Page 1 of 3
Securing Logins
Posted: Wed Apr 26, 2017 6:35 pm
by Cylus Maxii
Can we please implement https for login?
Re: Securing Logins
Posted: Fri Apr 28, 2017 8:07 am
by FishPants
I'll look into it.. I'm hesitant to enhance this version much, but it's a reasonable request. I'll see what the effort is to purchase a cert, and then rewrite URLs to https.
Re: Securing Logins
Posted: Fri Apr 28, 2017 1:32 pm
by FishPants
Cylus Maxii wrote:Can we please implement https for login?
I ordered (and installed) an SSL certificate.. Do me a favour please and try to use the site using https:// and let me know if any problems (before I force this site wide). I think I'll just make the whole damn site SSL rather then doing URL rewriting for login and registration pages.
Re: Securing Logins
Posted: Fri Apr 28, 2017 1:44 pm
by stessier
Works for me using Chrome and prosilver.
Re: Securing Logins
Posted: Fri Apr 28, 2017 1:58 pm
by FishPants
Ok well I added a rewrite in htaccess to force SSL. Let me know if any problems (I also forced all cookies to use secure, so you might get logged out until you relogin under https.. maybe not.. the intertubez is muddy on this).
Anyways good suggestion, thanks.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:00 pm
by stessier
I didn't get logged out, but all the graphics were reloaded (noticed most on the smilies as they popped in rather slowly). No slow down in speed after the first visit to each board, though.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:07 pm
by Isgrimnur
You broke Tapatalk.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:16 pm
by FishPants
Isgrimnur wrote:You broke Tapatalk.
I apparently need to login to tapatalk to configure the dashboard.. I have six passwords in lastpass for tapatalk, none of them work (lastpass and tapatalk never get along...).. So I do a password reset, it never sends me the email to reset the password.
I'll wait and see, but as usual Tapatalk is a bit of a gong show.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:22 pm
by GreenGoo
When I post, the redirect afterwards is broken. from the url it looks like it's tacking on the port number (80 which is standard http. If the port is hard coded, should be 443, no?).
I'll grab the URL and post it here for you, just a sec.
edit: here's the URL from the first time I posted this post.
Code: Select all
https://www.octopusoverlords.com:80/forum/viewtopic.php?f=10&t=94323&p=2467947#p2467947
That's the redirect after the "message has been posted successfully" page, and it fails.
edit2: Removing the port number fixes the URL, fyi. So whatever is inserting the :80 on the end of the domain is breaking it.
edit3: changing :80 to :443 also works, fyi.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:23 pm
by FishPants
Isgrimnur wrote:You broke Tapatalk.
I'm relying using the stupid app. Think I fixed it.
Sent from my iPhone using Tapatalk
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:27 pm
by Isgrimnur
I'm back in through the app. Thank you.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:31 pm
by FishPants
GreenGoo wrote:When I post, the redirect afterwards is broken. from the url it looks like it's tacking on the port number (80 which is standard http. If the port is hard coded, should be 443, no?).
I'll grab the URL and post it here for you, just a sec.
edit: here's the URL from the first time I posted this post.
Code: Select all
https://www.octopusoverlords.com:80/forum/viewtopic.php?f=10&t=94323&p=2467947#p2467947
That's the redirect after the "message has been posted successfully" page, and it fails.
edit2: Removing the port number fixes the URL, fyi. So whatever is inserting the :80 on the end of the domain is breaking it.
edit3: changing :80 to :443 also works, fyi.
Thanks.. I turned off all rewriting in apache and it was still doing it.. found another setting in PHPbb3 that I mucked with, reversed that and it seemed to fix it.. Going to turn rewriting back on and see if the stupid hard coded port comes back (seriously who hard codes a f'ing port).
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:34 pm
by FishPants
Ok I think I have HTTPS rewriting working again, and the referral link after posting working as well as Tapatalk restored. Phew.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:36 pm
by GreenGoo
Yep, working for me. Nice job.
How painful was it?
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:39 pm
by FishPants
Not bad really.. I ordered a cert through rapidssl (reseller of anyways).. $20 for 3 years, took them about 5-6 hours to cough it up though after I submitted the CSR.
The trouble is every jackwagon on the Internet has a different method of doing the rewrite for phpbb3 in Apache.. Ends up 99% of them were wrong. Ended up using a more generic command (and using a system variable for the domain name instead of a hard code) and forced the redirect.
One of these days soon I need to take a bare metal backup of the system, nuke it and upgrade CENTOS.. We are a few major revisions behind (not end of life yet, but our butt is dragging out the back door a bit). In theory with everything plugging in via virtualmin/webmin, recovery of the website and DBs should be relatively painless. I'll probably test that theory first on a local computer running the latest CENTOS of course before I do that (plus our server hardware is at least 5 years old.. might be time to refresh that as well).
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:51 pm
by Isgrimnur
TT is back to busted.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:53 pm
by GreenGoo
Hmmm, I wonder if there might be an Apache wrapper or something that leaves the website in http but serves it as https, which would bypass mucking with php completely, although now you're mucking with Apache. Like standard app server/front end stuff, but all running on the same server.
In any case, you've got it running and nice job.
I'm still on CentOS 6 (as are our prod linux boxes) but I'm in no rush.
nmap tells me OO is running on 3? Heh. Ouch.
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:54 pm
by FishPants
Isgrimnur wrote:TT is back to busted.
Odd not on my end?
Anyone else confirm?
Sent from my iPhone using Tapatalk
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:56 pm
by $iljanus
Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:57 pm
by gilraen
Seems fine on my phone.
Sent from my SM-G900T using Tapatalk
Re: Securing Logins
Posted: Fri Apr 28, 2017 2:57 pm
by $iljanus
$iljanus wrote:Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?
Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.
Re: Securing Logins
Posted: Fri Apr 28, 2017 3:01 pm
by GreenGoo
No sign of ads for me. Is that tapatalk only?
Re: Securing Logins
Posted: Fri Apr 28, 2017 3:02 pm
by $iljanus
Oops yeah it's a tapatalk thing.
Re: Securing Logins
Posted: Fri Apr 28, 2017 3:06 pm
by GreenGoo
$iljanus wrote:Oops yeah it's a tapatalk thing.
No it was clear, I just didn't read your post in context with the other posts around it.
Re: Securing Logins
Posted: Fri Apr 28, 2017 3:15 pm
by Isgrimnur
Back in on the app.
Re: Securing Logins
Posted: Fri Apr 28, 2017 4:05 pm
by hentzau
I had to kill tapatalk to get back in, but I'm in OK now. Thanks!
Re: Securing Logins
Posted: Fri Apr 28, 2017 4:25 pm
by Zarathud
Same here -- but had to quit OO and resubscribe in Tapatalk.
Re: Securing Logins
Posted: Fri Apr 28, 2017 5:00 pm
by $iljanus
Are all the tapatalk users seeing ads now or have they always have had ads and I'm just seeing them now?
Re: Securing Logins
Posted: Fri Apr 28, 2017 5:58 pm
by Cylus Maxii
FishPants wrote:Cylus Maxii wrote:Can we please implement https for login?
I ordered (and installed) an SSL certificate.. Do me a favour please and try to use the site using https:// and let me know if any problems (before I force this site wide). I think I'll just make the whole damn site SSL rather then doing URL rewriting for login and registration pages.
Thanks for this effort! Everything works for me with Edge, Firefox and Tapatalk. I did have to kill TT after it erred the first time, and then it prompted for password the next time.
Re: Securing Logins
Posted: Fri Apr 28, 2017 6:04 pm
by stessier
I came home and am using an android tablet. It says the certificate comes from an untrusted source and i had to agree coming here was unsafe.
Re: Securing Logins
Posted: Fri Apr 28, 2017 6:11 pm
by TheMix
stessier wrote:coming here was unsafe.
Well that's a given. Isn't it?
Re: Securing Logins
Posted: Fri Apr 28, 2017 6:25 pm
by stessier
Yeah, but hadn't realizsd it was documented.
Re: Securing Logins
Posted: Fri Apr 28, 2017 8:33 pm
by FishPants
stessier wrote:I came home and am using an android tablet. It says the certificate comes from an untrusted source and i had to agree coming here was unsafe.
No, cert is from rapidssl this is not a self signed cert. Is this an old android? Maybe I need to install ca chain certain too..?
Re: Securing Logins
Posted: Fri Apr 28, 2017 8:34 pm
by FishPants
$iljanus wrote:$iljanus wrote:Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?
Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.
Oh hell no. I'm on the road for a kiddo competition and am watching the baseball game on my laptop.. I'll check the dashboard in a bit and see what's up with that.
Re: Securing Logins
Posted: Fri Apr 28, 2017 8:44 pm
by Jolor
Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
In via Chrome OK.
Re: Securing Logins
Posted: Fri Apr 28, 2017 8:46 pm
by FishPants
Jolor wrote:Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
In via Chrome OK.
Can you view the cert in Firefox? Sounds like I need to install intermediary certs.
Re: Securing Logins
Posted: Fri Apr 28, 2017 8:51 pm
by FishPants
$iljanus wrote:$iljanus wrote:Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?
Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.
Logged in, tapatalk now wants ME to pay $60 to not enable ads. Fuck them. This app is borderline malware, but I'm not paying them a red cent.
Sorry guys, looks like now you get ads.
Re: Securing Logins
Posted: Fri Apr 28, 2017 9:01 pm
by $iljanus
FishPants wrote:$iljanus wrote:$iljanus wrote:Tapatalk was busted for me around 2:30ish EST but is fine now. Perhaps relogging in will fix it?
Uggh we have ads now though. Didn't have any before. My ad suggests ways to see if your spouse is cheating. Pretty tacky crap.
Logged in, tapatalk now wants ME to pay $60 to not enable ads. Fuck them. This app is borderline malware, but I'm not paying them a red cent.
Sorry guys, looks like now you get ads.
No need to apologize. I wonder if there's another app that's similar? Tapatalk is easier to read and use on my phone but the ads are really intrusive to me. I could pony up some cash to buy the ad free user version I guess or get used to it until I click on an ad by mistake.
Re: Securing Logins
Posted: Fri Apr 28, 2017 9:07 pm
by Jolor
FishPants wrote:Jolor wrote:Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
In via Chrome OK.
Can you view the cert in Firefox? Sounds like I need to install intermediary certs.
Yes. Anything you want me to look for, specifically?
Re: Securing Logins
Posted: Fri Apr 28, 2017 9:42 pm
by FishPants
Jolor wrote:FishPants wrote:Jolor wrote:Firefox 53.0 does not allow:
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
In via Chrome OK.
Can you view the cert in Firefox? Sounds like I need to install intermediary certs.
Yes. Anything you want me to look for, specifically?
Does it show it being a rapidssl cert? And you are using the oo URL?
Sent from my iPhone using Tapatalk