Posted November 13, 2009
Hi, Security suggestion: have the admin area and logon run under HTTPS/SSL if enabled in, say, the inidata.php. What does everyone think?
November 13, 2009
I think that the fact you can rename the admin directory and password protect using a .htaccess file is sufficient security and do not really see the need for HTTPS/SSL.
November 13, 2009
There's a setting for making the logins run under HTTPS as well, just search for HTTPS in the ACP live search box.
November 16, 2009 (Author)
Just because you use .htaccess does not make it secure; it's still sent in plain text. I understand the login and use the SSL feature; I was thinking more along the lines of: if activated, the whole admin section would run under SSL.
November 25, 2009
Modify the following file to something like this:

/admin/sources/classes/output/adminOutput.php - Line 132

    ...
    /* Update paths and such */
    $this->settings['base_url'] = $this->settings['_original_base_url'];
    $this->settings['public_url'] = $this->settings['_original_base_url'] . '/index.php?';
    $this->settings['_original_base_url'] = str_replace( 'http://', 'https://', $this->settings['_original_base_url'] );
    $this->settings['public_url'] = str_replace( 'http://', 'https://', $this->settings['public_url'] );
    $this->settings['base_url'] = str_replace( 'http://', 'https://', $this->settings['base_url'] );
    $this->settings['public_dir'] = str_replace( 'http://', 'https://', $this->settings['public_dir'] );

Also add this to the .htaccess to force SSL in the admin directory:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://forums.domain.com%{REQUEST_URI}

This will make the admin section work almost completely via SSL. Only some images and JavaScript files aren't loading via SSL, which isn't that important. Please note that you first need to have a safe, working and installed SSL certificate on your server before this works. I hope this gets implemented in a fancier way in IPB3 as a standard option.
June 2, 2010
> Hi, Security suggestion: have the admin area and logon run under HTTPS/SSL if enabled in, say, the inidata.php. What does everyone think?

Ignoring the login area as that is already an option... Yes, it would be nice to be able to have the admin area ALL served via SSL with a built-in option (without having to edit code). It's possible to get some of it right now with some code edits, but it doesn't serve everything via SSL - there are still many page elements that end up being served over http, which causes a "not all elements on this page are secure" warning. Particularly with the upcoming integration of Nexus, it would make sense for the admin area to be served secure.
September 27, 2010
> Also add this to the .htaccess to force SSL in the admin directory:
>
>     RewriteEngine On
>     RewriteCond %{HTTPS} off
>     RewriteRule (.*) https://forums.domain.com%{REQUEST_URI}

A more flexible version of this rule:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

It might not always work, but in most cases it will work well.
July 25, 2011
> Modify the following file to something like this:
>
> /admin/sources/classes/output/adminOutput.php - Line 132
>
>     ...
>     /* Update paths and such */
>     $this->settings['base_url'] = $this->settings['_original_base_url'];
>     $this->settings['public_url'] = $this->settings['_original_base_url'] . '/index.php?';
>     $this->settings['_original_base_url'] = str_replace( 'http://', 'https://', $this->settings['_original_base_url'] );
>     $this->settings['public_url'] = str_replace( 'http://', 'https://', $this->settings['public_url'] );
>     $this->settings['base_url'] = str_replace( 'http://', 'https://', $this->settings['base_url'] );
>     $this->settings['public_dir'] = str_replace( 'http://', 'https://', $this->settings['public_dir'] );
>
> Also add this to the .htaccess to force SSL in the admin directory:
>
>     RewriteEngine On
>     RewriteCond %{HTTPS} off
>     RewriteRule (.*) https://forums.domain.com%{REQUEST_URI}
>
> This will make the admin section work almost completely via SSL. Only some images and JavaScript files aren't loading via SSL, which isn't that important. Please note that you first need to have a safe, working and installed SSL certificate on your server before this works. I hope this gets implemented in a fancier way in IPB3 as a standard option.

Thank you very much for this piece of code, Joriz.
February 29, 2012
> Modify the following file to something like this:
>
> /admin/sources/classes/output/adminOutput.php - Line 132
>
>     ...
>     /* Update paths and such */
>     $this->settings['base_url'] = $this->settings['_original_base_url'];
>     $this->settings['public_url'] = $this->settings['_original_base_url'] . '/index.php?';
>     $this->settings['_original_base_url'] = str_replace( 'http://', 'https://', $this->settings['_original_base_url'] );
>     $this->settings['public_url'] = str_replace( 'http://', 'https://', $this->settings['public_url'] );
>     $this->settings['base_url'] = str_replace( 'http://', 'https://', $this->settings['base_url'] );
>     $this->settings['public_dir'] = str_replace( 'http://', 'https://', $this->settings['public_dir'] );
>
> Also add this to the .htaccess to force SSL in the admin directory:
>
>     RewriteEngine On
>     RewriteCond %{HTTPS} off
>     RewriteRule (.*) https://forums.domain.com%{REQUEST_URI}
>
> This will make the admin section work almost completely via SSL. Only some images and JavaScript files aren't loading via SSL, which isn't that important. Please note that you first need to have a safe, working and installed SSL certificate on your server before this works. I hope this gets implemented in a fancier way in IPB3 as a standard option.

Is there an update for this nice code, please?
April 5, 2012
Once again, it doesn't work with the new release... :dry: Hey staff: JUST ADD THIS OPTION ONCE AND FOR ALL, EVERYBODY WANTS IT!
October 19, 2012
I'm going to wake up this old thread. This could still be a useful feature. The issue now is that the admin portion of the board uses features from the regular forum section. So forcing SSL using htaccess will make some browsers not display the unsecured content, i.e. CSS, JavaScript and such, so the admin CP will be a bit messed up.
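
The problem raised in the posts above (an admin page forced onto HTTPS that still references CSS, JavaScript and images over http://) can be audited offline before the redirect is enabled. The following is an added example, not part of the original thread or of Invision's code: the class and function names, the sample HTML and its paths are constructed for illustration, and forums.domain.com is the placeholder host used in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browsers block "active" http:// subresources on an HTTPS page and warn about
# "passive" ones; an http:// form action posts its fields in cleartext.
KINDS = {("script", "src"): "active", ("iframe", "src"): "active",
         ("img", "src"): "passive", ("form", "action"): "form"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL), in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only rel="stylesheet" links are fetched as active content.
            if "stylesheet" in a.get("rel", "").lower().split():
                self._check("active", tag, a.get("href", ""))
            return
        for (t, attr), kind in KINDS.items():
            if t == tag:
                self._check(kind, tag, a.get(attr, ""))

    def _check(self, kind, tag, value):
        # Relative and protocol-relative (//host/...) URLs inherit the page scheme.
        url = urljoin(self.page_url, value.strip())
        if value.strip() and urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def audit(html, page_url):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample: an admin page served over HTTPS that still references http://.
PAGE_URL = "https://forums.domain.com/admin/index.php"
SAMPLE_ACP_HTML = """<html><head>
<link rel="stylesheet" href="http://forums.domain.com/public/acp.css">
<link rel="canonical" href="http://forums.domain.com/admin/">
<script src="http://forums.domain.com/public/app.js"></script>
<script src="//forums.domain.com/public/acp.js"></script>
</head><body><img src="http://forums.domain.com/public/logo.png"><img src="images/icon.png">
<form action="http://forums.domain.com/admin/index.php"></form></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE_ACP_HTML, PAGE_URL):
        print(f"{kind:8} <{tag}> {url}")
```

Any "active" or "form" finding means the admin area is not yet fully protected by the redirect alone; the URL settings that generate those links have to be switched to https:// as well.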
Archived
This topic is now archived and is closed to further replies.