion » Sat Feb 18, 2017 5:21 pm

RMcGirr83 wrote:
Sat Feb 18, 2017 4:52 pm
https://webmasters.googleblog.com/2014/ ... ignal.html
For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
I wouldn't worry about it too much in terms of ranking. The benefit seems minimal at best.
Yes but it isn't only for the ranking that I want do this.
I want my visitors to see the secure sign and not the not safe sign.
WP is going to https in 2017 also, so I better get my entire static site with the wp blog and the phpBB forum on SSL too.

BTW on my phpBB forum I have a lot of images that link to images on my static website. How can I easily change that?
I mean that I don't have to do that one by one.
If I have: http://www.mysite.nl, how can I change all those links to : https://www.mysite.nl?

Johanna

Post Reply

Return to “[3.2.x] Support Forum”