how to use HTTPS with mybb

[andrewjs18]

it would be nice to have something in the documentation on how to use HTTPS with mybb.

I imagine we'd need to discuss these things:

• how to obtain a cert (let's encrypt seems the easiest)
• switching board URL from http to https
• proxying non-https resources using @Devilshakerz dvz secure content plugin https://community.mybb.com/mods.php?action=view&pid=450

[dvz]

This should also cover:

• TLS setup, cipher suites basics & recommendations (best if outsourced),
• securing the connection between reverse proxies and the forum server (if applicable),
• security headers mentioned in https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers,
• Subresource Integrity,
• DNSSEC,
• monitoring CSP violations with e.g. https://report-uri.io/,
• manual debugging and fixing insecure resources,
• overview of how DVZ Secure Content works and what to expect from it.

It should include some brief theory with links to verified sources for further reading and implementation instructions with examples. A link to the support section on the Community forums wouldn't hurt either, should any problems arise or somebody would like their setup to be verified.

[andrewjs18]

so better suited to be written by a developer, @Devilshakerz? :grimacing:

[JoshHarmon]

ciphers...

Mozilla: https://mozilla.github.io/server-side-tls/ssl-config-generator/ Cipherli.st: https://cipherli.st/

[andrewjs18]

some other useful resources that could be included... http header check: https://securityheaders.io/ http hardening tips: https://scotthelme.co.uk/hardening-your-http-response-headers/ obtaining let's encrypt certs with nginx & ubuntu 14.04: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 obtaining let's encrypt certs with apache & ubuntu 14.04: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04 SSL config testing tool: https://www.ssllabs.com/ssltest/

[dvz]

https://github.com/mybb/docs.mybb.com/commit/5d4d90b1ba24fdaf86efcfe6efaea32049415740

[JoshHarmon]

My thunder has been stolen! I'll find a way to work some of my more thorough detail into some of these sections at some point to make it a bit more comprehensive.

[dvz]

https://github.com/mybb/mybb/issues/2464 will have to be mentioned too once it's merged.

[andrewjs18]

I think this can probably be closed now, yes?

@Devilshakerz, @JoshHarmon

[dvz]

I've outsourced the certificate installation guide to Digicert and Namecheap pages but anyone can feel free to push/PR additional information if it's not mentioned on reputable websites.