Register Members List Search Today's Posts Mark Forums Read

Reply
 
Mod Options
IMG Cacher - SSL Keeper - Mixed Content Block Solution Details »
IMG Cacher - SSL Keeper - Mixed Content Block Solution
Mod Version: 2.2, by MegaManSec (Member) MegaManSec is offline
Developer Last Online: Dec 2016 I like it Show Printable Version Email this Page

vB Version: 4.1.x Rating: (10 votes - 5.00 average) Installs: 96
Released: 20 Sep 2012 Last Update: 30 Oct 2013 Downloads: 492
Not Supported Uses Plugins Template Edits Additional Files Re-usable Code Translations External Content  

Pretty much you use this when you want to keep the SSL certificete working on pages that people may use [IMG] tag's without https://.

When you use SSL on your forum, and somebody embeds an image from a non-ssl host, lots of browsers will give you a warning and say the website is unsafe ---this is a solution to that problem.

Specifically, Mozilla has a 'Mixed Content Blocker', which makes it so if you are on an https:// website, it won't load any content on the same domain, using http://.



NOTE: MAKE SURE THE .HTACCESS FILE IN cache-img/ IS WORKING!



Upload the files into your root directory, and that's it.

Then you need to create a plugin (admincp -> plugins & products -> add new plugin)
Hook location: bbcode_img_match
Title: SSL IMG Cacher
Execution order: 5
Plugin PHP Code:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Plugin is active: Yes


edit "[LINK_TO_YOUR_WEBSITE]" - Without http, example: www.dragonbyte-tech.com or www.internot.info etc. etc.

Then you are done.

It should be secure as the actual directory for the images is not available.(deny from all in htaccess)


I would also suggest adding this to robots.txt

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Also I suggest you add something like this to .htaccess:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

======
I only give support to people who have pressed 'installed' this.
======


Source&stuff can be found here: https://github.com/MegaManSec/IMG

For vB3.8 solution, go here: http://www.vbulletin.org/forum/showt...75#post2411575 (Thanks to Kh99)

Download Now

Only licensed members can download files, Click Here for more information.

Show Your Support

  • To receive notifications regarding updates -> Click to Mark as Installed.
  • This modification may not be copied, reproduced or published elsewhere without author's permission.
  #61  
Old 23 Oct 2017, 19:52
djbaxter djbaxter is offline
 
Join Date: Aug 2006
Location: Ottawa, Canada
Start by trying to determine what is causing the mixed content flags: It may be scripts or advertising (including AdSense) as well as images. Test your site here:

Why No Padlock? - Why is my SSL web page insecure? Find the culprit!

SSL-check: crawl your HTTPS website and find unsecure content

Website Scanner

Address any errors you see there. Sometimes, just replacing http:// with simply // will do the trick in scripts and plugins.

Also, even if it's only images, you won't see an immediate result. You'll need to allow some time to scan all your images - and that may take a while if you have a lot of them.

Are you seeing any entries in the cache-img folder?
Reply With Quote
  #62  
Old 23 Oct 2017, 19:56
BGObsession's Avatar
BGObsession BGObsession is offline
 
Join Date: Apr 2009
I'll take a look at those resources.

No - I'm not seeing anything in the cache-img folder except for the .htaccess file so far...
Reply With Quote
  #63  
Old 23 Oct 2017, 19:56
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
That's because you still have a lot of resources that are served over HTTP, things that this plugin doesn't take care of.

Example:
Mixed Content: The page at 'https://www.bgobsession.com/content.php/1079-Blognostications-Week-7-Redskins-at-Eagles-Edition' was loaded over HTTPS, but requested an insecure image 'http://bgobsession.com/images/smilies/smile.png'. This content should also be served over HTTPS.

Mixed Content: The page at 'https://www.bgobsession.com/forum.php?home=1' was loaded over HTTPS, but requested an insecure image 'http://bgobsession.com/images/icons/icon1.png'.

In the AdminCP under Styles & Templates, create a replacement rule of:
http://www.bgobsession.com to https://www.bgobsession.com
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #64  
Old 23 Oct 2017, 20:01
BGObsession's Avatar
BGObsession BGObsession is offline
 
Join Date: Apr 2009
So - ran my site's homepage on the first tool. Here's what I get... So why would I still be getting the mixed content warning?
Attached Images
File Type: jpg scanresults.jpg (50.7 KB, 50 views)
Reply With Quote
  #65  
Old 23 Oct 2017, 20:14
BGObsession's Avatar
BGObsession BGObsession is offline
 
Join Date: Apr 2009
The replacement variable addition fixed a lot of it - thanks so much dj (should've thought of that myself!).

Have a few image links that are still showing up insecure on my forums page.

Total number of items: 133
Number of insecure items: 2
Insecure URL: http://bgobsession.com/images/icons/icon1.png
Found in: https://www.bgobsession.com/forum.php?home=1

Insecure URL: http://bgobsession.com/images/icons/icon4.png
Found in: https://www.bgobsession.com/forum.php?home=1

Not to be dense, but where do I change the image urls for forum page icons?
Reply With Quote
  #66  
Old 23 Oct 2017, 20:16
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
Try making another replacement rule of:
http://bgobsession.com to https://www.bgobsession.com
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #67  
Old 23 Oct 2017, 20:26
BGObsession's Avatar
BGObsession BGObsession is offline
 
Join Date: Apr 2009
That did it - thanks so much!
Reply With Quote
  #68  
Old 22 Jan 2018, 14:42
Dave-ahfb Dave-ahfb is offline
 
Join Date: Apr 2002
I am having issues with the fulls size image going 404 while the thumbnail works fine.

An example may be viewed at https://www.websleuths.com/forums/sh...mage-not-found

-or-



Of course the thumbnail calls the image as an attachment, the 404'd full size image is called from
Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

My plugin is active using hook bbcode_img_match and is 5th in execution, the plugin code is

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Any ideas?
__________________
ahfb2000.com - HTML - Web Hosting Directory - Webmaster Tools - Webmaster Books
Domain Names - PHP Scripts - Over 4000 5000 6000 ... 13,000 member strong Webmaster Forums
Reply With Quote
  #69  
Old 22 Jan 2018, 16:00
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
[www.websleuths.com] should be changed to www.websleuths.com in the hook PHP code.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #70  
Old 22 Jan 2018, 16:08
Dave-ahfb Dave-ahfb is offline
 
Join Date: Apr 2002
Thank you.
__________________
ahfb2000.com - HTML - Web Hosting Directory - Webmaster Tools - Webmaster Books
Domain Names - PHP Scripts - Over 4000 5000 6000 ... 13,000 member strong Webmaster Forums
Reply With Quote
  #71  
Old 01 Mar 2018, 07:02
final kaoss final kaoss is offline
 
Join Date: Apr 2006
Thanks, I've added it to my new article which helps to prevent mixed content issues.
https://www.vbulletin.org/forum/showthread.php?t=326118
Reply With Quote
  #72  
Old 14 May 2018, 23:54
therother therother is offline
 
Join Date: Oct 2006
I've been using bridge2heyday's plugin with this mod. It seems to work great for most things. But I've been noticing a significant slow down on older threads where the images are now longer available, on either http or https. So particularly image heavy threads can take upwards of ten minutes to load.

I've been identifying image sites that can be autoupdated from http to https (eg imgur and imageshack), which has alleviated some of the issue, but is there a more robust solution?
Reply With Quote
  #73  
Old 03 Jul 2018, 10:28
rekha rekha is offline
 
Join Date: Jan 2012
nice mod
Reply With Quote
  #74  
Old 10 Oct 2018, 08:48
NeoDio NeoDio is offline
 
Join Date: Jan 2011
Originally Posted by hakkuo23 View Post
Here is a version that just displays the image, and doesn't save it, to save server space


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.
I'm confused as to where this goes. It looks like it's supposed to replace the code inside the function getimg($url) but wouldn't that make it stop working since it's not using the curl_init($url) anymore? Also is that HeaderCallback function supposed to go inside the getimg function as well?
Reply With Quote
  #75  
Old 08 Aug 2019, 05:52
richTV richTV is offline
 
Join Date: Aug 2006
anyone try this on vB3 ?

I'm using vb3.8.7 Patch Level 2
__________________
currently using vB3.8.7
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Mod Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 18:29.

Layout Options | Width: Wide Color: