• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.
How To Implement SSL To Secure HTTP Traffic (HTTPS)

How To Implement SSL To Secure HTTP Traffic (HTTPS)

craigiri

Well-known member
#63
Going to soon move my WP/XF site to https.

Here is my question - I already did one of my other WP sites and it was really each because there are two plug-ins for WP that do all the work.

But my main site has WP as the main blog - and the Xenforo as the forums under a "talk" directory.

So my question concerns the .htaccess instructions, etc. in this guide...since it is likely the WP plug-in modify the (root directory) htaccess file already.

Can I put the Xenforo Apache directives into the /talk access file? Or should I add them to the main root directory htaccess in addition to those put there by the WP plug ins?

Again, the site layout is WP in the root - with XF all installed under /talk.

Thanks for any answers in advance. I am confident of buying the SSL, installing it and doing the WP part of it....but I don't want to screw up the forum too bad....
 
#64
Thanks for this guide @Brogan , I moved us over to https on Friday - https://www.onefootballforum.co.uk/index.php

Only issue we've had since then is some users are reporting that they are being automatically logged out on occasion since the switch.

Some have solved the issue by clearing their cache and updating their bookmarks to https - others are saying this hasn't fixed it (though I can't verify).

Any ideas? Or will this definitely be a end user issue with bookmarks/caching?

Thanks,
 

Martok

Well-known member
#66
Thanks for this guide @Brogan , I moved us over to https on Friday - https://www.onefootballforum.co.uk/index.php

Only issue we've had since then is some users are reporting that they are being automatically logged out on occasion since the switch.

Some have solved the issue by clearing their cache and updating their bookmarks to https - others are saying this hasn't fixed it (though I can't verify).

Any ideas? Or will this definitely be a end user issue with bookmarks/caching?

Thanks,
You haven't fully sorted out redirecting http to https. Whilst http://www.onefootballforum.co.uk goes to https://www.onefootballforum.co.uk/index.php, http://www.onefootballforum.co.uk/index.php does not redirect to the https version
 
#70
We have enabled full friendly URL's along with mod_rewrite and AllowOverride - i fear it's our .htaccess-- and setup with Sucuri firewall that's causing the issue.

Here's our .htaccess--

Code:
#Force www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^onefootballforum.co.uk [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ https://www.onefootballforum.co.uk/$1 [L,R=301,NC]

#Sucuri firewall bypass prevention rules
<FilesMatch ".*">
    Order deny,allow
    Deny from all
    Allow from 192.88.134.0/23
    Allow from 185.93.228.0/22
    Allow from 2a02:fe80::/29
    Allow from 66.248.200.0/22
</FilesMatch>

#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /Xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 
RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^.*$ - [NC,L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>

<IfModule mod_deflate.c>
  # Compress HTML, CSS, JavaScript, Text, XML and fonts
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Remove browser bugs (only needed for really old browsers)
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>

<ifModule mod_expires.c>
     ExpiresActive On
     ############################################
     ## Add default Expires header
     ## http://developer.yahoo.com/performance/rules.html#expires
     <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
     ExpiresDefault "access plus 1 year"
     </FilesMatch>
     </ifModule>

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php54” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php54 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
Can anybody help to shed some light?
 
#71
To re-open the board to make it half operational, I've had to reverse the change and disable Full Friendly URLs for now as we've not been able to get .htaccess-- to play ball despite the best efforts gratefully received of M@rc. It's getting late here tonight but will look to tackle this again tomorrow- will to pay for anyone who can offer assistance.

Thanks!
 

MrC

Active member
#72
Hi Brogan,

Thank you very much for the guide. I have a problem when using this command:

UPDATE xf_post SET message = REPLACE(message,'http://xenforo.com/','https://xenforo.com/');

Not all the links are updated to https. Although, if I click Edit a post with http links, the links would show correctly as https. Do I have to flush cache or rebuild threads (I tried rebuilding threads, it did not work)?

Thank you :)
 

Chad

Active member
#74
I still have this issue where going to www.talkjesus.com does not automatically redirect to https://www.talkjesus.com despite following guidelines. I've tried so man variations of the .htaccess and still can't figure it out.

Current .htaccess

Code:
RewriteEngine On

RewriteCond %{HTTP_HOST} ^talkjesus.com[nc]
RewriteRule ^(.*)$ http://www.talkjesus.com/$1 [r=301,nc]

# Mod_security can interfere with uploading of content such as attachments. If you
# cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
# SecFilterEngine Off
# SecFilterScanPOST Off
#</IfModule>

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>
## EXPIRES CACHING ##

Header unset Pragma
FileETag None
Header unset ETag

<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
RewriteEngine On

# If you are having problems with the rewrite rules, remove the "#" from the
# line that begins "RewriteBase" below. You will also have to change the path
# of the rewrite to reflect the path to your XenForo installation.
#RewriteBase /

# This line may be needed to enable WebDAV editing with PHP as a CGI.
#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^.*$ - [NC,L]

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^.*$ index.php [NC,L]
</IfModule>

<Files 403.shtml>
order allow,deny
allow from all
</Files>
Board URL & Homepage URL both set to https://www.talkjesus.com in XF options.

"Use Full Friendly URLs" enabled.
 

Chad

Active member
#75
I still have access to http://www.talkjesus.com/ which doesn't redirect to the https version. That's bad for rankings because google would assume that it's duplicate content.

https://ahrefs.com/blog/ssl/
I really need help here. This is absolutely frustrating. I do not have this issue on a WP install on the very same server, but only with XF software. I disabled Cloudflare as well for now and cleared cache. Still, the issue is talkjesus.com or www.talkjesus.com does not automatically redirect to https://www.talkjesus.com like it should.

Top of my httaccess:

Code:
RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I also tried

Code:
RewriteCond %{HTTP_HOST} ^talkjesus.com[nc]
RewriteRule ^(.*)$ http://www.talkjesus.com/$1 [r=301,nc]
Also ran tests:
https://www.whynopadlock.com/check.php
All 81 items called securely!
Domain Name: www.talkjesus.com
URL Tested: https://www.talkjesus.com
Number of items downloaded on page: 81

Again, the issue is the redirects.