XF 1.5 htaccess file

KSA

Well-known member
Can someone help with the htaccess file content. I have two htaccess files within the same root and im not sure why I have two fils instead of one. I just installed SSL to my forum and im not certain what should I modify in the file. I have added this code to both htaccess files but kept the rest unchanged.



Code:
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


Code:
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]


RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{HTTP_HOST} !^world-defense\.com$ [NC]
    RewriteRule ^(.*)$ http://world-defense.com/$1 [R=301,L]
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>


Should I modify this or keep it as is:
Code:
RewriteCond %{HTTP_HOST} !^world-defense\.com$ [NC]
    RewriteRule ^(.*)$ http://world-defense.com/$1 [R=301,L]


After SSL implementation I ran content update through phpmyadmin and I still most pages are not secured. Simply I have followed all instruction given by @Brogan in this thread and yet most pages are not secured.

https://xenforo.com/community/resources/how-to-implement-ssl-to-secure-http-traffic-https.5425/
 
Are those rewrite rules not saying, .. rewrite the url to http, if you want https, they have to rewrite your http traffic to https.

There are 3 chunks of code, the middle one is the xenforo htaccess file.

i would start with removing the duplicate stuff, if you have 3 chunks of rewrite condition of setting https to off, and rewriting it to http, then keep 1, but since you want https, probably remove it (or fix it).

Keep the xenforo one, and append to the top of it with the rewrite rule. You want a perm moved 301 rule to move any http host to https.
 
  • Like
Reactions: KSA
Are those rewrite rules not saying, .. rewrite the url to http, if you want https, they have to rewrite your http traffic to https.

There are 3 chunks of code, the middle one is the xenforo htaccess file.

i would start with removing the duplicate stuff, if you have 3 chunks of rewrite condition of setting https to off, and rewriting it to http, then keep 1, but since you want https, probably remove it (or fix it).

Keep the xenforo one, and append to the top of it with the rewrite rule. You want a perm moved 301 rule to move any http host to https.

Can you rewrite the htaccess file in the proper way it should be using the https instead of the http so I can copy the whole thing to the file. Im not an expert just so you know. Im not sure what to remove and what to keep. Thanks in advance.
 
I had no idea it was possible to have two files with the same name.

I think the default xenforo htaccess file is mnamed htaccess.txt and does nothing until it is renamed .htaccess (which is how an htaccess file must be named for it to be "active")

By not having the dot in front and having the .txt extension, this is usually a way to have the code for reference in case you need it, but not actually have it active.
 
I had no idea it was possible to have two files with the same name.

I think the default xenforo htaccess file is mnamed htaccess.txt and does nothing until it is renamed .htaccess (which is how an htaccess file must be named for it to be "active")

By not having the dot in front and having the .txt extension, this is usually a way to have the code for reference in case you need it, but not actually have it active.

The other file I have is named htaccess1 and the one with the .txt extension is also there.
 
The webserver will ONLY use ".htaccess" Any additional .txt of htaccess files without a dot in front of it are ignored and considered to be any other file on the public web directory.

/htaccess
/.htaccess.txt
/htaccess.txt

all ignored,

used:
/.htaccess

I hope that clears that up.
 
The 1.5.13 htaccess.txt file provided by xenforo has this exactly in it:
Code:
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>

Your http to https rewrite rule could be added in front of this line:
Code:
RewriteCond %{REQUEST_FILENAME} -f [OR]

Backup the .htaccess file you have, and rename the xenforo one from htaccess.txt to .htaccess

We already linked to the instructions for redirecting stuff:
https://xenforo.com/community/resources/how-to-implement-ssl-to-secure-http-traffic-https.5425/

To clarify : from what I understand you have successfully installed a valid certificate and only need to get xenforo to run on https
Note: So NOT http://example.com, but httpS://example.com is what you want.

a- change the url in the board options of xenforo from admin.php to be https (notice the s)
b- update the .htaccess file to be xenforo's + the redirection line
c- update config.php optionally with : $_SERVER['HTTPS'] = 'on';
 
I have successfully enforced secure connection however all threads and pages are not fully secured. I still get this circled exclamation mark by all web browsers saying that the connection is not fully secure as you can see in these screenshot. How can I resolve this issue.

Screen Shot 2017-05-14 at 6.56.34 PM.webp Screen Shot 2017-05-14 at 7.00.05 PM.webp
 
Hi @ALMUSA,

Looks like your flag images are still loading on HTTP, they may have been hardcoded as HTTP - you'll need to check and update the image links wherever you implemented that:
mixed-content-warning.webp
 
  • Like
Reactions: KSA
bingo! you are a lifesaver. I changed that and it worked (y)
The majority of the time you see that issue is when you have that very problem. Insecure content is content that is linked somewhere in your page (via a template or add/on that calls to images) that are served via HTTP protocol. When you look in your browser developer tools at the page, it will usually tell you exactly what image it is that is being called in via the non-secure method. Then you just have to find where it's calling it at and make necessary modifications. I've even had to modify some JS files to fix a hardcoded HTTP call that was also available via HTTPS in the past.
 
  • Like
Reactions: KSA
Top Bottom