Internal server error when https

[Steff]

OK I'm hosting the Xenforo site on Centos7 and Nginx with Apache2 and PHP 7. All's good... infact the site is on fire, but I'm having an issue forcing Xenforo to use https.
Other sites I'm hosting on the server (Wordpress) are already using https.
I've altered the board url in admin, and added the line

$_SERVER['HTTPS'] = 'on';

to the library/config.php file but still nothing. Checked PHPinfo and it says https is on but it seems only admin pages are using https.
So I added the following to htaccess and got an internal server error. But eventhough I had an internal server error the site was https.
Here's what I added to htaccess

#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>
<IfModule mod_deflate.c>
  # Compress HTML, CSS, JavaScript, Text, XML and fonts
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Remove browser bugs (only needed for really old browsers)
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>

If I remove the

</IfModule>

after <IfModule mod_rewrite.c> then the site loads fine but only as http.
Any help would be appreciated.

 

[KawaiiHannah]

Did you try adding this

  # Force SSL:
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

[Steff]

Thanks KawaiiHannah. I tried that and it didn't seem to make any difference.
The plot thickens though, because although none of the browsers I've tried say that the website is encrypted with SSL if I go to a website like http://www.webconfs.com/http-header-check.php and run a check on the site it says that it is encrypted and using https.
So I'm more confused than ever.
I forgot to add the domain name in the original post so here it is and I've attached the full htaccess file that causes the internal error.
www.picturepenzance.com

 

[Slavik]

Your site seems to be working fine on https for me?

 

[Steff]

Thanks Slavik. It most be something at my pc end I guess.
thank you both for your help

 

[Paul B]

There's definitely something not quite right - it's not secure for me.

It looks like some content (avatars, images, etc.) are not being loaded over https.
Check the notice code - you are likely using a hard-coded http URL for the avatar.

 

[Steff]

Oh... this is odd. Just opened Firefox on Centos 7 and it shows the site as part secure (images not secured) yet has https status in the url. Explorer and Opera say the site is insecure and have http in the url (using Windows 10 O/S)
Could Nginxs be causing this?

 

[andybond]

You are serving :
picturepenzance.com/LCH-min.jpg
picturepenzance.com/data/avatars/l/0/1.jpg?1451141389

over http.

Can tell in chrome with f12 --> Security. Reload the page. Click the non secure origins --> view request in network

 

[Steff]

Thank you guys... It was indeed two images serving up as http (hard coded in the footer)

 

[TPerry]

Well, I just visited and you are still serving at least one avatar via HTTPS (could it be cache related on the server?)

Mixed Content: The page at 'https://www.picturepenzance.com/' was loaded over HTTPS, but requested an insecure image 'http://www.picturepenzance.com/data/avatars/l/0/1.jpg?1451141389'. This content should also be served over HTTPS.

 

[andybond]

Well, I just visited and you are still serving at least one avatar via HTTPS (could it be cache related on the server?)

Mixed Content: The page at 'https://www.picturepenzance.com/' was loaded over HTTPS, but requested an insecure image 'http://www.picturepenzance.com/data/avatars/l/0/1.jpg?1451141389'. This content should also be served over HTTPS.

Same.

 

[Steff]

Thanks guys. I did find the image after a lot of hunting about. It was set on a notice to display to guests. Because I use the site logged in I couldn't find the application calling for the image... And then a lightbulb moment lol.
Just to add insult to injury I couldn't edit the notice as mod security rule threw a false positive and I've been ages looking for the rule that needs to be changed.
Anyway... Thank you all for the help. Just a few more things to sort out with Xenforo and the new self hosting server and then I'll be upgrading to the new Xenforo shiny, shiny 2