SSL connection is not fully secure on my domain...

Neutral Singh

Well-known member
Just configured SSL certificate on my server and I'm seeing this:

https://www.sslshopper.com/ssl-checker.html#hostname=www.sikhphilosophy.net

...it looks like the SSL certificate valid/working fine on the server side...

However, when I visit the site, https doesn't seem to be "fully secure" -

not secure SSL.webp not secure SSL-SPN.webp

  1. How do i configure the forum script side to get Secure Connection message as it shows in xenforo.com?
  2. What should I edit in the .htaccess to make it fully secure for my users... so that the domain points to https://www.sikhphilosophy.net?
  3. And, would changing to https have an adverse affect on the page rankings?
Please advice.

htaccess - SPN.webp
 
Thanks! How did you find out so quickly...

In one of the images, the path was mentioned like http:// in the template, however in the other url starts like /images/path/to/image.png

The condition still persists...

I think .htaccess also needs some edits... any pointer...
 
Thanks @Brogan!

In my .htaccess file, the following commands are at the top, which forces the browsers to permanently point to www.sikhphilosophy.net instead of sikhphilosophy.net ... do these command still remain on the top and/or do these need any edits?

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]

Thank you

htaccess - SPN.webp
 
Any custom rewrite rules must come before the XF rules.

You can move yours to below the 'RewriteEngine On' further down - there is no need to declare it twice.
 
Ok, made some changes: Does it make sense now? And, is the part in red correct? Please advice.

Code:
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

DirectoryIndex 403.shtml index.php homepage.php index.php
php_flag register_globals off

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    RewriteRule /sitemap/ ^sitemap\.php$ [R=301,L]
    #    RewriteRule ^members/([^\.]+)\.html$ /member_redirect.php?username=$1 [R=301,L]
    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
    RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]

    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteRule ^[^/]+/([0-9]+)-[^\.]+\.html$ /threads/$1/ [R=301,L]
    RewriteRule ^attachments/[^/]+/([0-9]+)d.+$ /attachments/$1/ [R=301,L]
    RewriteRule ^memberlist\.html$ /members/ [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(sponsor-sikh-philosophy-network)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(banner-option)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(stats)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(other-services)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(daily-hukumnama)$
    RewriteRule ^view\.php$ /pages/%2/? [R=301,L]
    RewriteCond %{QUERY_STRING} (^|\?)pg=(gurmukhi-fonts)$
    RewriteRule ^view\.php$ /pages/download-%2/? [R=301,L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ index.php [NC,L]

</IfModule>
 
Thanks! How did you find out so quickly...

In one of the images, the path was mentioned like http:// in the template, however in the other url starts like /images/path/to/image.png

The condition still persists...

I think .htaccess also needs some edits... any pointer...
In Chrome, press F12 to open the developer console, switch to the security tab, and check the warnings.
 
because that tells me, whatever is being loaded, force it to http, not https

Actually, in my last post, where i mentioned the text in red, i was referring to this part only. However i just noticed, the red colored text is not showing in Code... so, ideally, it should be https:// ? right?


RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
For reference, if you want text inside code blocks to show formatting, add the rich parameter.

[*CODE=RICH][*COLOR=#ff0000]Red text.[/COLOR][/CODE]

Rich (BB code):
Red text.
 
My point in all these threads I have seen this month where people ask "why doesn't it go to https", I keep pointing out they are "forcing" to rewrite it to http, not https. I don't get it when people want httpS, that they force it to be http, .. maybe this visual debug approach will help:

let's take it part by part:
Screen Shot 2017-05-15 at 23.22.01.webp

the other part:
Screen Shot 2017-05-15 at 23.22.52.webp

and then both together:
Screen Shot 2017-05-15 at 23.23.25.webp

If it needs to be https, don't force it to http, ..
 
The rewrite rules should clean up the url as it runs into it.
If the host is http, rewrite it to https,
whatever the host is, if it has www. as a prefix, strip it out.
If it's any of the aliass domains, 301 it to it's matching url on https, without www.
And then the xenforo stuff below it.

If the rewrite engine is on, and the condition of https is off, OR the condition of whatever host has www in it, rewrite it to our preference, https://without-www*/* as a perm 301 redirect

And leave your URL out of it, so you can change url in the future, and even add conditionals for alias domainds like singular, plural, alternative .club or .org .. etc

Code:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
These 2 are the condition. (this) OR (that)

The next line is to avoid referencing the hostname directly in the URL, it's %1 later.

The flags in the last line (that composes it together)

NE = (no escape) special characters
R= HTTP 301 redirect status
L= redirect immediately

(Since xenforo has their own rules, NE and L might need to be verified by @Mike or something)

SO, situation in url schemes we're getting:

http://www.example.com
https://www.example.com
http://example.com

They get rewritten to https://example.com

And sorry if my other post sounded a bit mean, didn't mean it as such.

Oh, and if you really want to force the URL scheme (and not use the same htaccess on all your hosted sites)
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]

Screen Shot 2017-05-15 at 23.34.04.webp Screen Shot 2017-05-15 at 23.34.29.webp Screen Shot 2017-05-15 at 23.36.30.webp
 
Last edited:
Wow! Thank you for being so patient while providing a full blown explanation... :-)

So, in short, I should replace these rules:
Code:
RewriteCond %{HTTP_HOST} !^www\.sikhphilosophy\.net
RewriteRule (.*) http://www.sikhphilosophy.net/$1 [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

With these rules for good!
Code:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

Please confirm.

Thank you so much! :)
 
In Chrome, press F12 to open the developer console, switch to the security tab, and check the warnings.

Changed the path of both of the images to https:// but still it is showing up as not secure... what else i should be worried about to make a safe connection happen... Thank you
 
If you however DO want the www. to be included by force;
Code:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]
 
Top Bottom