Securing (All) Content via HTTPS?

Sub6Alec

Member
Hi,

We're looking to move an XF installation to be 100% secure (e.g. everything behind SSL) but issues persist due to user content that is served from non-secure URLs. Is anyone aware of a solution to this that already exists - such as caching the content and then serving securely?

To be honest, I've not looked into this much yet but figured I would post here in case there is something already available or something I should look for.

Thanks in advance!
 

To the best of my knowledge it just isn't doable without disabling all outside content.
 
Hi, I wrote a little addon that changes the image BBCode and prepends it with a hashed link to an image proxy running https://github.com/atmos/camo. Example URL:

https://whyweprotest.net/asset-prox...es.wordpress.com/2011/09/ted-stevens-wins.jpg

The proxy actually runs on another server; the location /asset-proxy/ is done with an nginx upstream entry. No idea how to do that with Apache.

The only thing that remains to be fixed is mixed content warnings when people insert the image in the TinyMCE editor: the JavaScript loads the image from its original location, and considering there's a use of a private key to compose the URL, that is a bit more tricky. It's by all means not an elegant plugin as it is and still needs optimizing, but I haven't found a developer to give it a look. If you want to give it a try, or hire someone, we can split the cost if you like, and I won't mind sharing.

The only reason I didn't release it is that it's not optimal, lacks the TinyMCE part and needs more work.

Feel free to ask questions.
 
Thank you for the responses. We'll likely leave this as is for now, securing the login page, but it would be a nice addon or standard feature in the future for consideration considering the security implications.
 
How do you secure only the login page? There is a chunk of login code at the top of each page; it would require that your container is secured also, at least from my perspective, if you want to have your user login safe. Personally, I secure my forums with SSL and block external images with a censoring tool. If the censoring tool had regex capabilities on both sides, it would be very easy to transform a non-secure link into a secure one, passing the data through your domain. Of course this will add to your bandwidth usage instead of the external site's, for every image hosted outside.
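Both the proxy addon described earlier in the thread and the regex idea in this reply come down to the same mechanism: rewrite each plain-http image link into an HTTPS URL on your own domain that a proxy then fetches on the user's behalf, and sign that URL so the proxy only serves links the forum itself produced rather than acting as an open proxy. The following Python sketch is an added example written for this thread; it is not the addon from the post above nor camo's own code. It assumes the camo-style path layout `<base>/<hmac-sha1 hex digest>/<hex-encoded upstream URL>`, a constructed shared key, and a proxy mounted at the /asset-proxy/ location mentioned earlier; only `http://` images are rewritten, since `https://` images cause no mixed-content warning.

```python
import hmac
import hashlib
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder: the shared secret between the forum and the proxy.
PROXY_KEY = b"change-me-shared-secret"
# Assumed public location of the proxy (served by nginx via an upstream entry).
PROXY_BASE = "https://forum.example/asset-proxy"


def sign_url(url: str, key: bytes = PROXY_KEY) -> str:
    """Forum side: build a camo-style proxied URL.

    Layout: <base>/<hmac-sha1 hex>/<hex-encoded url>. The HMAC over the
    upstream URL means only URLs the forum signed are accepted by the proxy.
    """
    digest = hmac.new(key, url.encode("utf-8"), hashlib.sha1).hexdigest()
    return f"{PROXY_BASE}/{digest}/{url.encode('utf-8').hex()}"


def verify_request(path: str, key: bytes = PROXY_KEY) -> Optional[str]:
    """Proxy side: parse '/<digest>/<hexurl>' and return the upstream URL
    only if the digest is valid; otherwise return None (the proxy should 404).
    """
    m = re.fullmatch(r"/([0-9a-f]{40})/([0-9a-f]+)", path)
    if not m:
        return None
    digest, hexurl = m.groups()
    try:
        url = bytes.fromhex(hexurl).decode("utf-8")
    except ValueError:
        return None
    expected = hmac.new(key, url.encode("utf-8"), hashlib.sha1).hexdigest()
    # Constant-time comparison so a forged digest cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, digest):
        return None
    # Even with a valid signature, only fetch web URLs (no file://, ftp://, etc.).
    if urlparse(url).scheme not in ("http", "https"):
        return None
    return url


# Matches [img]http://...[/img] tags (case-insensitive); https tags are untouched.
IMG_RE = re.compile(r"\[img\](http://[^\[\]\s]+)\[/img\]", re.IGNORECASE)


def rewrite_bbcode(text: str) -> str:
    """Rewrite every plain-http [img] tag so the browser loads it via the proxy."""
    return IMG_RE.sub(lambda m: f"[img]{sign_url(m.group(1))}[/img]", text)


if __name__ == "__main__":
    # Constructed sample post text.
    post = "look: [img]http://pics.example/a.png[/img] and [img]https://pics.example/b.png[/img]"
    rewritten = rewrite_bbcode(post)
    print(rewritten)
    proxied = IMG_RE.sub("", "")  # no-op; just to show the proxy-side call below
    path = sign_url("http://pics.example/a.png")[len(PROXY_BASE):]
    print("proxy would fetch:", verify_request(path))
```

The rewrite happens at post-save or render time, so the signing key never leaves the server; that is also why the TinyMCE preview mentioned above is the awkward part, since client-side JavaScript cannot sign URLs without exposing the key.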
 
It's still on my list of things to look into either this week or early next week. At the absolute very least we can force the login POST action to always go over an encrypted connection (for the client <> server password exchange), which is better than nothing... outside of the browser warnings. But, to be fair, I've not played around with XF code nearly as much as I should and therefore I'll need to do a good bit of sleuthing before we can determine what is both feasible and within reason. Things like Twitter, Facebook, Gravatar, Google APIs and such all need to be looked at, from a 3-second scan of the code.

In light of the recent security exploits we, as everyone should, are looking at all aspects of our security to see what improvements can be made!
 
Of course, and that's what we're looking to do - which is easy if we disallow remote content... was trying to work around that a bit as posting remote content helps a community thrive in many instances.
 

I like your proxy project.
Could you tell us how to install it?
 