How To Implement SSL To Secure HTTP Traffic (HTTPS)

How To Implement SSL To Secure HTTP Traffic (HTTPS)

Interesting, let e know if you find a solution.
Found one.

So I left the .htaccess file alone as no matter what I tried I ran into issues.

I noticed an interesting and helpful option in Xenforo that I didn't see the other 50 times I've looked at that screen. It's probably a feature of 2.0.

fixed.webp

It sits below the Board URL field under Basic board information. (I ticked it)
 
Am I correct in thinking that if I use Cloudflare to force the first request to https - then I don't need the additional rewrite code in the root .htaccess folder?

I discovered a weird issue while migrating to XF last night: When I had Cloudflare enabled and added the extra 2 lines in the .htaccess - the site would get stuck in an infinite redirect loop. This could have just been a Cloudflare caching issue perhaps, I'm going to wait til the weekend to experiment further.
 
Am I correct in thinking that if I use Cloudflare to force the first request to https - then I don't need the additional rewrite code in the root .htaccess folder?

I discovered a weird issue while migrating to XF last night: When I had Cloudflare enabled and added the extra 2 lines in the .htaccess - the site would get stuck in an infinite redirect loop. This could have just been a Cloudflare caching issue perhaps, I'm going to wait til the weekend to experiment further.
if you use cloudflare and have always use https enabled and auto rewrite http to https, then no need for .htaccess redirects for non-https to https

edit: fyi, cloudflare has community support forum at https://community.cloudflare.com/ as well so if you have cloudflare specific issues, you can ask there too
 
Last edited:
I am about to move my vB forum to a new server and upgrade it to XF2. Part of that process is setting up the SSL. I also have two static html content websites on the server with their own domains. For those, I simply created a new .htaccess file and added the following,

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I have no idea what that means or how it works, but it does. I got it from here. Both of the static sites now have https working (sfriday.com and backroadmotorcycletours.com). Unlike my forum, people visiting those sites enter at the top level directory like,

/home/user/public_html/index.htm

and that is the directory where I put the .htaccess file for those sites. However, my forum will be located in,

/home/forumuser/public_html/forums/index.php

I've not yet transferred my domain to the new IP address on the new server. I have been accessing my XF test site just using http://IP address/ and there has been a redirect in place that moves me from the /public_html straight to the /forums/index.php. A friend set it up for me, so again I have no clue what it does or how.

RewriteOptions inherit

RewriteEngine on
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^(.*)$ "http\:\/\/192\.232\.203\.64\/forums\/index\.php$1" [R=301,L]

That .htaccess file sits in the /public_html directory (which is currently password protected). The redirect is there because at this time I don't have a homepage, but plan to add one later. There is also a .htaccess file in the /forums directory,

# Mod_security can interfere with uploading of content such as attachments. If you
# cannot attach files, remove the "#" from the lines below.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
RewriteEngine On

# If you are having problems with the rewrite rules, remove the "#" from the
# line that begins "RewriteBase" below. You will also have to change the path
# of the rewrite to reflect the path to your XenForo installation.
#RewriteBase /xenforo

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
</IfModule>

I am sorry this is long, but want to make sure you see what I have. My question is this, do I need to add the https stuff from the How To I linked to above to BOTH of the .htaccess files or just one? If only one, which one?

After I get my domain name pointed to the new IP address on the new server, I will need to change both/one of the .htaccess files to replace the IP with the domain name to keep that redirect working so people land on the forum index page. I have no idea how that needs to be done. I am not an IT person and this is all pretty new to me. I don't know if one .htaccess file dominates others based on its location in the directory structure or if they all work independently.

Also, there is the XF redirect add on that will be added so all my old links work. Do I need to do anything special because of that or just install the mod and forget about it?

Thanks.
 
Thank you for this complete instruction.
I have a problem and its related to users content, so I don't know how to deal with.

In some threads, there are lots of images or urls from different upload centers that dont use SSL. so I get mixed content error.

what should I do in this case?
 
Image Proxy:

If embedding images from remote servers in posts is permitted, then the Image Proxy must be enabled.
If it is not, mixed content warnings will be produced when loading a page with an embedded image from a URL which is not HTTPS.
It can be enabled in the ACP -> Options -> Messages -> Image and Link Proxy: Proxy Images.
Further information regarding the feature is available here: XF 1.3 - EXIF Rotation, ACP Searching, Proxying and Change Logging
 
More or less, depending on whether it's a new install or upgrade.

XF2 also has a canonical setting in the ACP which should be enabled.
 
More or less, depending on whether it's a new install or upgrade.

XF2 also has a canonical setting in the ACP which should be enabled.
Thank you but I am a totally knew user and that didn't make much sense to me but I am eager to learn. Other than going to my host and asking for an SSL there seems to be another part to setting up SSI with XF2?
 
As far as the SSL certificate is concerned, that part is the same.

It's something you need to implement at the server level.

Your host will be able to assist if you are not sure how to do that.
 
When i add this to the htaccess file it gets me in a redirect loop making my site unavailable



What can i do to solve this?
 
Thanks for this Brogan.
My site is just new, many of my new members and prospective members say thay will not join or comment until my site is sceure.
Its just one extra thing to do.
But I'd better get on it it.
I hope my webhost has a SSl Certificiate!
 
I'm on Sitegorund and they gave me an SSL certificate (free) and set it all up for me.
I'll look at lets Encrypt later.
 
It's not possible as the resource is hosted in the XF1 category.

It primarily relates to XF1 so that is the best category for it.
It wasn't worth doing a new resource for XF2 as there's not much to do compared to XF1.
 
Top Bottom