XF 2.0 HTTPS disappears when avatar load

[VG_AzR]

Hello, I have a concern that I would like to solve urgently it happens that when certain member connects the HTTP switches from secure to unsecured.

https://prnt.sc/jqnvsb

So I look in my browser's console if there was not an error and voice the error : http://prntscr.com/jqnioq

The avatar of the member loads in HTTP and not in HTTPS which produces the error. How to correct this please

 

[Martok]

I've had a look and can't seem to find an issue. When I go to that image directly and try removing https, it redirects to https as expected.

https://yourstudio.fr/data/avatars/l/0/64.jpg?1522140584

Can you link to a page where you are getting this error?

One issue you do have is that you have 2 versions of your site - https://yourstudio.fr/ and https://www.yourstudio.fr/ You need to redirect the www to non-www (or vice versa depending on your preference. See point 19 of the FAQ:
https://xenforo.com/community/threads/frequently-asked-questions.5183/post-180456

 

[VG_AzR]

First of all thank you for the return. It is directly on the homepage when connected that the HTTPS goes into unsecured

Here is my HTACCESS this one is it badly configured ? :

Options +FollowSymLinks



RewriteEngine On



RewriteBase /



#    Mod_security can interfere with uploading of content such as attachments. If you

#    cannot attach files, remove the "#" from the lines below.

#<IfModule mod_security.c>

#    SecFilterEngine Off

#    SecFilterScanPOST Off

#</IfModule>



ErrorDocument 401 default

ErrorDocument 403 default

ErrorDocument 404 default

ErrorDocument 405 default

ErrorDocument 406 default

ErrorDocument 500 default

ErrorDocument 501 default

ErrorDocument 503 default



<IfModule mod_rewrite.c>



       RewriteCond %{HTTPS} off           

       RewriteRule (.*) https://yourstudio.fr/$1 [R=301,L]



    #    If you are having problems with the rewrite rules, remove the "#" from the

    #    line that begins "RewriteBase" below. You will also have to change the path

    #    of the rewrite to reflect the path to your XenForo installation.

    #RewriteBase /xenforo



    #    This line may be needed to enable WebDAV editing with PHP as a CGI.

    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]



    RewriteCond %{REQUEST_FILENAME} -f [OR]

    RewriteCond %{REQUEST_FILENAME} -l [OR]

    RewriteCond %{REQUEST_FILENAME} -d

    RewriteRule ^.*$ - [NC,L]

    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]

    RewriteRule ^.*$ index.php [NC,L]

</IfModule>

 

[Martok]

First of all thank you for the return. It is directly on the homepage when connected that the HTTPS goes into unsecured

When I visit your homepage, the site is secure.



As for your .htaccess, the rewrite rule isn't working (which is why you have a www and non-www version). See the FAQ
https://xenforo.com/community/threads/frequently-asked-questions.5183/#post-180456

and this guide
https://xenforo.com/community/resources/how-to-implement-ssl-to-secure-http-traffic-https.5425/

for examples on how to make it work. Note that, as servers are different, you will have to try different ones until yours works.

 

[VG_AzR]

When I visit your homepage, the site is secure.

View attachment 178999

As for your .htaccess, the rewrite rule isn't working (which is why you have a www and non-www version). See the FAQ
https://xenforo.com/community/threads/frequently-asked-questions.5183/#post-180456

and this guide
https://xenforo.com/community/resources/how-to-implement-ssl-to-secure-http-traffic-https.5425/

for examples on how to make it work. Note that, as servers are different, you will have to try different ones until yours works.

I just modify the HTACCESS logically it should be good can you confirm me that ?

 

[Martok]

All seems fine now.

 

[VG_AzR]

And no http://prntscr.com/k1m2fq

 

[Martok]

And no http://prntscr.com/k1m2fq

I'm guessing this is something you are seeing when you are logged in. It is fine when viewing the site as a guest.

 

[MarkHUK]

serve the avatar over https as well and the error will go away

 

[VG_AzR]

Yes it is on the interface once connected, there is an avatar that loads in HTTP I do not understand why

serve the avatar over https as well and the error will go away

not understand

 

[MarkHUK]

Ythere is an avatar that loads in HTTP

Change the <img src="http:// part to https:// for the avatars in your template or backend panel. It is loading mixed-content over https and http so https gets broken! thats why.

 

[VG_AzR]

Change the <img src="http:// part to https:// for the avatars in your template or backend panel. It is loading mixed-content over https and http so https gets broken! thats why.

I need to modify all the templates that load the avatars?
Which one are they?

 

[Martok]

You shouldn't need to edit any of the default templates. If there's an insecure http:// in any templates (or widgets) then it would likely have been one that you have edited.

It's difficult to diagnose where the issue is when we cannot see it. The image causing the issues is this one:

https://yourstudio.fr/data/avatars/l/0/64.jpg?1522140584

but I can't see it on the forums page.

I can see the member that it belongs to on the members page https://yourstudio.fr/members/ but that isn't showing any errors and is showing only smaller avatars. So where exactly are you seeing the large avatar? Maybe a screenshot would help.

 

[VG_AzR]

You shouldn't need to edit any of the default templates. If there's an insecure http:// in any templates (or widgets) then it would likely have been one that you have edited.

It's difficult to diagnose where the issue is when we cannot see it. The image causing the issues is this one:

https://yourstudio.fr/data/avatars/l/0/64.jpg?1522140584

but I can't see it on the forums page.

I can see the member that it belongs to on the members page https://yourstudio.fr/members/ but that isn't showing any errors and is showing only smaller avatars. So where exactly are you seeing the large avatar? Maybe a screenshot would help.

https://yourstudio.fr/members/mahdy.64/
Only when the member is logged in, does the server load the avatar in HTTP

 

[Martok]

https://yourstudio.fr/members/mahdy.64/
Only when the member is logged in, does the server load the avatar in HTTP

Of course that page isn't available to guests. Maybe you could make profiles temporarily available to guests so we can check?

Is it all avatars it is doing this for? Or only this particular one?

 

[VG_AzR]

There are a lot of avatars out there

 

[VG_AzR]

visitors can see the profiles now

 

[Martok]

Hmm, interesting.

When I visit http://yourstudio.fr/ for the very first time (I tried in an incognito window) then the site is insecure as it is being served over http, not https. So the redirection isn't working. However, if I then either go directly to https://yourstudio.fr or go to http://www.yourstudio.fr which then redirects to https://yourstudio.fr/, I cannot then go back to http://yourstudio.fr/ as the redirection then works. I can only get it to repeat this in another incognito window.

Are you using some sort of caching on your site?

As for going directly to https://yourstudio.fr/members/mahdy.64/, I don't see any insecure errors

 

[VG_AzR]

You do not see an error because it is not online

Yes there is a cache system we use: Little Speed Cache for XF2

 

[VG_AzR]

It is possible with a test account to come and see what's wrong?