- Joined
- May 18, 2013
- Messages
- 852
- Reaction score
- 323
Hey guys!
So, this is going to be a simple, yet also advanced tutorial for improving the backend security of your self-hosted WarZ Server. So, as a recap, WarZ works something a little like this:
The WarZ Launcher, client, and server uses Chilkat for HTTP & HTTPS Requests. These requests hit the API on the server hosting your WarZ instance. The API consists of PHP & ASP.NET. The API then makes requests to the MSSQL Server to update any stored information.
This tutorial will be specifically on how to improve, but not perfect the security and protocols used for the backend and API. A lot of the "veterans" on here will be laughing, because it really is a no-brainer, however after digging through even some more recent source codes, I'm finding that people are still using outdated API stuff.
I'm personally using a copy of the source code from early 2013, before the group system was implemented, so your mileage may vary depending on source codes. This assumes you already have a WarZ Server setup for 5.3.28. If not, the process is still the same. You'll still need to install PHP manager for IIS, as well as enabling fastCGI, and adding the correct MIME types.
First, we're going to go into updating PHP. The version of PHP *most* people are using for their WarZ servers is PHP 5.3.28. Php 5.3.X in general went EOL (end of life) in 2014, with the release of PHP 5.3.29. The newest version out is currently 8.2.12, I personally found that none of the language used in the PHP files for WarZ was deprecated going to 8.2.12, which is very lucky.
With Microsoft pulling the plug on the Web Platform Installer, it's slightly more difficult to get PHP installed, but it's not bad at all. Start with downloading PHP for windows:
Next, you'll need to both register, and change the current version of PHP.
![1699473072317 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums](data:image/svg+xml;charset=utf-8,%3Csvg xmlns%3D'http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg' width='1372' height='722' viewBox%3D'0 0 1372 722'%2F%3E "1699473072317 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums")
Next, you'll need to download and enable the correct PHP to MSSQL extension. -
You can now select the "enable or disable an extension" within PHP manager. Since I did the "NTS" version of PHP, I used the NTS version of the extension:
![1699473303229 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums](data:image/svg+xml;charset=utf-8,%3Csvg xmlns%3D'http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg' width='2316' height='655' viewBox%3D'0 0 2316 655'%2F%3E "1699473303229 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums")
I then rebooted the Web Site within IIS, as well as moving the previous PHP 5.3 folder to verify it was indeed running on PHP 8.2.12. If you set everything up correctly, you should be able to click "check phpinfo" on IIS manager, and see the following information:
![1699473427212 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums](data:image/svg+xml;charset=utf-8,%3Csvg xmlns%3D'http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg' width='939' height='101' viewBox%3D'0 0 939 101'%2F%3E "1699473427212 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums")
![1699473471848 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums](data:image/svg+xml;charset=utf-8,%3Csvg xmlns%3D'http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg' width='981' height='605' viewBox%3D'0 0 981 605'%2F%3E "1699473471848 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums")
Now, try logging into your WarZ Client, and make sure that everything is working as intended, as well as checking the supervisor server logs to make sure loot is still spawning.
Now, for Chilkat. This is way, way, way more important than people think. It appears that the version of Chilkat shipped with most WarZ Source codes do NOT support TLS. It DOES support SSL, but I was unable to get TLS working.
You'll want to download the latest version of chilkat c++ from their site. They include a 30 day trial, although I'm currently unsure how the license is enforced, and as far as I can tell, you can probably just change the license and recompile every month:
Next, backup the current version of chilkat that you're running. I usually just rename it to ChilkatOLD. The directory is usually: C:\WarZ\src\External
![1699473786800 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums](data:image/svg+xml;charset=utf-8,%3Csvg xmlns%3D'http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg' width='515' height='43' viewBox%3D'0 0 515 43'%2F%3E "1699473786800 - [Tutorial] Improving Backend / API Security (Part 1?) - RaGEZONE Forums")
Obviously extract the new Chilkat library into a folder called "Chilkat" (lol)
Some things are deprecated to the new version of chilkat, although I haven't had any issues with just commenting out the lines in RSUpdate.sln
to:
Now, in RSUpdate.sln, WarZ.sln, and WarZ_Server.sln, you'll want to change the Chilkat Arktos license to something else, example:
to something like:
Now, obviously if you're going through the work to do this, you'll want to enable SSL / HTTPS for everything. This involves changing all the URLS to https, enabling SSL where it's called for, and changing from port 80 to port 443 in the source code. You'll need to setup an SSL Cert on IIS on the WarZ Server, or alternatively, you could use something like CloudFlares DNS, which will automatically give you an SSL certificate, and you can do cool things like enabling TLS 1.3 and enabling it as the mimimum version. I wont show how to do this, because it's been plenty documented elsewhere, I'm sure it'll look familiar:
I also *highly* recommend updating your version of Windows Server, and MSSQL. I'm currently running Windows Server 2022, as well as MSSQL 2022 Express. Most people here are running MSSQL 2012, or MSSQL 2016. MSSQL 2012 hit EOL in 2022, and 2016 hits EOL in 2024. I just updated because it adds to peace of mind, and offers better features and performance.
Some other tips would be to block port 80 for your warz server, and force all traffic through port 443. The next thing is to upgrade the version of ASP.NET used for the API, although I do not believe this is *totally* necessary.
So, this is going to be a simple, yet also advanced tutorial for improving the backend security of your self-hosted WarZ Server. So, as a recap, WarZ works something a little like this:
The WarZ Launcher, client, and server uses Chilkat for HTTP & HTTPS Requests. These requests hit the API on the server hosting your WarZ instance. The API consists of PHP & ASP.NET. The API then makes requests to the MSSQL Server to update any stored information.
This tutorial will be specifically on how to improve, but not perfect the security and protocols used for the backend and API. A lot of the "veterans" on here will be laughing, because it really is a no-brainer, however after digging through even some more recent source codes, I'm finding that people are still using outdated API stuff.
I'm personally using a copy of the source code from early 2013, before the group system was implemented, so your mileage may vary depending on source codes. This assumes you already have a WarZ Server setup for 5.3.28. If not, the process is still the same. You'll still need to install PHP manager for IIS, as well as enabling fastCGI, and adding the correct MIME types.
First, we're going to go into updating PHP. The version of PHP *most* people are using for their WarZ servers is PHP 5.3.28. Php 5.3.X in general went EOL (end of life) in 2014, with the release of PHP 5.3.29. The newest version out is currently 8.2.12, I personally found that none of the language used in the PHP files for WarZ was deprecated going to 8.2.12, which is very lucky.
With Microsoft pulling the plug on the Web Platform Installer, it's slightly more difficult to get PHP installed, but it's not bad at all. Start with downloading PHP for windows:
You must be registered to see links
. I did the "NTS" (non-thread safe) but you can choose your preference. To match a similar environment setup as my old PHP 5.3.28, i went ahead and extracted the files into: C:\Program Files (x86)\PHP\v8.2Next, you'll need to both register, and change the current version of PHP.
Next, you'll need to download and enable the correct PHP to MSSQL extension. -
You must be registered to see links
, I extracted the files into the "ext" folder within the PHP directory.You can now select the "enable or disable an extension" within PHP manager. Since I did the "NTS" version of PHP, I used the NTS version of the extension:
I then rebooted the Web Site within IIS, as well as moving the previous PHP 5.3 folder to verify it was indeed running on PHP 8.2.12. If you set everything up correctly, you should be able to click "check phpinfo" on IIS manager, and see the following information:
Now, try logging into your WarZ Client, and make sure that everything is working as intended, as well as checking the supervisor server logs to make sure loot is still spawning.
Now, for Chilkat. This is way, way, way more important than people think. It appears that the version of Chilkat shipped with most WarZ Source codes do NOT support TLS. It DOES support SSL, but I was unable to get TLS working.
You'll want to download the latest version of chilkat c++ from their site. They include a 30 day trial, although I'm currently unsure how the license is enforced, and as far as I can tell, you can probably just change the license and recompile every month:
You must be registered to see links
Next, backup the current version of chilkat that you're running. I usually just rename it to ChilkatOLD. The directory is usually: C:\WarZ\src\External
Obviously extract the new Chilkat library into a folder called "Chilkat" (lol)
Some things are deprecated to the new version of chilkat, although I haven't had any issues with just commenting out the lines in RSUpdate.sln
C++:
http_.put_UseBgThread(false);
http_.put_KeepEventLog(false);to:
C++:
//http_.put_UseBgThread(false); //deprecated / changed with newer Chilkat
//http_.put_KeepEventLog(false); //deprecated / changed with newer ChilkatNow, in RSUpdate.sln, WarZ.sln, and WarZ_Server.sln, you'll want to change the Chilkat Arktos license to something else, example:
C++:
success = http.UnlockComponent("ARKTOSHttp_decCLPWFQXmU");to something like:
C++:
success = http.UnlockComponent("RageZoneTutorial"); //ARKTOSHttp_decCLPWFQXmU old chilkat licenseNow, obviously if you're going through the work to do this, you'll want to enable SSL / HTTPS for everything. This involves changing all the URLS to https, enabling SSL where it's called for, and changing from port 80 to port 443 in the source code. You'll need to setup an SSL Cert on IIS on the WarZ Server, or alternatively, you could use something like CloudFlares DNS, which will automatically give you an SSL certificate, and you can do cool things like enabling TLS 1.3 and enabling it as the mimimum version. I wont show how to do this, because it's been plenty documented elsewhere, I'm sure it'll look familiar:
C++:
const char* gDomainIP = "xxxxxxxxxxxxxxxxx";
const char* gDomainBaseUrl= "/api/";
int gDomainPort = 443;
bool gDomainUseSSL = true;I also *highly* recommend updating your version of Windows Server, and MSSQL. I'm currently running Windows Server 2022, as well as MSSQL 2022 Express. Most people here are running MSSQL 2012, or MSSQL 2016. MSSQL 2012 hit EOL in 2022, and 2016 hits EOL in 2024. I just updated because it adds to peace of mind, and offers better features and performance.
Some other tips would be to block port 80 for your warz server, and force all traffic through port 443. The next thing is to upgrade the version of ASP.NET used for the API, although I do not believe this is *totally* necessary.
Last edited:
