• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Full SSL Support?

#1
I'm interested in buying XenForo, but i'm unsure about the SSL support. I've read that many people had big problems with SSL and XenForo because it is loading much content from other sites (javascript and so on). I had the same problem with IPB so i had always only partially encrypted ssl. So is it possible to encrypt my whole board with SSL, without having a "partially encrypted" SSL-Connection? I don't want only the ACP or Login encrypted, it should be the whole board. Is this possible with XenForo? How can i do this? Only with htacces? Or is there a configuration for this in the ACP? Is there a documentation for this when i buy it?

And yes, i've read all the SSL threads here already. It doesn't answer my questions. All people are talking various things about the ssl support. I want to know this before i buy it.
 

Marcus

Well-known member
#4
But this is just a beta version, or not? I would like to use a stable version with SSL.
Yes, 1.1 is only beta, but development speed is fast here. If you currently have a forum it might be worth waiting for 1.1 gold as it most likely imports your vb3 / ipb user settings with the official importer.

There are unofficial importers for other forum software, but currently they work with 1.0.x They will be updated to 1.1 but we don't know when
 
#6
I'm just wondering why this is not possible? Is this so hard to not to use external connections? I would like to have a board that goes with SSL "out-of-the-box", without setting up htaccess.
 

Shamil

Well-known member
#7
Honestly, I don't think anyone has tried this in practise yet.

Most software doesn't work out of the box without htaccess or some other mechanism to maintain SSL. From what I've tried out locally, XenForo under SSL works.
 

Marcus

Well-known member
#9
Home > Options > + Add Option > Basic Board Information > Board URL

Here set something like ://domain.com without http from what I remember.
 

robdog

Well-known member
#10
You would have to look at the external scripts that are included on the site. They would have to be included through SSL. Other than that, nothing else would be a problem.
 
#12
You would have to look at the external scripts that are included on the site. They would have to be included through SSL. Other than that, nothing else would be a problem.
Is there a tutorial for this when i buy the xenforo software? Because i think the normal user like me doesn't know how to include external scripts through ssl ...
 

Anthony Parsons

Well-known member
#15
Xenforo works out of the box with https, as my site uses complete https. You do have to add a simple .htaccess command to force it, that is the only thing required.

I'm sure XF could incorporate that option in the ACP without much difficulty, to automatically force https or not.

Just add: (mine is installed in folder /c/ with nothing at root)

RewriteCond %{SERVER_PORT} !443
RewriteCond %{REQUEST_URI} c

The options are all there to not use external sources, which doesn't affect the validity of extended certificates, being what is used on my site.

So XF is fully compatible with extended https. I have run this from 1.0.2 and it does nothing to server load with 4000+ daily traffic on a single core hybrid, RAID 10, 3Gb RAM.

Here is the server load of the above stats, XF with extended validation https and about 20 odd mods installed, flashcoms chat, so forth:

Screen shot 2011-12-19 at 6.45.55 PM.png
 

SneakyDave

Well-known member
#18
I've been able to get SSL working pretty well with Apache, but nginx seems to be a little messed up.

Using the SSL URL to my forum, it displays my xenforo installation correctly, but all the page links are generated as http:// even though I have my Board URL set to "//myxenforo.com/community".

Not sure what the issue is, but I suspect it's a XenForo thing because my Wordpress installation links are generated correctly. I'm just using a self signed certificate at the moment, but I wouldn't think that would have anything to do with it.

Viewing the HTML source, with nginx, the baseref reverts to http://, while the apache served pages are https://. Could it be an APC cache thing if the templates are stored as files?
 

SneakyDave

Well-known member
#20
thanks, missed that. But it doesn't appear to have solved my problem. I'll struggle with this nginx configuration a little bit more.

That was the problem. Typos don't fail me now.