Notes on Forum Setup with MyBB

This post is for putting down some random sites notes as I struggle through the process of setting up a forum hosted with MyBB.

mybb

Here is a very nice tutorial for running through the initial installation and setup,

In this tutorial, the necessary modules were installed and configured during the setup. We don’t have to follow this practice. A better way may be to configure all the necessary preparations beforehand, according to the MyBB doc.

nginx configuration

For the nginx configuration, the this gist is a minimal working example on my host to host the reverse proxy for both the MyBB and JupyterHub service.
- SSL setup
  
  We need to generate a key file and use that for generating an SSL certificate file. For most SSL certificate, we need to pay. In my case, I was using ORNL service located at here (which can only be accessed from within ORNL firewall).
LDAP authentication setup

To set up the LDAP authentication, we can use the MyBB LDAP Authentication plugin [1]. The setup within MyBB admin control panel can be found here. It should be pointed out that,
- This is for configuring against the ORNL LDAP server. For other servers, the configuration should be as simple as replacing those inputs with information relevant to a other specific servers.
- The protocol version does matter – typically, if we set it to 2, it won’t work, at least in my case for the configuration against the ORNL LDAP server (for which we have to set it to 3).
- However, the LDAP Protocol Version setting in the admin control panel above does not seem to be working properly. As a temporary solution, I just hard coded the setting in the {MyBB_Main_Directory}/inc/plugins/ file, which is attached here (refer to line 728-734).
- Also, it seems that the Connection Confidentiality setting in the admin control panel is not working properly either. Again, temporarily, the setting was hard coded into the attached file above.
- The attached file here is a minimal working example of using LDAP in PHP.
- The LDAP configuration file can be found at /etc/ldap/ldap.conf,
```
  BASE    dc=xcams,dc=ornl,dc=gov
  URI     ldaps://ldapx.ornl.gov

  TLS_CACERT      /etc/ssl/certs/ldapserver.pem

  SSL start_tls
  SSL on
  TLS_REQCERT allow
```
- In the MyBB LDAP configuration page (see the link above for a screenshot of the page), if we choose the SSL connection, we should notice the notes above the selection drop-down menu which states that if we do want to use the SSL connection, we need to save the LDAP server’s certificate to the trusted store properly. To do this, we need to,
  - First, obtain the certificate from the LDAP server
    
    To do this, we can use the following command,
    openssl s_client -showcerts -connect ldapx.ornl.gov:636 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.crt
    where ldapx.ornl.gov is the ORNL LDAP server in my case. This will save the LDAP server’s certificate to the local file named with ldapserver.crt. In practice, we could have multiple certificates in the same certificate file which gives the so-called PEM (i.e., Privacy Enhanced Mail) format.
  - Add the obtained certificate to the trusted store on the client side
    
    To add the certificate to the trusted store on the client side, we can do the following steps,
    - sudo cp /path/to/certificate.crt /usr/local/share/ca-certificates/certificate.crt
    - sudo update-ca-certificates
    Attention that we should replace /path/to/certificate.crt to whatever specific to our case.
Announcement Templates

There is a plugin for posting announcements on MyBB forum, at the top of the index landing page, and the official web site is Ref. [2]. With the plugin successfully installed, one can follow the route down below to edit the announcements for different groups of users.

AdminCP -> Templates & Style -> Templates -> Default Templates -> DNT Announcements Templates
Sometimes when installing some plugins, the installation may fail due to some internal errors. To make the error message printout more useful, we can change the level of error logging following the route below,

Configurations -> Settings -> Server and Optimization Options -> Error Logging Medium -> Log errors
Secure connection

Specifically concerning the secure connection requirement by ORNL, on top of the setting up of the SSL certificate to enable HTTPS connection, we also need to pass the security scanning. During the configuration process, we did come across multiple issues concerning the secure connection such as the HTST requirement was not met, the certificate being used not trusted, etc. The following link is my private (which is only visible to myself, if you do want to see it, please get in touch with Yuanpeng Zhang at zhangy3@ornl.gov) notes following the link below,

https://www.notion.so/iris2020/SSL-SMTP-Setup-37e94c2e004a40d7b2d16cf7d29515b5?pvs=4

The note is just a random collection of issues and the solutions, so it is not presented in an organized manner.

Domain name configuration

If we want to configure the MyBB forum to stay under a certian directory rather then the root directory, there are two aspects we need to configure as detailed here. For example, by default we have MyBB configured to be hosted at ‘https://my.domain.com’ and we want to change it to be hosted at ‘https://my.domain.com/forum’. To do this, first we need to change the nginx configuration, assuming we are using nginx for the reverse proxy and web host. The following snippet should be good to go in the server section,

  server {
      listen 80;
      server_name powder.ornl.gov;
      return 302 https://powder.ornl.gov/forum$request_uri;
  }

  server {
      large_client_header_buffers 4 16k;
      listen 443;

      ssl on;
      ssl_certificate     /home/cloud/Dev/SSL/powder.pem;
      ssl_certificate_key         /home/cloud/Dev/SSL/powder.key;

      server_name powder.ornl.gov;

      # root /usr/share/nginx/html;
      root /var/www/html;
      index index.html

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      add_header Strict-Transport-Security max-age=31536000;

      location /forum {
          index index.php index.html index.htm index.nginx-debian.html;
      }

      location /hub/ {
          proxy_pass http://127.0.0.1:8000;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # websocket headers
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
          proxy_set_header X-Scheme $scheme;

          proxy_buffering off;
      }

      location ~ \.php$ {
          include snippets/fastcgi-php.conf;
          fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
      }

      location ~ /\.ht {
          deny all;
      }

      # Managing requests to verify letsencrypt host
      location ~ /.well-known {
          allow all;
      }
  }

Then we need to change the settings in MyBB to adapt to the directory change. To do this, we need to go to the location where all the MyBB files are stored (e.g., /var/www/html/forum). Then we need to change the settings according to our specific domain name and directory name where we want to host the forum,

  ./inc/settings.php:$settings['bburl'] = "https://powder.ornl.gov/forum";
  ./inc/settings.php:$settings['cookiedomain'] = ".powder.ornl.gov";
  ./inc/settings.php:$settings['homeurl'] = "https://powder.ornl.gov/forum";

The settings in MyBB should be consistent with that in nignx considering the domain name and the directory, as is the case in the example above.

References

[1] https://community.mybb.com/mods.php?action=view&pid=1043

[2] https://community.mybb.com/mods.php?action=view&pid=659