How To Implement SSL To Secure HTTP Traffic (HTTPS)

I'm having a hard time here:

1. Using Let's Encrypt SSL
2. Updated config to add
Code:
$_SERVER['HTTPS'] = 'on';
3. Added to beginning of .htaccess

Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[^/]+/([0-9]+)-[^\.]+\.html$ /index.php?threads/$1/ [R=301,L]
RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

4. Updated board URL and homepage URL in admin options to https://www.talkjesus.com
5. Tried both enabled and disabled Image and Link Proxy option in admin.

Problem is https://www.talkjesus.com/ shows insecure page elements when viewing as guest. If logged in, it shows secured but "firefox has blocked parts of this page that are not secure" and icons do show fine.

The Font Awesome icons are the broken ones.

Admin access is secured 100% otherwise. Would appreciate help on fixing this.
 
Problem is https://www.talkjesus.com/ shows insecure page elements when viewing as guest.
It shows as secure to me as a guest.

This has been blocked though:
Code:
Mixed Content: The page at 'https://www.talkjesus.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://code.ionicframework.com/ionicons/2.0.1/css/ionicons.min.css'. This request has been blocked; the content must be served over HTTPS.
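Added example (not part of the thread): a static check for the kind of mixed content reported in the console message above, scanning a page's HTML for subresources that resolve to `http://` on an HTTPS page. The sample markup and the `.example` hosts are constructed; only the ionicons URL comes from the thread.

```javascript
// Added example: flag subresources an HTTPS page would request over plain HTTP.
// Active content (scripts, stylesheets, frames) is blocked by browsers; passive
// content (images, media) is typically loaded with a warning or upgraded.
const ACTIVE = new Map([['script', 'src'], ['iframe', 'src'], ['link', 'href']]);
const PASSIVE = new Map([['img', 'src'], ['audio', 'src'], ['video', 'src'], ['source', 'src']]);

// Constructed sample page; only the first URL is taken from the thread.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://code.ionicframework.com/ionicons/2.0.1/css/ionicons.min.css">
<link rel="stylesheet" href="/css.php?style=1">
<script src="//cdn.example/lib.js"></script>
<img src="http://img.example/banner.png">
<a href="http://other.example/">outbound link</a>`;

// Read one attribute value (double-quoted, single-quoted or bare) from a raw tag.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findMixedContent(html, pageUrl) {
  if (new URL(pageUrl).protocol !== 'https:') return []; // only an HTTPS page can be "mixed"
  const findings = [];
  for (const [tag, name] of html.matchAll(/<([a-z]+)\b[^>]*>/gi)) {
    const element = name.toLowerCase();
    const attrName = ACTIVE.get(element) ?? PASSIVE.get(element);
    if (!attrName) continue;                 // e.g. <a href> is navigation, not a subresource
    if (element === 'link' && !/stylesheet/i.test(attr(tag, 'rel') || '')) continue;
    const raw = attr(tag, attrName);
    if (!raw) continue;
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; } // skip unparsable values
    // Relative and protocol-relative URLs inherit https from the page and pass.
    if (url.protocol === 'http:') {
      findings.push({ element, url: url.href, active: ACTIVE.has(element) });
    }
  }
  return findings;
}
```

Run against saved page source for both the guest and the logged-in view, since the thread shows the two can differ.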
 
Thanks for the great guide, this afternoon I used it to move my site to https and it was easy to do with this. :)

BTW it looks like Liveleak have now gone https, so you may want to amend the description if that is indeed the case.
 
The browser inspector.

Press F12 then select the Console tab.

There is still one more resource being loaded over HTTP.

Ok I see this in the console

Code:
Load denied by X-Frame-Options: https://accounts.google.com/o/oauth2/auth?client_id=324060983727-t765ga725kl0mpc86vrsbuuc2a8qnvak.apps.googleusercontent.com&response_type=code%20token%20id_token%20gsession&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.login%20email&access_type=offline&request_visible_actions=http%3A%2F%2Fschemas.google.com%2FAddActivity&cookie_policy=single_host_origin&prompt=none&hl=en-US&include_granted_scopes=true&proxy=oauth2relay330759805&redirect_uri=postmessage&origin=http%3A%2F%2Fwww.talkjesus.com&gsiwebsdk=1&state=558754009%7C0.4287214148&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en_US.zJys6HNA490.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPquw-sFZIczm1s9rm-hSAHABebBQ does not permit cross-origin framing.

I don't see anything else set as http?

On a side note, I'd like to force enable https, redirected from http. How can this be done? I thought that was already done based on the htaccess snippet but apparently I can still go to http without being redirected to https protocol.

PS: I'm also using Cloudflare via CNAME (not their nameservers).
 
Hey Brogan,

Please see attached. Cleared FF cache entirely and restarted. Same error as guest, and partial error as logged in user.

Regarding the CSS:
http://code.ionicframework.com/ionicons/2.0.1/css/ionicons.min.css

How did you find that it was the specific culprit? What tool did you use? Thanks for the find as well, updated it and that fixed the partial error when logged in.

You need to redirect www and the non www version of your site to https.
 
It's already set in cPanel > Redirects and the htaccess file.

Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[^/]+/([0-9]+)-[^\.]+\.html$ /index.php?threads/$1/ [R=301,L]
RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
Use this tool to see if your forum is properly configured:

https://www.linksspy.com/seo-tools/free-seo-ssl-scan/new
 
Might want to double check your style info. This solved my issue and I was racking my brain trying to figure it out:
https://xenforo.com/community/threads/mixed-content-https-problem.125308/

Checked that, all good there.

Here's what I noticed below (I still prefer any non https direct access be redirected to https automatically, site wide which I'm asking for help on here and haven't gotten a solution).

If I go directly to talkjesus.com (without "https" protocol) in Edge browser, I get no error (attached pic).

In Firefox, I get this error. Is this just a new Firefox warning for non https page(s)? Never seen this before. Running FF 51.

 
Rewrite rules are in the FAQ - points 19 and 20: https://xenforo.com/community/threads/frequently-asked-questions.5183/#post-180456

That's server related though, not really anything to do with XF.

I've already implemented this (I mentioned this two times in this thread).

Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[^/]+/([0-9]+)-[^\.]+\.html$ /index.php?threads/$1/ [R=301,L]
RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If I move the last 2 lines up to below RewriteEngine On, I get 404's.
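
Added example (not part of the thread, and not Apache itself): a simplified model of how mod_rewrite binds each `RewriteCond` to the next `RewriteRule` and ANDs the conditions, run over the rules as posted (the `RewriteEngine On` line is omitted). It shows which requests the posted snippet leaves on HTTP. `SPLIT` is an assumed alternative written for this example; it presumes `%{HTTPS}` reflects the visitor's scheme, which does not hold when a proxy connects to the origin over plain HTTP.

```javascript
// Added example: simplified model of mod_rewrite condition handling.
// Each RewriteCond belongs to the next RewriteRule only, and conditions are ANDed.
const POSTED = String.raw`
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[^/]+/([0-9]+)-[^\.]+\.html$ /index.php?threads/$1/ [R=301,L]
RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]`;

// Assumed alternative (this example's, not from the thread): one rule per concern.
const SPLIT = String.raw`
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.talkjesus.com%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteRule ^ https://www.talkjesus.com%{REQUEST_URI} [L,R=301]`;

function parseRules(text) {
  const rules = [];
  let pending = [];                        // conditions waiting for their rule
  for (const line of text.split('\n')) {
    const [directive, a, b] = line.trim().split(/(?<!\\)\s+/);
    if (directive === 'RewriteCond') pending.push({ variable: a, pattern: b });
    if (directive === 'RewriteRule') {
      rules.push({ pattern: a, target: b, conds: pending });
      pending = [];
    }
  }
  return { rules, dangling: pending };     // dangling conds would bind to a later rule in the file
}

function condHolds(pattern, value) {
  const negate = pattern.startsWith('!');
  return new RegExp(negate ? pattern.slice(1) : pattern).test(value) !== negate;
}

// Returns the redirect target of the first rule that fires, or null if none does.
function firstRedirect(text, { host, https, uri }) {
  const vars = { '%{HTTP_HOST}': host, '%{HTTPS}': https ? 'on' : 'off', '%{REQUEST_URI}': uri };
  const path = uri.replace(/^\//, '');     // .htaccess patterns see the path without the leading slash
  for (const rule of parseRules(text).rules) {
    const m = new RegExp(rule.pattern).exec(path);
    if (!m || !rule.conds.every((c) => condHolds(c.pattern, vars[c.variable]))) continue;
    return rule.target.replace(/\$(\d)/g, (_, n) => m[n]).replace(/%\{\w+\}/g, (v) => vars[v]);
  }
  return null;
}
```

With `POSTED`, a plain-HTTP request for `www.talkjesus.com` returns `null` because the host condition fails, so the redirect never fires for the www host. Moving only the last two lines to the top leaves the `HTTP_HOST` condition in `dangling`, where it would bind to whichever `RewriteRule` comes next in the rest of the file, which the thread does not show.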
 