How To Implement SSL To Secure HTTP Traffic (HTTPS)

Going to soon move my WP/XF site to https.

Here is my question - I already did one of my other WP sites and it was really easy because there are two plug-ins for WP that do all the work.

But my main site has WP as the main blog - and the Xenforo as the forums under a "talk" directory.

So my question concerns the .htaccess instructions, etc. in this guide...since it is likely the WP plug-ins modify the (root directory) htaccess file already.

Can I put the Xenforo Apache directives into the /talk access file? Or should I add them to the main root directory htaccess in addition to those put there by the WP plug ins?

Again, the site layout is WP in the root - with XF all installed under /talk.

Thanks for any answers in advance. I am confident of buying the SSL, installing it and doing the WP part of it....but I don't want to screw up the forum too bad....
 
Thanks for this guide @Brogan , I moved us over to https on Friday - https://www.onefootballforum.co.uk/index.php

Only issue we've had since then is some users are reporting that they are being automatically logged out on occasion since the switch.

Some have solved the issue by clearing their cache and updating their bookmarks to https - others are saying this hasn't fixed it (though I can't verify).

Any ideas? Or will this definitely be an end user issue with bookmarks/caching?

Thanks,
 
You haven't fully sorted out redirecting http to https. Whilst http://www.onefootballforum.co.uk goes to https://www.onefootballforum.co.uk/index.php, http://www.onefootballforum.co.uk/index.php does not redirect to the https version
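
Added example, not part of the thread or of XenForo: a small Python audit of the check the reply above does by hand. It requests every scheme/host/path variant without following redirects and reports any that do not end at the HTTPS www host. `www.example.test` and `sample_fetch` are constructed stand-ins that mimic the behaviour described; pass `live_fetch` instead to test a real site.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def variants(host, paths=("/", "/index.php")):
    """Every scheme/host/path form a stale bookmark or old link might use."""
    apex = host[4:] if host.startswith("www.") else host
    return [f"{s}://{h}{p}" for s in ("http", "https")
            for h in (apex, "www." + apex) for p in paths]

def follow(url, fetch, max_hops=5):
    """Follow redirects by hand: (final_url, status_codes, looped)."""
    seen, codes = set(), []
    while url not in seen and len(codes) < max_hops:
        seen.add(url)
        status, location = fetch(url)
        codes.append(status)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, codes, False
        url = urljoin(url, location)
    return url, codes, True  # revisited a URL or ran out of hops

def audit(host, fetch):
    """Map each variant that does not end at https://<host> to its problem."""
    problems = {}
    for url in variants(host):
        final, codes, looped = follow(url, fetch)
        end = urlsplit(final)
        if looped:
            problems[url] = "redirect loop"
        elif (end.scheme, end.netloc) != ("https", host):
            problems[url] = f"answered {codes[-1]} at {end.scheme}://{end.netloc}"
    return problems

def live_fetch(url):  # real fetcher: one HEAD request, redirects not followed
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def sample_fetch(url):
    """Constructed server: apex is redirected, but on www only "/" is."""
    u = urlsplit(url)
    if u.netloc == "example.test":
        return 301, f"https://www.example.test{u.path}"
    if u.scheme == "http" and u.path == "/":
        return 301, "https://www.example.test/index.php"
    return 200, None
```

Because each request is made fresh, the result does not depend on a browser's cached redirects or bookmarks.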
 
We have enabled full friendly URLs along with mod_rewrite and AllowOverride - I fear it's our .htaccess-- and setup with Sucuri firewall that's causing the issue.

Here's our .htaccess--

Code:
#Force www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^onefootballforum.co.uk [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ https://www.onefootballforum.co.uk/$1 [L,R=301,NC]

#Sucuri firewall bypass prevention rules
<FilesMatch ".*">
    Order deny,allow
    Deny from all
    Allow from 192.88.134.0/23
    Allow from 185.93.228.0/22
    Allow from 2a02:fe80::/29
    Allow from 66.248.200.0/22
</FilesMatch>

#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /Xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 
RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^.*$ - [NC,L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>

<IfModule mod_deflate.c>
  # Compress HTML, CSS, JavaScript, Text, XML and fonts
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Remove browser bugs (only needed for really old browsers)
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>

<ifModule mod_expires.c>
     ExpiresActive On
     ############################################
     ## Add default Expires header
     ## http://developer.yahoo.com/performance/rules.html#expires
     <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
     ExpiresDefault "access plus 1 year"
     </FilesMatch>
     </ifModule>

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php54” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php54 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

Can anybody help to shed some light?
 
To re-open the board to make it half operational, I've had to reverse the change and disable Full Friendly URLs for now as we've not been able to get .htaccess-- to play ball despite the best efforts gratefully received of M@rc. It's getting late here tonight but will look to tackle this again tomorrow - willing to pay for anyone who can offer assistance.

Thanks!
 
Hi Brogan,

Thank you very much for the guide. I have a problem when using this command:

UPDATE xf_post SET message = REPLACE(message,'http://xenforo.com/','https://xenforo.com/');

Not all the links are updated to https. Although, if I click Edit a post with http links, the links would show correctly as https. Do I have to flush cache or rebuild threads (I tried rebuilding threads, it did not work)?

Thank you :)
 
I still have this issue where going to www.talkjesus.com does not automatically redirect to https://www.talkjesus.com despite following guidelines. I've tried so many variations of the .htaccess and still can't figure it out.

Current .htaccess

Code:
RewriteEngine On

RewriteCond %{HTTP_HOST} ^talkjesus.com[nc]
RewriteRule ^(.*)$ http://www.talkjesus.com/$1 [r=301,nc]

# Mod_security can interfere with uploading of content such as attachments. If you
# cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
# SecFilterEngine Off
# SecFilterScanPOST Off
#</IfModule>

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>
## EXPIRES CACHING ##

Header unset Pragma
FileETag None
Header unset ETag

<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
RewriteEngine On

# If you are having problems with the rewrite rules, remove the "#" from the
# line that begins "RewriteBase" below. You will also have to change the path
# of the rewrite to reflect the path to your XenForo installation.
#RewriteBase /

# This line may be needed to enable WebDAV editing with PHP as a CGI.
#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^.*$ - [NC,L]

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^.*$ index.php [NC,L]
</IfModule>

<Files 403.shtml>
order allow,deny
allow from all
</Files>

Board URL & Homepage URL both set to https://www.talkjesus.com in XF options.

"Use Full Friendly URLs" enabled.
 
I still have access to http://www.talkjesus.com/ which doesn't redirect to the https version. That's bad for rankings because google would assume that it's duplicate content.

https://ahrefs.com/blog/ssl/

I really need help here. This is absolutely frustrating. I do not have this issue on a WP install on the very same server, but only with XF software. I disabled Cloudflare as well for now and cleared cache. Still, the issue is talkjesus.com or www.talkjesus.com does not automatically redirect to https://www.talkjesus.com like it should.

Top of my htaccess:

Code:
RewriteCond %{HTTP_HOST} !^www\.talkjesus\.com$
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I also tried

Code:
RewriteCond %{HTTP_HOST} ^talkjesus.com[nc]
RewriteRule ^(.*)$ http://www.talkjesus.com/$1 [r=301,nc]

Also ran tests:
https://www.whynopadlock.com/check.php
All 81 items called securely!
Domain Name: www.talkjesus.com
URL Tested: https://www.talkjesus.com
Number of items downloaded on page: 81

Again, the issue is the redirects.
 
If you are trying to rewrite all URLs, non-www to www + https,
here is the correct code to use in .htaccess (I'm not a programmer, but this code works correctly on all of my sites)

Code:
### Begin - Redirect to https    
    <IfModule mod_rewrite.c>
        RewriteCond %{HTTPS} !=on
        RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
        RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule> 
### Begin - Redirect non-www to www + https
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
### End - Redirect non-www to www
 
Does this work for xenforo 2?
So I just finished switching over from http to https. The guide worked with the exception of the re-direct.

The forum wouldn't load at all when I included the following in .htaccess

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

here is the correct code to use in .htaccess

This doesn't do anything to help with the re-direct.

The strange thing is that the redirect works in Chrome, but not Firefox or Edge.
 