Community

SSL on login/register pages

Feature Requests
  • Charly86C

    Hi guys,

    I've setup nodebb on a VPS and I'm very happy with it.
    My site is able to do SSL but I would like to make more secure login/register.
    Of course I could redirect all http to https traffic but it's not what I want, for basic reading I don't think we need this overhead.
    What I've done so far is on Apache config force redirection to SSL on login and register pages like this

    RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/login https://%{SERVER_NAME}/login [R,L]
RewriteRule ^/register https://%{SERVER_NAME}/register [R,L]

    Well in fact the redirection does not work as expected (maybe due to browser/apache cache), when I'm on home page and I click on login, I'm not going to https until I click on "refresh" button on the browser when I'm on login page.
    So I tried to modify the file in the theme (menu.tpl) file by hardcoding as follow

     <!-- IF allowRegistration -->
    <li>
        <a href="https://community.mywebsite.com/register">
          <i class="fa fa-pencil visible-xs-inline"></i>
          <span>[[global:register]]</span>
        </a>
    </li>
<!-- ENDIF allowRegistration -->
<li>
    <a href="https://community.mywebsite.com/login">
      <i class="fa fa-sign-in visible-xs-inline"></i>
      <span>[[global:login]]</span>
    </a>
</li>

    This one does work fine but I don't like it because each theme update will break the modification

    So do you think we could modify something on nodebb to allow SSL on login/register pages ? Below are solutions I thought about in my preference order :

    • have an option on ADMIN GUI settings to force SSL on login/register pages
    • have same option in a configuration file (if it easier to do)
    • have a warning (like danger zone) on register/login page saying user that it's not SSL enable and provide link to click on that will redirect to same page with SSL

    Hope all of this makes sense.

    Thank you very much for your help

    0
  • psychobunnyP

    In my opinion if you have the ability to add SSL, do it for all pages (in fact we do recommend it)

    Think about private chats, posts on private categories. Surely worth the overhead, which I'm sure on a decent VPS is barely noticeable?

    1
  • psychobunnyP

    If you really insist though, I suggest using the custom JS panel in ACP, instead of rewriting templates (as you say, it will be a pain to merge later)

    Use jQuery to detect the action:ajaxify.start event on window to detect the URL (login/register) then if it matches force a redirect via window.history.location = ''

    If you can't figure it out I'll be happy to write it for you. But as I said, you may as well enable SSL throughout, it is the best option.

    0
  • Charly86C

    Hey, good point about private chat and categories, you're right, should have took this decision before, 2 min with nginx 😉

    Thanks

    0
  • Charly86C

    And for those who're interested here the trick on nginx (mine on /etc/nginx/sites-enables/default) for nodebb

    #################################
# community.yourgreatdomain.com #
#################################
server {
    listen   80;
    server_name community.yourgreatdomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen   443 ssl;
    server_name community.yourgreatdomain.com;
    ssl_certificate     /etc/ssl/community.yourgreatdomain.com.chain.crt;
    ssl_certificate_key /etc/ssl/community.yourgreatdomain.com.key;

    location / {
        proxy_pass  http://localhost:4567/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_buffering   off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
    1

Suggested Topics

Copyright © 2023 NodeBB | Contributors