Firewater Posted November 13, 2009 Share Posted November 13, 2009 Hi, Security suggestion to have the admin area and logon to run under HTTPS/SSL if enabled in say the inidata.php. what does everyone think? Link to comment Share on other sites More sharing options...
RobertMidd Posted November 13, 2009 Share Posted November 13, 2009 I think that the fact you can rename the admin directory and password protect using a .htaccess file is sufficient security and do not really see the need for HTTPS/SSL. Link to comment Share on other sites More sharing options...
Michael Posted November 13, 2009 Share Posted November 13, 2009 There's a setting for making the logins run under HTTPS as well, just search for HTTPS in the ACP live search box. Link to comment Share on other sites More sharing options...
Firewater Posted November 16, 2009 Author Share Posted November 16, 2009 just because you use .htacces does not make it secure its still sent in plan text, i understand the login and use the SSL feature was thinking more on the lines of if activated the whole admin section would run under SSL. Link to comment Share on other sites More sharing options...
Joriz Posted November 25, 2009 Share Posted November 25, 2009 Modify the following file to something like this: /admin/sources/classes/output/adminOutput.php - Line 132 ... /* Update paths and such */ $this->settings['base_url'] = $this->settings['_original_base_url']; $this->settings['public_url'] = $this->settings['_original_base_url'] . '/index.php?'; $this->settings['_original_base_url'] = str_replace( 'http://', 'https://', $this->settings['_original_base_url'] ); $this->settings['public_url'] = str_replace( 'http://', 'https://', $this->settings['public_url'] ); $this->settings['base_url'] = str_replace( 'http://', 'https://', $this->settings['base_url'] ); $this->settings['public_dir'] = str_replace( 'http://', 'https://', $this->settings['public_dir'] ); Also add this to the .htaccess to force SSL in the admin directory: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://forums.domain.com%{REQUEST_URI} This will make the admin section work almost completely via SSL. Only some images and javascript files aren't loading via SSL which isn't that important. Please note that you first need to have a safe working and installed SSL certificate at your server before this works. I hope this get implemented at a more fancy way in IPB3 as standard option. Link to comment Share on other sites More sharing options...
xplanedotorg Posted December 22, 2009 Share Posted December 22, 2009 Thank you for this. Had no problems following these directions. Link to comment Share on other sites More sharing options...
Painted Horse Posted June 2, 2010 Share Posted June 2, 2010 Hi, Security suggestion to have the admin area and logon to run under HTTPS/SSL if enabled in say the inidata.php. what does everyone think? Ignoring the login area as that is already an option... Yes, it would be nice to be able to have the admin area ALL served via SSL with a built in option (without having to edit code). It's possible to get some of it right now with some code edits, but it doesn't serve everything via SSL - there are still many page elements that end up being served over http which causes a "not all elements on this page are secure" warning. Particularly with the upcoming integration of Nexus, it would make sense for the admin area to be served secure. Link to comment Share on other sites More sharing options...
Neven Golenić Posted June 9, 2010 Share Posted June 9, 2010 Ya, I definately support this :). Link to comment Share on other sites More sharing options...
Wojciech Rebis Posted September 27, 2010 Share Posted September 27, 2010 Also add this to the .htaccess to force SSL in the admin directory:RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://forums.domain.com%{REQUEST_URI} A more flexible version of this rule: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} It might not work always, but for most cases it will work well. Link to comment Share on other sites More sharing options...
Gros Blaireau Posted July 25, 2011 Share Posted July 25, 2011 Modify the following file to something like this: /admin/sources/classes/output/adminOutput.php - Line 132 ... /* Update paths and such */ $this->settings['base_url'] = $this->settings['_original_base_url']; $this->settings['public_url'] = $this->settings['_original_base_url'] . '/index.php?'; $this->settings['_original_base_url'] = str_replace( 'http://', 'https://', $this->settings['_original_base_url'] ); $this->settings['public_url'] = str_replace( 'http://', 'https://', $this->settings['public_url'] ); $this->settings['base_url'] = str_replace( 'http://', 'https://', $this->settings['base_url'] ); $this->settings['public_dir'] = str_replace( 'http://', 'https://', $this->settings['public_dir'] ); Also add this to the .htaccess to force SSL in the admin directory: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://forums.domain.com%{REQUEST_URI} This will make the admin section work almost completely via SSL. Only some images and javascript files aren't loading via SSL which isn't that important. Please note that you first need to have a safe working and installed SSL certificate at your server before this works. I hope this get implemented at a more fancy way in IPB3 as standard option. Thank you very much for this piece of code Joriz. Link to comment Share on other sites More sharing options...
action-reaction Posted February 29, 2012 Share Posted February 29, 2012 Modify the following file to something like this: /admin/sources/classes/output/adminOutput.php - Line 132 ... /* Update paths and such */ $this->settings['base_url'] = $this->settings['_original_base_url']; $this->settings['public_url'] = $this->settings['_original_base_url'] . '/index.php?'; $this->settings['_original_base_url'] = str_replace( 'http://', 'https://', $this->settings['_original_base_url'] ); $this->settings['public_url'] = str_replace( 'http://', 'https://', $this->settings['public_url'] ); $this->settings['base_url'] = str_replace( 'http://', 'https://', $this->settings['base_url'] ); $this->settings['public_dir'] = str_replace( 'http://', 'https://', $this->settings['public_dir'] ); Also add this to the .htaccess to force SSL in the admin directory: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://forums.domain.com%{REQUEST_URI} This will make the admin section work almost completely via SSL. Only some images and javascript files aren't loading via SSL which isn't that important. Please note that you first need to have a safe working and installed SSL certificate at your server before this works. I hope this get implemented at a more fancy way in IPB3 as standard option. Is there an update for this nice code, please ? Link to comment Share on other sites More sharing options...
action-reaction Posted April 5, 2012 Share Posted April 5, 2012 Once again, it doesn't work with the new release... :dry: Hey staff : JUST ADD THIS OPTION ONCE FOR ALL, EVERYBODY WANT IT ! Link to comment Share on other sites More sharing options...
Mrdoodle Posted October 19, 2012 Share Posted October 19, 2012 Im going to wake up this old thread. This could still be a usefull feature. The issue now, is that the admin portion of the board uses features from the regular forum section. So forcing SSL using htaccess will make some browser not display the unsecured content, ie css, javascripts and such, so the admin CP will be a bit messed up. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.