How To Implement SSL To Secure HTTP Traffic (HTTPS)

[Paul B]

Brogan submitted a new resource:

How To Implement SSL To Secure HTTP Traffic (HTTPS) - Switch your forum to HTTPS

This guide should hopefully explain all of the steps required to switch an XF installation from using HTTP to HTTPS.
So for example, instead of the site URL being http://xenforo.com/community/ it will be https://xenforo.com/community/.


What is HTTPS?
Essentially, HTTPS is a secure version of HTTP and while it isn't necessarily required for forums, there is a general push towards that direction due to...

Read more about this resource...

 

[Paul B]

If anyone has anything useful to add, in the form of additional steps, details, links, guides, etc. let me know and I'll update the resource.

 

[Sunka]

Nice one Brogan.

Just one tip so people would not be confused like me 5 minutes ago. I am using NGINX with @eva2000 Centmin mod.

In phpinfo.php variable $_SERVER['HTTPS'] is set to OFF, but my forum and all on server is on https.

I also tried to add $_SERVER['HTTPS'] = 'on'; in my library/config.php file of XenForo forum, but still no luck.

I google for it and found this solution:

A typical Nginx setup uses fastcgi_pass directives to pass the request to the PHP-FPM daemon. If you would be running an Apache setup, Apache would automatically set the HTTPS server variable, that PHP code can check via $_SERVER['HTTPS'] to determine if the request is HTTP or HTTPs.

In fact, that's how most CMS's (WordPress, Drupal, ...) determine the server environment. They'll also use it for redirects from HTTP-to-HTTPs or vica versa, depending on the config. So the existence of the $_SERVER['HTTPS'] variable is pretty crucial.

Nginx doesn't pass the variable by default to the PHP-FPM daemon when you use fastcgi_pass, but it is easily added.

A basic example in Nginx looks like this.

include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_index  index.php;
fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

# Check if the PHP source file exists (prevents the cgi.fix_pathinfo=1 exploits)
if (-f $request_filename) {
    fastcgi_pass   backend_php; # This backend is defined elsewhere in your Nginx configs
}

The example above is a classic one, that just passes all to PHP. In order to make PHP-FPM aware of your HTTPs setup, you need to add a fastcgi_param environment variable to the config.

include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_index  index.php;
fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

# Make PHP-FPM aware that this vhost is HTTPs enabled
fastcgi_param  HTTPS 'on';

# Check if the PHP source file exists (prevents the cgi.fix_pathinfo=1 exploits)
if (-f $request_filename) {
    fastcgi_pass   backend_php; # This backend is defined elsewhere in your Nginx configs
}

The solution is in the fastcgi_param HTTPS 'on'; line, which passes the HTTPS variable to the PHP-FPM daemon.

@eva2000 said to me:

But that is already done in Centmin Mod Nginx / php-fpm via 2 variables in /usr/local/nginx/conf/php.conf

fastcgi_param  HTTPS              $https if_not_empty;

and

fastcgi_param HTTPS $server_https;

with nginx.conf include file

include /usr/local/nginx/conf/fastcgi_param_https_map.conf;

contents

# auto detect and enable fastcgi_param HTTPS $server_http
# for PHP behind SSL https

map $scheme $server_https {
        default off;
        https on;
}

And final words from @eva2000 that make clear my mind

it only shows as on in phpinfo if you access phpinfo url from https otherwise if you access via non-https it shows off

 

[Paul B]

Thanks @Sunka, that's useful information and why I didn't go into detail regarding server config, as it depends on the specific set up.

 

[silence]

Maybe mention the required ciphers for HTTP/2, since that can be confusing.

 

[Robust]

For HTTP->HTTPS redirects with nginx you should set up a new virtual host. You can add this to your existing config for your server virtual host:

server {
            listen 80;
            server_name example.com www.example.com;
            return 301 https://www.example.com$request_uri;
}

To set up your HTTPS nginx server, you want to add this to your server block:

ssl on;
ssl_certificate /path/to/certificate-bundle.crt;
ssl_certificate_key /path/to/certificate-key.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;

# Optionally, if your certificate supports stapling, you can include the next 4 lines.

resolver 127.0.0.1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/certificate-bundle.crt;

You can find a list of ciphers here: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 - I've used the intermediate ones by default, and recommend those.

You should edit the paths to suit your config.

Change the listen to:

listen 443 ssl http2;

If you want a HTTPS -> HTTPS non-www to www redirect, as well:

server {
        listen 443 ssl http2;
        server_name example.com;

        access_log off;
        log_not_found off;

        ssl_certificate /path/to/certificate-bundle.crt;
        ssl_certificate_key /path/to/certificate-key.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
        return 301 https://www.example.com$request_uri;
}

I guess this is server-side config, so it may be useful optionally for anyone that browses the thread and needs further assistance with a nginx setup.

Disclaimer: This does not constitute a setup for nginx with XenForo, only a generic configuration of SSL with a nginx virtual host. This is not a replacement for tailored advice by a qualified sysadmin.

 

[Paul B]

As the guide evolves, I'll add updates with more specific, detailed content regarding installing certs, implementing redirects, etc.

 

[OakleyForum]

Know a few years ago when this was first becoming popular most people saw a significant drop in adsense revenue - is this still true or have most advertisers switched over to https?

 

[BoostN]

Know a few years ago when this was first becoming popular most people saw a significant drop in adsense revenue - is this still true or have most advertisers switched over to https?

Bump on this.

I remember seeing this myself. Is this still the case?

 

[StarArmy]

Know a few years ago when this was first becoming popular most people saw a significant drop in adsense revenue - is this still true or have most advertisers switched over to https?

Word on the street is that this has vastly improved to the point of no longer having a measurable impact.

 

[OakleyForum]

Any tips on implementing with a CDN?

 

[Robust]

Any tips on implementing with a CDN?

What CDN are you using? How have you set up your CDN with XenForo? Is your CDN currently serving under http?

 

[OakleyForum]

KeyCDN, it's currently serving under http like the rest of my site, will be implementing SSL shortly.

 

[Ranger375]

I've made it to the Image Proxy step, but am unsure what I should add in the "Image and Link Proxy Secret Key,"box in the admin cp. Where would I find this information? I checked the linked Kier tutorial but I didn't see it as option in the 1.3 tutorial.

 

[Paul B]

Just make up a random string.

 

[Ranger375]

I'm not sure what is wrong. I installed the certs and went through the steps outlined in the tutorial, but am still getting the mixed content warning in the browser. Any idea what might be wrong?

 

[Paul B]

Use the browser inspector to check which elements on the page are insecure/being served over HTTP.

 

[Ranger375]

Use the browser inspector to check which elements on the page are insecure/being served over HTTP.

So I looked through that and couldn't find any images, only hyperlinks. On my home page and every thread I get the error, but I don't in profiles or new posts. I ran the inspector over the pages and even tried turning off all addons without any success...

Edit: Solved from this thread: https://xenforo.com/community/threads/mixed-content-https-problem.125308/

 

[eva2000]

As there are many Centmin Mod LEMP stack users using Xenforo here, I also added an official Centmin Mod guide for fresh Centmin Mod Nginx HTTP/2 based HTTPS vhost site creation with free Letsencrypt SSL certificates https://centminmod.com/letsencrypt-acmetool-https.html. This is an alternative to the guide for existing Centmin Mod Nginx HTTP uses wishing to migrate from HTTP to HTTPS at https://centminmod.com/migrating-to-https.html

 

[Robby]

Hi,

It works but when i go to domain.com and don't use https://www.domain.com is shows unsafe and warning mixed content.