XF 2.0 https problem

Lord. Death.

I tried to switch to HTTPS today, but I got this problem:
every time HTTPS is used, this shows up:
Forbidden
You don't have permission to access this resource.
It loads fine when using http://
Website to check: http://thedarkestsignal.com/ | https://thedarkestsignal.com/
The SSL is installed correctly. Other subdomains that work fine: https://shop.thedarkestsignal.com/
I've used this tut to set up: https://xenforo.com/community/resources/how-to-implement-ssl-to-secure-http-traffic-https.5425/
The cert is on port 443; if it's on port 80, this message shows:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
 
Looking at Google Chrome inspect, your HTTPS/2 is not set up correctly, as only Google fonts are being served over https/2.

I'd say the issue might be .htaccess related, and probably your http to https rewrite rule.
 
Solved after upgrading the server
Just a heads up, you are still serving everything over HTTP/1.1, not HTTPS/2

If you fire up Google Chrome (or MS Edge) and go Right click > Inspect > Network (Tab) > Refresh page (and ensure the protocol option is also ticked). The Protocol tab tells you what header security level your site is responding on. Firefox can do the same via Right Click > Inspect Element > Network > Refresh page (and ensure the Protocol option is ticked).

Ideally you want everything responding as protocol "h2" and ONLY h2. That means your site is far more protected (and HTTPS/2 gives a nice speed boost too!).

Inspect is your friend and a HUGE benefit to troubleshooting and security checking.

Just ran some tests for you:
https://www.WhyNoPadlock.com - HTTPS is installed and forced on your server, but content is still being served over HTTP/1.1. So your SSL is 100%.
https://HTTP2.pro - No HTTP2 Support enabled/configured.
https://hstspreload.org - X509 Certificate misconfiguration (no https support over www.domain) and no HSTS Header support. I always set up and configure to HSTS principles, even if you don't proceed to register as an HSTS Preload site. You should have Strict HSTS set up as well to force HTTPS/2 only.
https://ssllabs.com/ssltest - Your site rates a "B" (mine gets an A+). Note the Handshaking all done over http/1.1

Can be a bit daunting to get that stuff right, but in the end it's extra security and peace of mind for your users.
 
Thank you, I've switched to https2.
I've run the test myself; it seems to be fine after the switch. Only the HSTS part doesn't seem to be done correctly. How do I fix it?
Edit: The website was fine, then when https2 got enabled, it became way too slow. What could be causing this?
 
That looks better now, but HSTS and HTTPS headers still appear wrong/misconfigured, and I see what you mean about the speed. Gut feeling is that .htaccess has a misconfiguration or circular reference which is causing a loop and thus slowdown.

index.php and job.php are dragging heavily upon loading, and that DS.PNG could probably do with being run through www.tinypng.com (or similar) to shrink down.

Running your site through www.gtmetrix.com is really handy to pick up such issues as well.

Testing from GTMetrix default server in Canada:
TTFB (Time to First Byte) - 2.67 seconds
index.php - 9.47 seconds
End result - 18 second load time

HTTPS2 should actually be noticeably faster to load as it compresses everything into the same header request.

Don't post your .htaccess file in public forums though as it should be kept secure. I suspect there are looping redirects/rewrites causing the lag though.
 
Both index.php and job.php are the defaults that come with XenForo. The file name on the server is htcacess.txt; it has the same text as the one in this thread: https://xenforo.com/community/resources/how-to-implement-ssl-to-secure-http-traffic-https.5425/
And I've shrunk down the large PNG files. It seems to be fine now.
 
Hey Hey! Looks like you've nailed it now :).

Site fully responding over https/2

I'm checking your site from Australia and it's responding really nicely! Must have been that large file lagging it hard.

3.46ms full load times. Gotta be happy with that if you aren't hosting locally in Aus.

Regarding HSTS Headers, primarily adding this to your HTACCESS is enough.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 