1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Securing (All) Content via HTTPS?

Discussion in 'General XenForo Discussion and Feedback' started by Sub6Alec, Jun 11, 2012.

  1. Sub6Alec

    Sub6Alec Member


    We're looking to move a XF installation to be 100% secure (eg. everything behind SSL) but issues persist due to user content that is served from non-secure URL's. Is anyone aware of a solution to this that already exists - such as caching the content and then serving securely?

    To be honest, I've not looked into this much yet but figured I would post here in case there is something already available or something I should look for.

    Thanks in advance!
  2. Slavik

    Slavik XenForo Moderator Staff Member

    To the best of my knowledge it just isn't doable without disabling all outside content.
  3. whyweprotest

    whyweprotest Well-Known Member

    Hi, I wrote a little addon that changes the image bbcode and prepends it with a hashed link to an image proxy running: https://github.com/atmos/camo example url:


    The proxy actually runs on another server, the location /asset-proxy/ is done with an nginx upstream entry. No idea how to do that with apache.

    The only thing that remains to be fixed is mixed content warnings when people insert the image in the tinymce editor, the javascript loads the image from its original location, considering there's a use of a private key to compose the url, that is a bit more tricky. It's by all means not an elegant plugin as it is and still needs optimizing, but haven't found a developer to give it a look. If you want to give it a try, or hire someone we can split the cost if you like, and I won't mind sharing.

    The only reason I didn't release it is that it's not optimal, lacks the tinymce part and needs more work.

    Feel free to ask questions.
  4. Sub6Alec

    Sub6Alec Member

    Thank you for the responses. We'll likely leave this as is for now, securing the login page, but it would be a nice addon or standard feature in the future for consideration considering the security implications.
  5. Floren

    Floren Well-Known Member

    How do you secure only the login page? There is a chunk of login code at the top of each page, it would require that your container is secured also. At least from my perspective, if you want to have your user login safe. Personally, I secure my forums with SSL and block external images with censoring tool. If the censoring tool would have regex capabilities on both sides, it would be very easy to transform a non secure link into a secure one, passing the data through your domain. Of course this will add to your bandwidth usage instead of the external site, for every image hosted outside.
  6. Sub6Alec

    Sub6Alec Member

    It's still on my list of things to look into either this week or early next week. At the absolute very least we can force the login POST action to always go over an encrypted connection (for the client <> server password exchange) which is better than nothing... outside of the browser warnings. But, to be fair, I've not played around with XF code nearly as much as I should and therefore I'll need to do a good bit of sleuthing before we can determine what is both feasible and within reason. Things like Twitter, Facebook, Gravatar, Google API's and such all need to be looked at from a 3 second scan of the code.

    In light of the recent security exploits we, as everyone should, are looking at all aspects of our security to see what improvements can be made!
  7. Floren

    Floren Well-Known Member

    Just host the entire forums through SSL, is the proper way to do it.
    And use OpenSSL 1.0.1c, not the crazy old versions available in CentOS. :)
  8. Sub6Alec

    Sub6Alec Member

    Of course, and that's what we're looking to do - which is easy if we disallow remote content... was trying to work around that a bit as posting remote content helps a community thrive in many instances.
  9. Dinh Thanh

    Dinh Thanh Well-Known Member

    I like your proxy project.
    Could you tell us how to install it?

Share This Page