• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

SSL connection is not fully secure on my domain...

Neutral Singh

Well-known member
#1
Just configured SSL certificate on my server and I'm seeing this:

https://www.sslshopper.com/ssl-checker.html#hostname=www.sikhphilosophy.net

...it looks like the SSL certificate valid/working fine on the server side...

However, when I visit the site, https doesn't seem to be "fully secure" -

not secure SSL.jpg not secure SSL-SPN.jpg

  1. How do i configure the forum script side to get Secure Connection message as it shows in xenforo.com?
  2. What should I edit in the .htaccess to make it fully secure for my users... so that the domain points to https://www.sikhphilosophy.net?
  3. And, would changing to https have an adverse affect on the page rankings?
Please advice.

htaccess - SPN.jpg
 

Neutral Singh

Well-known member
#3
Thanks! How did you find out so quickly...

In one of the images, the path was mentioned like http:// in the template, however in the other url starts like /images/path/to/image.png

The condition still persists...

I think .htaccess also needs some edits... any pointer...
 

Neutral Singh

Well-known member
#5
Thanks @Brogan!

In my .htaccess file, the following commands are at the top, which forces the browsers to permanently point to www.sikhphilosophy.net instead of sikhphilosophy.net ... do these command still remain on the top and/or do these need any edits?

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]

Thank you

htaccess - SPN.jpg
 

Brogan

XenForo moderator
Staff member
#6
Any custom rewrite rules must come before the XF rules.

You can move yours to below the 'RewriteEngine On' further down - there is no need to declare it twice.
 

Neutral Singh

Well-known member
#7
Ok, made some changes: Does it make sense now? And, is the part in red correct? Please advice.

Code:
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

DirectoryIndex 403.shtml index.php homepage.php index.php
php_flag register_globals off

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    RewriteRule /sitemap/ ^sitemap\.php$ [R=301,L]
    #    RewriteRule ^members/([^\.]+)\.html$ /member_redirect.php?username=$1 [R=301,L]
    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
    RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]

    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteRule ^[^/]+/([0-9]+)-[^\.]+\.html$ /threads/$1/ [R=301,L]
    RewriteRule ^attachments/[^/]+/([0-9]+)d.+$ /attachments/$1/ [R=301,L]
    RewriteRule ^memberlist\.html$ /members/ [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(sponsor-sikh-philosophy-network)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(banner-option)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(stats)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(other-services)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(daily-hukumnama)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(gurmukhi-fonts)$
    RewriteRule ^view\.php$ /pages/download-%2/? [R=301,L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ index.php [NC,L]

</IfModule>
 

fly

Active member
#9
Thanks! How did you find out so quickly...

In one of the images, the path was mentioned like http:// in the template, however in the other url starts like /images/path/to/image.png

The condition still persists...

I think .htaccess also needs some edits... any pointer...
In Chrome, press F12 to open the developer console, switch to the security tab, and check the warnings.
 

Neutral Singh

Well-known member
#11
because that tells me, whatever is being loaded, force it to http, not https
Actually, in my last post, where i mentioned the text in red, i was referring to this part only. However i just noticed, the red colored text is not showing in Code... so, ideally, it should be https:// ? right?


RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 

xenfans

Well-known member
#13
My point in all these threads I have seen this month where people ask "why doesn't it go to https", I keep pointing out they are "forcing" to rewrite it to http, not https. I don't get it when people want httpS, that they force it to be http, .. maybe this visual debug approach will help:

let's take it part by part:
Screen Shot 2017-05-15 at 23.22.01.png

the other part:
Screen Shot 2017-05-15 at 23.22.52.png

and then both together:
Screen Shot 2017-05-15 at 23.23.25.png

If it needs to be https, don't force it to http, ..
 

xenfans

Well-known member
#14
The rewrite rules should clean up the url as it runs into it.
If the host is http, rewrite it to https,
whatever the host is, if it has www. as a prefix, strip it out.
If it's any of the aliass domains, 301 it to it's matching url on https, without www.
And then the xenforo stuff below it.

If the rewrite engine is on, and the condition of https is off, OR the condition of whatever host has www in it, rewrite it to our preference, https://without-www*/* as a perm 301 redirect

And leave your URL out of it, so you can change url in the future, and even add conditionals for alias domainds like singular, plural, alternative .club or .org .. etc

Code:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
These 2 are the condition. (this) OR (that)

The next line is to avoid referencing the hostname directly in the URL, it's %1 later.

The flags in the last line (that composes it together)

NE = (no escape) special characters
R= HTTP 301 redirect status
L= redirect immediately

(Since xenforo has their own rules, NE and L might need to be verified by @Mike or something)

SO, situation in url schemes we're getting:

http://www.example.com
https://www.example.com
http://example.com

They get rewritten to https://example.com

And sorry if my other post sounded a bit mean, didn't mean it as such.

Oh, and if you really want to force the URL scheme (and not use the same htaccess on all your hosted sites)
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]

Screen Shot 2017-05-15 at 23.34.04.png Screen Shot 2017-05-15 at 23.34.29.png Screen Shot 2017-05-15 at 23.36.30.png
 
Last edited:

Neutral Singh

Well-known member
#15
Wow! Thank you for being so patient while providing a full blown explanation... :)

So, in short, I should replace these rules:
Code:
RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
With these rules for good!
Code:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
Please confirm.

Thank you so much! :)
 

Neutral Singh

Well-known member
#16
In Chrome, press F12 to open the developer console, switch to the security tab, and check the warnings.
Changed the path of both of the images to https:// but still it is showing up as not secure... what else i should be worried about to make a safe connection happen... Thank you
 

xenfans

Well-known member
#19
If you however DO want the www. to be included by force;
Code:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]