SSL on login/register pages
-
Hi guys,
I've setup nodebb on a VPS and I'm very happy with it.
My site is able to do SSL but I would like to make login/register more secure.
Of course I could redirect all http to https traffic but it's not what I want, for basic reading I don't think we need this overhead.
What I've done so far is in the Apache config, forcing redirection to SSL on the login and register pages like this:
    # A RewriteCond only applies to the RewriteRule directly after it, so each
    # rule needs its own "not already on port 443" condition; otherwise the
    # /register rule keeps redirecting to itself once the request is on https.
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/login https://%{SERVER_NAME}/login [R,L]
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/register https://%{SERVER_NAME}/register [R,L]
Well in fact the redirection does not work as expected (maybe due to browser/apache cache), when I'm on home page and I click on login, I'm not going to https until I click on "refresh" button on the browser when I'm on login page.
So I tried to modify the file in the theme (menu.tpl) by hardcoding it as follows:
    <!-- IF allowRegistration -->
    <li>
        <a href="https://community.mywebsite.com/register">
            <i class="fa fa-pencil visible-xs-inline"></i>
            <span>[[global:register]]</span>
        </a>
    </li>
    <!-- ENDIF allowRegistration -->
    <li>
        <a href="https://community.mywebsite.com/login">
            <i class="fa fa-sign-in visible-xs-inline"></i>
            <span>[[global:login]]</span>
        </a>
    </li>
This one does work fine but I don't like it because each theme update will break the modification.
So do you think we could modify something in nodebb to allow SSL on the login/register pages? Below are the solutions I thought about, in my order of preference:
- have an option on ADMIN GUI settings to force SSL on login/register pages
- have the same option in a configuration file (if it is easier to do)
- have a warning (like a danger zone) on the register/login page telling the user that it's not SSL enabled and providing a link that redirects to the same page with SSL
Hope all of this makes sense.
Thank you very much for your help
-
In my opinion if you have the ability to add SSL, do it for all pages (in fact we do recommend it)
Think about private chats, posts on private categories. Surely worth the overhead, which I'm sure on a decent VPS is barely noticeable?
-
If you really insist though, I suggest using the custom JS panel in ACP, instead of rewriting templates (as you say, it will be a pain to merge later)
Use jQuery to detect the action:ajaxify.start event on window to detect the URL (login/register), then if it matches force a redirect via window.history.location = ''
If you can't figure it out I'll be happy to write it for you. But as I said, you may as well enable SSL throughout, it is the best option.
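The approach described in this reply, written out as an added example (it is not NodeBB's code nor the replier's). It assumes NodeBB triggers action:ajaxify.start on window with a data object whose url property is the path being navigated to, and uses window.location.replace for the actual redirect; a direct page load over http is checked once at startup, since the ajaxify event only fires for client-side navigation.

```javascript
// Added example: force HTTPS for login/register only, leaving other pages on
// plain HTTP. Meant to be pasted into the ACP custom JS panel.
const SECURE_PATHS = ['login', 'register'];

// Decide whether a navigation must be bounced to HTTPS.
// Returns the absolute https:// URL to load, or null when no redirect is needed.
function secureRedirectTarget(path, protocol, host) {
  // ajaxify paths may or may not carry a leading slash; strip it, then take the
  // first path segment (ignoring any query string or fragment).
  const rel = String(path || '').replace(/^\/+/, '');
  const first = rel.split(/[/?#]/)[0];
  if (!SECURE_PATHS.includes(first)) {
    return null; // ordinary page: keep whatever scheme the visitor is on
  }
  if (protocol === 'https:') {
    return null; // already secure: must not redirect again, or we loop
  }
  return 'https://' + host + '/' + rel;
}

// Browser wiring, guarded so the function above can also be loaded outside a
// browser for testing.
if (typeof window !== 'undefined' && typeof window.$ === 'function') {
  // Case 1: the page was loaded directly (or refreshed) over http.
  const initial = secureRedirectTarget(
    window.location.pathname, window.location.protocol, window.location.host);
  if (initial) {
    window.location.replace(initial);
  }
  // Case 2: client-side navigation; assumed event name and data.url field.
  window.$(window).on('action:ajaxify.start', function (ev, data) {
    const target = secureRedirectTarget(
      data && data.url, window.location.protocol, window.location.host);
    if (target) {
      window.location.replace(target); // full page load over TLS
    }
  });
}
```

This only covers the credential submission itself; the session cookie issued afterwards still travels over the plain-HTTP pages unless it carries the Secure flag, which is why the reply recommends TLS site-wide.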
-
And for those who are interested, here is the trick on nginx (mine is in /etc/nginx/sites-enabled/default) for nodebb:
    #################################
    # community.yourgreatdomain.com #
    #################################
    server {
        listen 80;
        server_name community.yourgreatdomain.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name community.yourgreatdomain.com;
        ssl_certificate /etc/ssl/community.yourgreatdomain.com.chain.crt;
        ssl_certificate_key /etc/ssl/community.yourgreatdomain.com.key;

        location / {
            proxy_pass http://localhost:4567/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }