miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
Custom Tutorials and Modifications miniBB Support Forums / Custom Tutorials and Modifications /  
 

Switching your forum or domain properly to SSL / https

 
Author Paul
Lead Developer 
#1 | Posted: 17 Jul 2020 16:29 
This guide will help you to complete some extra steps, when switching a regular domain, which starts from 'http://', to a secure domain, which starts with 'https://' – this all actually means you have to purchase and install an SSL certificate, which could be of various security level and therefore price. Usually it all could be done with your hosting provider's powers; but you could also to install it on your own.

Introducing SSL on your domain, you should be aware of the following: while a regular domain would load in any outdated browser, a secured domain with the modern certificate will not. Truly old browsers, and their will owners be unable to read your website. Installing SSL, you would actually cut-off bits of insecure traffic.

After SSL is installed and 'https' is on, keep the regular version of your domain alive and pointing to the same website. In the guide below, I'll describe how to set up a proper redirection from 'http' to 'https', but you could also run both versions, despite it's not about SEO.

This guide also supposes you already have miniBB program installed and running.

1. VERIFY YOUR SSL

Initially, before we go to anything else, after installing an SSL certificate test your updated domain using some online tool, which would validate its security leaks; I've used Why No Padlock:

Why No Padlock – test results

For more detailed results, try the SSL labs test tool.

Your domain should pass all tests and you should have all green ticks in test results like shown above. If some red issue comes up, follow its description, usually it gives everything to search over, and fix it.

If one of the verification sections says "You currently have TLSv1 enabled", and that's why the domain's not fully verified (like it was in my case), then you should disable TLSv1 in your web server configuration. For Apache on Ubuntu, edit /etc/apache2/mods-enabled/ssl.conf and there update the 'SSLProtocol' value with the following:

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Next, we proceed to miniBB software requiring some extra actions, if you run it on a secured domain.

2. SET UP A PROPER REDIRECTION

Look in setup_options.php, and at first, checkt the $main_url setting – URL to your forums should start with 'https://'.

In the same file, you could set up a forced redirection to 'https' if a regular domain has been entered. I know there are a lot of solution for Apache's .htaccess, but most of them I've tried either did not work, either were not compatible with my Apache configuration. Also, if you are on a server other than Apache, the PHP-code solution would work best.

So, for setting up such a redirection, at first, at the very top of setup_options.php, right after the starting <?php tag, add the following code (it determines, if we are on a secured domain or not):

/* Forcing HTTPS redirection – initial step */
if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) {
$add_s='s';
}
else $add_s='';
/* --Forcing HTTPS redirection – initial step */
And closely to the bottom of setup_options.php, before the closing ?>, add the redirection code itself:

/* Forcing SSL redirection */
if($add_s==''){
if(isset($_SERVER['SERVER_PROTOCOL']) and ($_SERVER['SERVER_PROTOCOL']=='HTTP/1.0' or $_SERVER['SERVER_PROTOCOL']=='HTTP/1.1') ) $proto=$_SERVER['SERVER_PROTOCOL']; else $proto='HTTP/1.1';

if(!isset($rheader)) $rheader='Location:';

$link = 'https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

header($proto.' 301 Moved Permanently');
header("{$rheader}{$link}");
exit;

}
/* --Forcing SSL redirection */
This code takes some duplicates from index.php, but that's the only detail of it. It works here on miniBB forums for nearly about 4 months by now, from the date when miniBB switched to https.

3. UPDATE DATABASE

The next step is not necessary for new forums started from scratch; however if you run an existing forum over 'http' and now switched to 'https', it is.

Enter your database tool, phpMyAdmin or anything else from where you could execute SQL commands.

With the command below (substitute your own table name and a domain!), you'll just make obvious that some records in your forum database contain older regular URL:

select count(*) from minibbtable_posts where post_text like '%http://www.minibb.com%';
If result shows 0 records, you probably have to do nothing else from below, supposing you have no references to your URL in forum posts.

Otherwise, executing the commands below you'll update your older domain to a new one (substitute your own table name and a domain!) – this will also replace regular URLs of <IMG> tags:

update minibbtable_posts set post_text=replace(post_text, 'http://www.minibb.com', 'https://www.minibb.com') where post_text like '%http://www.minibb.com%';
Note that the command above searches for, and replaces a strictly lowercase string. You must check for different letter case variations to replace everything (for example, here on miniBB forums I've also replaced the string like 'http://www.miniBB.com').

4. TAKE CARE OF EMBEDDED CONTENT

A big headache about SSL-based domain for a miniBB forum is that by default there's allowed to embed 3rd party contents from external websites, as pictures. In a post, they could be referenced by an [img] or [/imgs] BB code. If such pictures are referenced to a regular non-secured domain, a topic when they appear would contain so called 'mixed' content, and the browser would display an exclamation sign indicating you are loading up insecured contents on a secured domain, like this:

Exclamation of SSL

Or – there could be no exclamation sign at all, and the browser will load such a "mixed content" page in the insecured mode, ignoring SSL.

There's a work-around for eliminating this issue – disable embedding 3rd party images from insecured domains. For this, modify bb_codes.php, look up for [imgs] or [img] tag codes. In these codes, replace http[s]* to just https – it will force external images being embedded from secured URLs only.

I have coded a little script, it shows all posts containing embedded images, which refer to insecured http-URLs. You could easily navigate to such messages and manually edit them, updating the tags with secure links. Download it from here.

Copy msg.php from the Advanced Anchors add-on to your forum, if you didn't it before. The add-on is tied up with this script.
All options are located inside of this script, and you should probably skip modifying them, as defaults work for most configurations. Pay attention: the script could skip checking messages in closed forums, which are hidden from public. For this, set up the following:

$checkClosedForums=TRUE;
My personal recommendation is to keep all external images either referenced to 'https', either stored locally (preferred). Storing on a local server means you never lose an important content (but you already know that nothing lives forever in internet), and it's always compatible with your current security mode. If a referenced picture is closely tied up with the content, always avoid keeping it on a 3rd party server – move to your local storage. We use File Bank add-on for this purpose.

5. GIVE YOUR COMMENTS OR QUESTIONS

This thread is opened for everyone, including guests, giving questions or comments on this subject. Correct me if I'm wrong, or give a candy below. Thanks for attention :)

Author marsbar
Associated Member
#2 | Posted: 18 Jul 2020 15:15 
Hi, Paul.

Thanks so much for putting together this helpful guide!

Regarding step 2 — setting up redirects: I already have my $main_url set as per your recommendation, plus I also have .htaccess rules set up to force http requests to https for my entire site of which my miniBB is a part. Do I still need to implement your PHP solution?

Steps 3 and 4 worked well for me.

And this message is step 5. :)

With thanks,
marsbar

Author tom322
Active Member
#3 | Posted: 19 Jul 2020 05:40 
In point #3, I'd probably check for both www and non-www version of the domain in case some posts contain them or not.

Regarding marsbar's .htaccess question about #2, I use just .htaccess redirections and they are executed before PHP so it's been working for me well and should be enough.

Author Paul
Lead Developer 
#4 | Posted: 19 Jul 2020 14:38 
marsbar:
Do I still need to implement your PHP solution?
If .htaccess is working fine for you, you don't have to apply my codes. Though I must say, PHP redirections for miniBB are more reliable, you dont't have to re-install .htaccess for another Apache version or even server, in common, if you move the forum.

tom322:
I'd probably check for both www and non-www version of the domain in case some posts contain them or not.
This is correct; then my codes just should be just executed twice for www- and non-www domains. For example, amongst the code provided in the Step #3 above execute the similar:

update minibbtable_posts set post_text=replace(post_text, 'http://minibb.com', 'https://www.minibb.com') where post_text like '%http://minibb.com%';

Author marsbar
Associated Member
#5 | Posted: 26 Jul 2020 03:40 
Thank you so much for your advice, Paul and tom322!
Cheers,
marsbar

Custom Tutorials and Modifications miniBB Support Forums / Custom Tutorials and Modifications /
 Switching your forum or domain properly to SSL / https
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Install the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑