You need to force sessions to SSL. The easiest way is via a .htaccess entry.
- https://xenforo.com/community/threads/xenforo-always-use-ssl.36180/#post-411628
http://xenforo.com/community: Force SSL / HTTPS
- Thread starter Chris D
- Start date
- Status
- https://xenforo.com/community/threads/xenforo-always-use-ssl.36180/#post-411628
HappyWorld
Well-known member
if base href is still HTTP, and i use htaccess to redirect, it means
every click from the browser interface is still pointed to HTTP, and htaccess will redirect it to the HTTPS.
It means = every 1 click = 1 additional redirect, any other idea?
maybe using add on or something.
Digital Doctor
Well-known member
Is this issue "solved" for the latest Xenforo ?
or does it still require individual admins to make server settings (ie. by manually editing .htaccess ) ? (as posted here - https://xenforo.com/community/threads/xenforo-always-use-ssl.36180/#post-411628).
It seems like xenforo edits .htaccess for friendly URLs ... should there be an admin setting for forcing https that edits .htaccess too ?
What about for redirecting www to non-www ?
or does it still require individual admins to make server settings (ie. by manually editing .htaccess ) ? (as posted here - https://xenforo.com/community/threads/xenforo-always-use-ssl.36180/#post-411628).
It seems like xenforo edits .htaccess for friendly URLs ... should there be an admin setting for forcing https that edits .htaccess too ?
What about for redirecting www to non-www ?
TLDR
Active member
Hi,
I'm using this to enforce SSL and www:
Or this to enforce non-www:
I'm using this to enforce SSL and www:
Code:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.yoursite\.com [NC]
RewriteRule (.*) https://www.yoursite.com/$1 [R=301,L]Or this to enforce non-www:
Code:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^yoursite\.com [NC]
RewriteRule (.*) https://yoursite.com/$1 [R=301,L]
There's nothing to "solve".
Enabling SSL for a site is an involved process, technically, and there's no magic switch that can just enable it for you. Bear in mind you still have to create a certificate request, have that fulfilled by a certification authority, then install that certificate (and possibly others) for the web server to recognise it.
There's potentially other prerequisites that may not already be installed/enabled too, and all of the above the process can vary depending on the actual web server and OS you're using.
The only tasks left are mostly trivial:
1) Change the board URL in the Admin CP
2) Force HTTP traffic to HTTPS
That last step is highly recommended, but even that is optional. There'd be no point in having a magic switch for that because, again, how the redirection is implemented varies greatly depending on which web server is being used, e.g. .htaccess modifications won't help you if you're running nginx. Similar with the www to non-www case.
The friendly URLs case is slightly different because it does need to be explicitly switched on so our routing system knows how to create the friendly URLs.
This thread was merely a request for HTTPS to be implemented here, which it was a long time ago.
Enabling SSL for a site is an involved process, technically, and there's no magic switch that can just enable it for you. Bear in mind you still have to create a certificate request, have that fulfilled by a certification authority, then install that certificate (and possibly others) for the web server to recognise it.
There's potentially other prerequisites that may not already be installed/enabled too, and all of the above the process can vary depending on the actual web server and OS you're using.
The only tasks left are mostly trivial:
1) Change the board URL in the Admin CP
2) Force HTTP traffic to HTTPS
That last step is highly recommended, but even that is optional. There'd be no point in having a magic switch for that because, again, how the redirection is implemented varies greatly depending on which web server is being used, e.g. .htaccess modifications won't help you if you're running nginx. Similar with the www to non-www case.
The friendly URLs case is slightly different because it does need to be explicitly switched on so our routing system knows how to create the friendly URLs.
This thread was merely a request for HTTPS to be implemented here, which it was a long time ago.
Digital Doctor
Well-known member
What percentage of Xenforo sites are on apache ? 90% ?
What percentage of newbie Xenforo admins are on apache ? 97% ?
(Anyone care to guess what the stats are for the above ?)
If you are running nginx, you probably know what you are doing.
is it still the case that default Xenforo www to non-www will log you out ?
seems like it is for me.
if it makes sense to redirect all www to non-www URLs ... how would a newbie admin be informed of that ?
Should instructions be placed in the admin panel settings somewhere ?
otto
Well-known member
Chris, I use Plesk 12.5 with the LetsEncrypt extension and its only one klick to enable SSL for a domain. One of the biggest hoster in germany enabled LetsEncrypt now also for webspace, so its a time question that more and more sites run with SSL a easy way.
So, I think ist not the badest idea to let xenforo do the htaccess edit. If thats possible... Why not?
There might be ways for us to do it. This isn't the correct forum or thread to discuss it, though. If there isn't already, a Suggestion should be created and if necessary it discussed further there.
I'm going to close this thread now because we've ventured off topic, and this thread served its purpose.
This thread was to request and discuss SSL being switched on for this site specifically.
I'm going to close this thread now because we've ventured off topic, and this thread served its purpose.
This thread was to request and discuss SSL being switched on for this site specifically.
- Status
