Forum version + Web server consideration

Technical support requests for Capitalism Lab
Berbe
Level 3 user
Posts: 94
Joined: Tue Dec 06, 2011 5:16 am

Forum version + Web server consideration

Post by Berbe »

It seems the phpBB forum is currently at version v3.2.1.
v3.2.2 was flagged as an important security release, delivered on January 27th, 2018, while the current version is v3.2.5.

I know it's a pain, but staying at the most recent release helps reduce the chance that you face an even more painful full recovery sooner or later...

More information available:
https://www.phpbb.com/support/documents ... &version=3
https://www.phpbb.com/community/viewforum.php?f=14
Last edited by Berbe on Mon Jan 07, 2019 5:57 pm, edited 1 time in total.
Berbe
Level 3 user
Posts: 94
Joined: Tue Dec 06, 2011 5:16 am

Re: Forum version + Web server considerations

Post by Berbe »

By the way, I see the website & forum are serving pages with the 2 following domains: with the following protocols:
  • HTTP
  • HTTPS
What I noticed is it seems the website redirects HTTP -> HTTPS while keeping the requested domain.
The forum does not do such a redirection.

It is especially worrying that the forum does not perform an immediate HTTP -> HTTPS redirection, as credentials can then be transmitted over a cleartext (i.e. unencrypted) channel.

I would suggest the following:
  1. Make HTTP -> HTTPS redirection mandatory
  2. Restrict the served domain to enlight.com and perform www.enlight.com -> enlight.com redirections (the phpBB board would need to have its configuration changed to generate emails containing enlight.com links instead of www.enlight.com ones)
I also noted you are using nginx v1.14.1 as a load-balancer. It would be best to:
  1. Automatically update nginx to latest stable (currently v1.14.2)
  2. Hide nginx version (server_tokens configuration directive)
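As an added example (not from the thread, and not Enlight's actual configuration), an nginx layout that implements the points above: redirect every plaintext request to HTTPS on the apex domain, collapse www.enlight.com onto enlight.com, and hide the version with server_tokens. It also sends an HSTS header, which the post does not mention; the certificate paths, the upstream name and the backend address are placeholders.

```nginx
# Added example, not the site's real configuration.
# Placeholders: certificate paths, upstream name and backend address.

# Hide the nginx version in the Server header and on error pages
# (http-level directive, applies to every server block below).
server_tokens off;

upstream phpbb_backend {
    server 127.0.0.1:8080;   # placeholder: where phpBB actually listens
}

# 1. Any plaintext request, whatever Host it carries, is answered with a
#    redirect to HTTPS on the canonical domain. Nothing is served over HTTP,
#    so a login form can never be submitted in cleartext.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name enlight.com www.enlight.com;
    return 301 https://enlight.com$request_uri;
}

# 2. www.enlight.com over HTTPS is redirected onto the apex domain.
#    The certificate must cover both names for this redirect to be trusted.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.enlight.com;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder
    return 301 https://enlight.com$request_uri;
}

# 3. The only server block that proxies to the forum.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name enlight.com;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder

    # Browsers that have seen this header refuse plaintext for the host,
    # so even a stale http:// bookmark is upgraded client-side.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://phpbb_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;  # lets phpBB build https:// links
    }
}
```

After reloading, `curl -sI http://www.enlight.com/` and `curl -sI https://www.enlight.com/` should both answer 301 with a Location on https://enlight.com/, and the Server header should read just `nginx`.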
David
Community and Marketing Manager at Enlight
Posts: 10442
Joined: Sat Jul 03, 2010 1:42 pm
Has thanked: 78 times
Been thanked: 229 times

Re: Forum version + Web server consideration

Post by David »

Thanks for the info and suggestions. We will look into it.
williammgary1
Level 3 user
Posts: 91
Joined: Mon Apr 16, 2018 10:07 pm

Re: Forum version + Web server considerations

Post by williammgary1 »

Berbe wrote: Mon Jan 07, 2019 5:56 pm By the way, I see the website & forum are serving pages with the 2 following domains: with the following protocols:
  • HTTP
  • HTTPS
What I noticed is it seems the website redirects HTTP -> HTTPS while keeping the requested domain.
The forum does not do such a redirection.

It is especially worrying that the forum does not perform an immediate HTTP -> HTTPS redirection, as credentials can then be transmitted over a cleartext (i.e. unencrypted) channel.

I would suggest the following:
  1. Make HTTP -> HTTPS redirection mandatory
  2. Restrict the served domain to enlight.com and perform www.enlight.com -> enlight.com redirections (the phpBB board would need to have its configuration changed to generate emails containing enlight.com links instead of www.enlight.com ones)
I also noted you are using nginx v1.14.1 as a load-balancer. It would be best to:
  1. Automatically update nginx to latest stable (currently v1.14.2)
  2. Hide nginx version (server_tokens configuration directive)
Might actually explain how my Disqus account got used even though I use Steam to log in.