How To Implement SSL To Secure HTTP Traffic (HTTPS)

[Donny]

I'm setting up all new sites as https but am worried about established older sites. What has changing your forums over to https done with regards to your adsense? perhaps most recently @CyclingTribe ?

 

[CTXMedia]

I'm setting up all new sites as https but am worried about established older sites. What has changing your forums over to https done with regards to your adsense? perhaps most recently @CyclingTribe ?

Nothing dramatic - thankfully. It's not easy to tell as this is our slowest time of year for revenue, so a slight dip may or may not be associated with the switch, but certainly not enough to cause any major concern - especially considering our site is being completely reindexed.

The reindexing began very quickly and we seem to have retained our backlinks in Google Search Console, which is good. I've also modified all the redirects from various other domains that I had pointing at CycleChat and additionally forced the primary (non-www) domain to redirect to www so that everything now 301 redirects to https://www.cyclechat.net/ - which has tidied things up quite a bit.

I must admit to having some reservations myself, especially with regards to revenue, but everything seems to have gone pretty smoothly.

 

[Betclever]

Firstly, thanks Brogan for this tuto. Very useful!

I have an issue since I moved to HTTPS...

https://gyazo.com/b97c99f8939c33110ad7ddc721bcd2fd

I don't see the padlock but it is normal because of the link which is not correct.
In fact, it must be https://bet-clever.com/forum/nhl.26/ (or something with a thread) instead of https://bet-clever.comsujet/

I have this issue with a lof of old links.

Here is my .htaccess rules:

RewriteEngine On

RewriteCond %{HTTP_HOST} www.bet-clever.com$
RewriteRule ^(.*)$ https://bet-clever.com$1 [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Anyway, the rest is ok, everything is fine but I would like to solve those 2 issues...

What's wrong please?

Thanks.

 

[Donny]

That's bad for rankings because google would assume that it's duplicate content.

https://ahrefs.com/blog/ssl/

Nothing dramatic - thankfully. It's not easy to tell as this is our slowest time of year for revenue, so a slight dip may or may not be associated with the switch, but certainly no enough to cause any major concern - especially considering our site is being completely reindexed.

The reindexing began very quickly and we seem to have retained our backlinks in Google Search Console, which is good. I've also modified all the redirects from various other domains that I had pointing at CycleChat and additionally forced the primary (non-www) domain to redirect to www so that everything now 301 redirects to https://www.cyclechat.net/ - which has tidied things up quite a bit.

I must admit to having some reservations myself, especially with regards to revenue, but everything seems to have gone pretty smoothly.

That's exactly what I needed to hear. I'm assuming most advertisers that are selling something I assume have HTTPS thesmelves anyway. Some of my sites have quite a lot of advertisers advertising services though (so no online store, just contact info and online price lists etc) so I'm wondering if their non-HTTPS sites would affect my CPC much. I'd hope Google would appreciate my efforts and sort me out with some blue-chip replacements and double my CPC ha (he wishes).

 

[Bonsai Coder]

...and if you are getting security errors (incomplete encryption) in your address bar, you can locate the offending part of your site by using Firefox, go into Tools/Web Developer/Web Console, and hit F5 to reload your page. Any SSL errors will show up in red in the Web Console.

 

[Martok]

...and if you are getting security errors (incomplete encryption) in your address bar, you can locate the offending part of your site by using Firefox, go into Tools/Web Developer/Web Console, and hit F5 to reload your page. Any SSL errors will show up in red in the Web Console.

In fact you can use any of the major browsers to do this.

http://webmasters.stackexchange.com...-the-javascript-console-in-different-browsers

 

[Betclever]

Thanks guys!

I finaly solved the issues, it was some hard coded links (images)...

 

[Live Free]

I make the upgrade to SSL last night. It was a longer night than I anticipated . I still need to update some of peripherals in this guide, but I am experiencing two major issues I was hoping someone might be able to help shed some light on.

• Broken navigation on mobile (vertical view not horizontal)

Normally I'd dig in an Inspect Element/View Console but I don't know how to examine the issues on a mobile device.

• One user reported being unable to post via Safari

I tested Safari on my machine and was able to post, as one another member.

Any suggestions on what to look into?

 

[Paul B]

The layout issues won't have anything to do with switching to https.

For the posting issue, if it only affects one member, it's going to be something local to them such as browser caching.

 

[Live Free]

The layout issues won't have anything to do with switching to https.

For the posting issue, if it only affects one member, it's going to be something local to them such as browser caching.

The layout issue wasn't there yesterday before the https switch. :/

I'll try to gather additional information on Safari, see if anyone else reports it.

Edit: Safari is broken on my mobile browser also. Post buttons there but no field.





Edit: @Brogan both the design and Safari issues seemed to relate to cache/cookies that references http, after getting the users to clear them the issues were resolved.

I do have a couple other questions if you don't mind.

 

[Chris Goldsmith]

This article on page 1 gave me exactly the items I needed to resolve mixed content errors in the browser. I already had the Apache items done and needed the xenforo specific items

 

[ASap]

I have the following rewrite rule:

RewriteEngine On

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteRule t([\d]+)-([\d]+)/ showthread.php?t=$1&page=$2 [NC,L]
RewriteRule t([\d]+)/ showthread.php?t=$1 [NC,L]
RewriteRule f([\d]+)-([\d]+)/ forumdisplay.php?f=$1&page=$2 [NC,L]
RewriteRule f([\d]+)/ forumdisplay.php?f=$1 [NC,L]

RewriteRule ^home/(.*)$ index.php$1 [R=301,L]
RewriteRule ^tags.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^blog.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^forum.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^entry.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^usercp.php(.*)$ account/$1 [R=301,L]
RewriteRule ^group.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^showgroups.php(.*)$ online/$1 [R=301,L]
RewriteRule ^calendar.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^memberlist.php(.*)$ members/$1 [R=301,L]
RewriteRule ^private.php(.*)$ conversations/$1 [R=301,L]
RewriteRule ^external.php(.*)$ forums/-/index.rss$1 [R=301,L]

and seems conflicting with Force HTTPS:

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Please advise. Thank you.

 

[Chris Goldsmith]

I have the following rewrite rule:

RewriteEngine On

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteRule t([\d]+)-([\d]+)/ showthread.php?t=$1&page=$2 [NC,L]
RewriteRule t([\d]+)/ showthread.php?t=$1 [NC,L]
RewriteRule f([\d]+)-([\d]+)/ forumdisplay.php?f=$1&page=$2 [NC,L]
RewriteRule f([\d]+)/ forumdisplay.php?f=$1 [NC,L]

RewriteRule ^home/(.*)$ index.php$1 [R=301,L]
RewriteRule ^tags.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^blog.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^forum.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^entry.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^usercp.php(.*)$ account/$1 [R=301,L]
RewriteRule ^group.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^showgroups.php(.*)$ online/$1 [R=301,L]
RewriteRule ^calendar.php(.*)$ index.php$1 [R=301,L]
RewriteRule ^memberlist.php(.*)$ members/$1 [R=301,L]
RewriteRule ^private.php(.*)$ conversations/$1 [R=301,L]
RewriteRule ^external.php(.*)$ forums/-/index.rss$1 [R=301,L]

and seems conflicting with Force HTTPS:

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Please advise. Thank you.

You do not need the individual pages rewrites - here is my re-write config along with the settings with the Admin control panel settings at the first page of this thread

    RequestHeader set X-Forwarded-Proto "http"
     RewriteEngine On
     RewriteCond %{HTTP:X-Forwarded-Proto} !https
     RewriteCond %{HTTPS} off
     RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

 

[Chad]

You do not need the individual pages rewrites - here is my re-write config along with the settings with the Admin control panel settings at the first page of this thread

    RequestHeader set X-Forwarded-Proto "http"
     RewriteEngine On
     RewriteCond %{HTTP:X-Forwarded-Proto} !https
     RewriteCond %{HTTPS} off
     RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

I tried your method, and the conversation drop down menu is now blank and extended vertically. I cannot access Conversations area either via the profile drop down link. Just refreshes homepage.

.htaccess

RequestHeader set X-Forwarded-Proto "http"
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^[^/]+/([0-9]+)-[^\.]+\.html$ /index.php?threads/$1/ [R=301,L]

   
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

## EXPIRES CACHING ##
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access 1 year"
    ExpiresByType image/jpeg "access 1 year"
    ExpiresByType image/gif "access 1 year"
    ExpiresByType image/png "access 1 year"
    ExpiresByType text/css "access 1 month"
    ExpiresByType text/html "access 1 month"
    ExpiresByType application/pdf "access 1 month"
    ExpiresByType text/x-javascript "access 1 month"
    ExpiresByType application/x-shockwave-flash "access 1 month"
    ExpiresByType image/x-icon "access 1 year"
    ExpiresDefault "access 1 month"
</IfModule>
## EXPIRES CACHING ##

Header unset Pragma
FileETag None
Header unset ETag

<IfModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml

    # Remove browser bugs (only needed for really old browsers)
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    Header append Vary User-Agent
</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
    RewriteRule ^.*$ - [NC,L]

    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
   
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>

<Files 403.shtml>
    order allow,deny
    allow from all
</Files>

# php -- BEGIN cPanel-generated handler, do not edit
# This domain inherits the “PHP” package.
# php -- END cPanel-generated handler, do not edit

 

[turbos]

how about litespeed instead of apache ?
is this correct?

rewriteCond %{HTTPS} !on
rewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

 

[Pedro Pino]

has anyone tried at hostmonster? I did follow Brogan but my host server don't show the website after changes made to .htaccess

 

[Pedro Pino]

a member of live support at hostmonster set it up for me. Thanks. Good Tutorial!

 

[spydrzero]

I've done everything in the steps but my site still doesnt redirect to https..

What am I doing wrong?

 

[Svoboda]

Just followed the guide for a new site of mine and I think it's working as it should. Anyone care to double-check?

https://www.nbagoat.com

I use URLJet for my webhost and when I went into the CPanel, they apparently automatically issue a SSL cert when you add the domain so it was already sitting there waiting for me to use.

 

[Robru]

Anyone card to double-check?

Works perfect!