Securing Logins

[Cylus Maxii]

Can we please implement https for login?

[FishPants]

I'll look into it.. I'm hesitant to enhance this version much, but it's a reasonable request. I'll see what the effort is to purchase a cert, and then rewrite URLs to https.

[FishPants]

Can we please implement https for login?

I ordered (and installed) an SSL certificate.. Do me a favour please and try to use the site using https:// and let me know if any problems (before I force this site wide). I think I'll just make the whole damn site SSL rather then doing URL rewriting for login and registration pages.

[stessier]

Works for me using Chrome and prosilver.

[FishPants]

Ok well I added a rewrite in htaccess to force SSL. Let me know if any problems (I also forced all cookies to use secure, so you might get logged out until you relogin under https.. maybe not.. the intertubez is muddy on this).

Anyways good suggestion, thanks.

[stessier]

I didn't get logged out, but all the graphics were reloaded (noticed most on the smilies as they popped in rather slowly). No slow down in speed after the first visit to each board, though.

[Isgrimnur]

You broke Tapatalk.

[FishPants]

You broke Tapatalk.

I apparently need to login to tapatalk to configure the dashboard.. I have six passwords in lastpass for tapatalk, none of them work (lastpass and tapatalk never get along...).. So I do a password reset, it never sends me the email to reset the password.

I'll wait and see, but as usual Tapatalk is a bit of a gong show.

[GreenGoo]

When I post, the redirect afterwards is broken. from the url it looks like it's tacking on the port number (80 which is standard http. If the port is hard coded, should be 443, no?).

I'll grab the URL and post it here for you, just a sec.

edit: here's the URL from the first time I posted this post.

Code: Select all

https://www.octopusoverlords.com:80/forum/viewtopic.php?f=10&t=94323&p=2467947#p2467947

That's the redirect after the "message has been posted successfully" page, and it fails.

edit2: Removing the port number fixes the URL, fyi. So whatever is inserting the :80 on the end of the domain is breaking it.

edit3: changing :80 to :443 also works, fyi.

[FishPants]

You broke Tapatalk.

I'm relying using the stupid app. Think I fixed it.


Sent from my iPhone using Tapatalk

[Isgrimnur]

I'm back in through the app. Thank you.

[FishPants]

When I post, the redirect afterwards is broken. from the url it looks like it's tacking on the port number (80 which is standard http. If the port is hard coded, should be 443, no?).

I'll grab the URL and post it here for you, just a sec.

edit: here's the URL from the first time I posted this post.

Code: Select all

https://www.octopusoverlords.com:80/forum/viewtopic.php?f=10&t=94323&p=2467947#p2467947

That's the redirect after the "message has been posted successfully" page, and it fails.

edit2: Removing the port number fixes the URL, fyi. So whatever is inserting the :80 on the end of the domain is breaking it.

edit3: changing :80 to :443 also works, fyi.

Thanks.. I turned off all rewriting in apache and it was still doing it.. found another setting in PHPbb3 that I mucked with, reversed that and it seemed to fix it.. Going to turn rewriting back on and see if the stupid hard coded port comes back (seriously who hard codes a f'ing port).

[FishPants]

Ok I think I have HTTPS rewriting working again, and the referral link after posting working as well as Tapatalk restored. Phew.

[GreenGoo]

Yep, working for me. Nice job.

How painful was it?

[FishPants]

Not bad really.. I ordered a cert through rapidssl (reseller of anyways).. $20 for 3 years, took them about 5-6 hours to cough it up though after I submitted the CSR.

The trouble is every jackwagon on the Internet has a different method of doing the rewrite for phpbb3 in Apache.. Ends up 99% of them were wrong. Ended up using a more generic command (and using a system variable for the domain name instead of a hard code) and forced the redirect.

One of these days soon I need to take a bare metal backup of the system, nuke it and upgrade CENTOS.. We are a few major revisions behind (not end of life yet, but our butt is dragging out the back door a bit). In theory with everything plugging in via virtualmin/webmin, recovery of the website and DBs should be relatively painless. I'll probably test that theory first on a local computer running the latest CENTOS of course before I do that (plus our server hardware is at least 5 years old.. might be time to refresh that as well).

[Isgrimnur]

TT is back to busted.

[GreenGoo]

Hmmm, I wonder if there might be an Apache wrapper or something that leaves the website in http but serves it as https, which would bypass mucking with php completely, although now you're mucking with Apache. Like standard app server/front end stuff, but all running on the same server.

In any case, you've got it running and nice job.

I'm still on CentOS 6 (as are our prod linux boxes) but I'm in no rush.

nmap tells me OO is running on 3? Heh. Ouch.

[FishPants]

TT is back to busted.

Odd not on my end?

Anyone else confirm?


Sent from my iPhone using Tapatalk

[$iljanus]

Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?

[gilraen]

Seems fine on my phone.

Sent from my SM-G900T using Tapatalk

[$iljanus]

Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?

Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.

[GreenGoo]

No sign of ads for me. Is that tapatalk only?

[$iljanus]

Oops yeah it's a tapatalk thing.

[GreenGoo]

Oops yeah it's a tapatalk thing.

No it was clear, I just didn't read your post in context with the other posts around it.

[Isgrimnur]

Back in on the app.

[hentzau]

I had to kill tapatalk to get back in, but I'm in OK now. Thanks!

[Zarathud]

Same here -- but had to quit OO and resubscribe in Tapatalk.

[$iljanus]

Are all the tapatalk users seeing ads now or have they always have had ads and I'm just seeing them now?

[Cylus Maxii]

Can we please implement https for login?

I ordered (and installed) an SSL certificate.. Do me a favour please and try to use the site using https:// and let me know if any problems (before I force this site wide). I think I'll just make the whole damn site SSL rather then doing URL rewriting for login and registration pages.

Thanks for this effort! Everything works for me with Edge, Firefox and Tapatalk. I did have to kill TT after it erred the first time, and then it prompted for password the next time.

[stessier]

I came home and am using an android tablet. It says the certificate comes from an untrusted source and i had to agree coming here was unsafe.

[TheMix]

coming here was unsafe.

Well that's a given. Isn't it?

[stessier]

Yeah, but hadn't realizsd it was documented.

[FishPants]

I came home and am using an android tablet. It says the certificate comes from an untrusted source and i had to agree coming here was unsafe.

No, cert is from rapidssl this is not a self signed cert. Is this an old android? Maybe I need to install ca chain certain too..?

[FishPants]

Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?

Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.

Oh hell no. I'm on the road for a kiddo competition and am watching the baseball game on my laptop.. I'll check the dashboard in a bit and see what's up with that.

[Jolor]

Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

In via Chrome OK.

[FishPants]

Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

In via Chrome OK.

Can you view the cert in Firefox? Sounds like I need to install intermediary certs.

[FishPants]

Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?

Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.

Logged in, tapatalk now wants ME to pay $60 to not enable ads. Fuck them. This app is borderline malware, but I'm not paying them a red cent.

Sorry guys, looks like now you get ads.

[$iljanus]

Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?

Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.

Logged in, tapatalk now wants ME to pay $60 to not enable ads. Fuck them. This app is borderline malware, but I'm not paying them a red cent.

Sorry guys, looks like now you get ads.

No need to apologize. I wonder if there's another app that's similar? Tapatalk is easier to read and use on my phone but the ads are really intrusive to me. I could pony up some cash to buy the ad free user version I guess or get used to it until I click on an ad by mistake.

[Jolor]

Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

In via Chrome OK.

Can you view the cert in Firefox? Sounds like I need to install intermediary certs.

Yes. Anything you want me to look for, specifically?

[FishPants]

Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

In via Chrome OK.

Can you view the cert in Firefox? Sounds like I need to install intermediary certs.

Yes. Anything you want me to look for, specifically?

Does it show it being a rapidssl cert? And you are using the oo URL?


Sent from my iPhone using Tapatalk