A few Pre-Purchase Questions

[Apodictive]

Hi xenForo community. I will be building my first xenForo forum and I have a few pre-purchase questions that I would like to see if I can get some answers for. I searched here and on Google for the answers to most of my questions but there are a couple I either couldn't find exactly what I am looking for as far as an answer or found conflicting or incomplete information.

To make it easier here are my questions by number:

1. Is there anything special that needs to be done to install and setup xenForo onto a domain/website that will be https (Comodo PositiveSSL)?

2. The whole site will be using xenForo and I am wanting to have some kind of home page with maybe some kind of widgets, articles or something else and have the forums under the "Forums" tab. So, when I buy my license, do I list the main domain (www.example.com) or (www.example.com/forums) on the license?

3. Are there any special install instructions to install xenForo given the URL specs given above in question #3?

4. Are extras like xenForo resource manager able to be bought later (a couple months maybe) and added to my license?

5. Does it matter if this is not the main domain but an addon domain in a shared hosting & cPanel setup?


I have other questions about doing this with/on xenForo but I think those can wait till after the purchase.

If some of these questions sound kind of like basic (or dumb ) information, it's just because I have never installed or setup xenForo before, only other scripts like WordPress, myBB, php scripts, etc., so xenForo is new as far as the installation, setup and so on. I have been a mod on several xenForo forums but never an admin/owner.

Thanks in advance for any good information and/or help.

 

[lol768]

Quick answers:

1. Is there anything special that needs to be done to install and setup xenForo onto a domain/website that will be https (Comodo PositiveSSL)?

Assuming you're happy setting up the TLS yourself (that is, installing the certificate and configuring the webserver) or your host will do it for you, it should just work (XenForo checks $_SERVER['HTTPS']). You'll probably want to enable the image proxy (prevent mixed content). Why not use Let's Encrypt though, a Comodo cert is a waste of money if it's just another DV cert?

2. The whole site will be using xenForo and I am wanting to have some kind of home page with maybe some kind of widgets, articles or something else and have the forums under the "Forums" tab. So, when I buy my license, do I list the main domain (www.example.com) or (www.example.com/forums) on the license?

Pretty sure licenses are by domain, Looks like it just wants a URL - so give it the full URL (with /forums). I doubt they'll mind anyway as long as you're not using the license in more than one public place - it'll probably be obvious where the XenForo installation is.

3. Are there any special install instructions to install xenForo given the URL specs given above in question #3?

This is a recursive question

But, you could probably just throw the entire files to upload in a separate subdirectory. This is what I have working locally.

4. Are extras like xenForo resource manager able to be bought later (a couple months maybe) and added to my license?

Yes, you can purchase extras later from the customer portal.

5. Does it matter if this is not the main domain but an addon domain in a shared hosting & cPanel setup?

It shouldn't, I'm guessing cPanel just sets up the vHosts/server blocks (if nginx) behind the scenes for you.

 

[Apodictive]

Quick answers:

Thanks for your help, I appreciate it and for you giving me some of your time to help with some answers.

I know some of this must sound basic but this is a first for me so I just want to get it right.

Assuming you're happy setting up the TLS yourself (that is, installing the certificate and configuring the webserver) or your host will do it for you, it should just work (XenForo checks $_SERVER['HTTPS']). You'll probably want to enable the image proxy (prevent mixed content). Why not use Let's Encrypt though, a Comodo cert is a waste of money if it's just another DV cert?

This can be done by my host, so it's not a problem there. As far as "Let's Encript", I have heard very little about them so I don't know what exactly they are in comparison to other SSL's. I saw that this is what CloudFlare uses for their free SSL, but that's about the extent of my knowledge of them.

I was wanting the SSL to get the slight SEO boost and to add one more thing that Google prefers. Some people see the green HTTPS icon in their browser window and think it means a lot more than it sometimes does.

Pretty sure licenses are by domain

, Looks like it just wants a URL - so give it the full URL (with /forums). I doubt they'll mind anyway as long as you're not using the license in more than one public place - it'll probably be obvious where the XenForo installation is.

This one I was seeing conflicting information on the web about whether or not xenForo wants the exact location where the forums are or if they just wanted the main domain name. I just wanted to get it right and comply with the exact requirements for the license. XF will be on the main www.example.com url on down the line (no-subdomains) with the main forums at /forums so I wasn't sure exactly what they wanted.

But, you could probably just throw the entire files to upload in a separate subdirectory. This is what I have working locally.

I thought about that but the main index page will be XF also. Probably a page that uses some kind of widgetized layout or something like that. I have seen some addons here for that which happened to catch my eye.

Yes, you can purchase extras later from the customer portal.

Great, thanks. I wasn't sure about how that worked, especially when it comes time to renew licenses that were purchased at different times. Thanks for the info.

It shouldn't, I'm guessing cPanel just sets up the vHosts/server blocks (if nginx) behind the scenes for you.

I was wanting to use my XF install on a domain that was an addon domain because it makes it a little easier for me to move the site later this way if I need to. The main domain will only be a few pages at most with my XF site being the main domain being utilized.


Thanks again for your time and help. I just want to try to avoid any future issues and since this is new to me I will need to learn many things. I appreciate your help.

 

[lol768]

I know some of this must sound basic but this is a first for me so I just want to get it right.

Completely understandable

This can be done by my host, so it's not a problem there. As far as "Let's Encript", I have heard very little about them so I don't know what exactly they are in comparison to other SSL's. I saw that this is what CloudFlare uses for their free SSL, but that's about the extent of my knowledge of them.

Let's Encrypt is a non-profit initiative to provide free DV SSL certificates to anyone who asks (and can prove they own the domain), with the end goal of trying to make encryption accessible to everyone. It's supported by Mozilla, the EFF and a few others and just as secure (if not more secure due to renewal process) than the paid alternatives. Well worth a look if you want to save some money on that front.

I was wanting the SSL to get the slight SEO boost and to add one more thing that Google prefers. Some people see the green HTTPS icon in their browser window and think it means a lot more than it sometimes does.

Keep in mind that you're allowing users to register and as the site owner, they'll be sending passwords to you. Given how rampant password reuse is, SSL/TLS is so much more important than just improving SEO.

I thought about that but the main index page will be XF also. Probably a page that uses some kind of widgetized layout or something like that. I have seen some addons here for that which happened to catch my eye.

I've seen that done with XenPorta, am guessing there are probably a few others that'll also do it. Sounds like a pretty nice approach for the main homepage, anyway .

Best of luck with the site, you'll find the support here is pretty good if you do have any further questions.

 

[Apodictive]

First off, Thank you for all your help and your time. I really appreciate the fact that you are helping to answer some of the questions that I have. If I can ever be of any help in return I will be more than happy to do so.

Let's Encrypt is a non-profit initiative to provide free DV SSL certificates to anyone who asks (and can prove they own the domain), with the end goal of trying to make encryption accessible to everyone. It's supported by Mozilla, the EFF and a few others and just as secure (if not more secure due to renewal process) than the paid alternatives. Well worth a look if you want to save some money on that front.

Great information, thanks. I'll go check into that in a few minutes and see what it's all about. Good information to have.

P.S. Will using a Let's Encrypt SSL still show the green HTTPS lock, even when using CloudFlare? I know they offer it too but I didn't know if that would affect it if you get the LE SSL outside of CloudFlare. Does it make a difference if you get it outside CF or not, or is it just better to use/get the SSL through CF?

Keep in mind that you're allowing users to register and as the site owner, they'll be sending passwords to you. Given how rampant password reuse is, SSL/TLS is so much more important than just improving SEO.

Yes, that was another thing that was in mind besides the SEO benefits. I want all my members to feel secure knowing that my forum is encrypted.

I've seen that done with XenPorta, am guessing there are probably a few others that'll also do it. Sounds like a pretty nice approach for the main homepage, anyway .

Yeah, that's one that I have been looking at. I have been looking at some other XF forums with something like what I am looking for in the showcase section here and from a few others I have found on the web to get ideas as to what I am looking for. I have some ideas for the main index page but still checking some other XF sites to see if there is anything that jumps out at me.

Best of luck with the site, you'll find the support here is pretty good if you do have any further questions.

Thank you, for everything. I have heard that the support is the best, and that's one thing that has factored into my decision to buy XF to use on my forum.

 

[lol768]

P.S. Will using a Let's Encrypt SSL still show the green HTTPS lock, even when using CloudFlare? I know they offer it too but I didn't know if that would affect it if you get the LE SSL outside of CloudFlare. Does it make a difference if you get it outside CF or not, or is it just better to use/get the SSL through CF?

If you're going to use CloudFlare, they basically act as a man in the middle so you'll probably do both - use CloudFlare's TLS and also set up your own using Let's Encrypt. They offer two SSL/TLS modes, "full" and "flexible". Here's a quick diagram:



What you'll usually end up doing is setting up SSL/TLS as normal on your webserver (perhaps using Let's Encrypt or another certificate authority) and then using CloudFlare's "full" SSL option. It's named as such because both visitor-CF and CF-webserver is encrypted. This is the best practice approach and means that your site will still be accessible securely even if you move away from CloudFlare in the future. CloudFlare can then also verify the certificate is valid itself. The "flexible SSL" approach doesn't require you to set up HTTPS at all on your webserver and only the Visitor-CF connection is encrypted. This isn't great , it's misleading to visitors and you need to trust that there's nothing between your webserver and CloudFlare that would intercept traffic.

There's another approach you can use not documented above: CloudFlare can issue you a certificate themselves that *they* trust, but this won't work in a browser if you ever decide to move away from CloudFlare in the future.

To answer the question, yes - a Let's Encrypt cert is still trusted by the browser and you'll get a green lock:

 

[Apodictive]

If you're going to use CloudFlare, they basically act as a man in the middle so you'll probably do both - use CloudFlare's TLS and also set up your own using Let's Encrypt. They offer two SSL/TLS modes, "full" and "flexible". Here's a quick diagram:



What you'll usually end up doing is setting up SSL/TLS as normal on your webserver (perhaps using Let's Encrypt or another certificate authority) and then using CloudFlare's "full" SSL option. It's named as such because both visitor-CF and CF-webserver is encrypted. This is the best practice approach and means that your site will still be accessible securely even if you move away from CloudFlare in the future. CloudFlare can then also verify the certificate is valid itself. The "flexible SSL" approach doesn't require you to set up HTTPS at all on your webserver and only the Visitor-CF connection is encrypted. This isn't great , it's misleading to visitors and you need to trust that there's nothing between your webserver and CloudFlare that would intercept traffic.

There's another approach you can use not documented above: CloudFlare can issue you a certificate themselves that *they* trust, but this won't work in a browser if you ever decide to move away from CloudFlare in the future.

To answer the question, yes - a Let's Encrypt cert is still trusted by the browser and you'll get a green lock:

Thank you so much for going way out of your way to help me and to give such detailed and informative replies, I really appreciate all you have helped me with. I know some things seem basic, but till I learn more I'll probably have more of these kinds of informational needs.

As for the I have only had a couple of sites (both WP) with SSL's and I only knew a little about them, and nothing about how CF does things, so this helps me understand this other way of doing things.

I've also only been a mod/staff member of XF sites and never had anything to do with the setup/installation/configuration so I am having to learn lots of this on the fly. I have learned a lot from you and by reading lots and lots of threads here. Still lots of learning to go but I am getting there.

I bought my XF license late last night/very early this morning so now I just have to go and start getting everything all setup.

Thanks again for everything and if I can ever help you in any way, i'd be happy to do so.