XenForo, always use SSL?

JordanH

Well-known member
Ok, so I'm trying to get an SSL to work on my forum (www.GamingSection.net) and I want the forum and all of its content to always load in https:// How can this be done well also always having the www. infront of it.

I looked in the XenForo backend, there is no where to check off saying to use SSL or even if you put https:// as your forum url, if someone loads the site from just http:// it won't switch over.

So question is, how can I get SSL to work with XenForo? & to always load in SSL
 
Do you need SSL? Does your forum deal in sensitive information that needs to be encrypted?

You can add the red code to your .htaccess file to force ssl:

Rich (BB code):
#	Mod_security can interfere with uploading of content such as attachments. If you
#	cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#	SecFilterEngine Off
#	SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
	RewriteEngine On

	RewriteCond %{SERVER_PORT} 80
	RewriteRule ^(.*)$ https://yoursite.com/forum/$1 [R,L]

	#	If you are having problems with the rewrite rules, remove the "#" from the
	#	line that begins "RewriteBase" below. You will also have to change the path
	#	of the rewrite to reflect the path to your XenForo installation.
	#RewriteBase /xenforo

	#	This line may be needed to enable WebDAV editing with PHP as a CGI.
	#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>
 
Allright thanks, but if you enforce the www. for the following code:

Code:
RewriteCond %{HTTP_HOST} !^www\.yoursite\.com$[/S]
[S]    RewriteRule ^(.*)$ http://www.yoursite.com/forum/$1 [R=301,L]

Would I need to put https://www.yoursite.com ? or leave it as http://

Also I have no sub forum its just my domain, no /forum :p


Ok, thanks I got it all working all nice now. Thanks for the help :D
 
Do you need SSL? Does your forum deal in sensitive information that needs to be encrypted?

You can add the red code to your .htaccess file to force ssl:

Rich (BB code):
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://yoursite.com/forum/$1 [R,L]

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>

Hello Jake,

When I use this .htaccess file on my SSL apache server, I have 404 errors not found pages for any URL when I use SEO friendly URLs.

Any ideas ?

(cc @digitalpoint, @Slavik).

Best regards.
 
This is how I did it for my /shop directory when using Apache

Code:
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

EDIT: just seen your reply, I took too long to hit Post Reply
 
Old thread but it was the one that I found which forces http to https and also provides www to non-www. I have a site which does this and the above worked but one problem -- if directed to the home page, it redirected to the forum directory e.g. yoursite.com goes to yoursite.com/forum/ with the above code. I'm not sure this is correct but it worked. I'm pretty good but confirming with my guru.... or Jake can pipe in. :D

Code:
    # Redirect all non-ssl to ssl.
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://site.com/$1  [R=301,L]

    RewriteCond %{HTTP_HOST} ^www.site.com$
    RewriteRule ^(.*) http://site.com/$1  [QSA,L,R=301]
 
Last edited:
@Jake Bunce - Thanks for directing me to this thread. Just so I understand how to implement SSL on the entire domain. Is this all?

- Have my web host install an SSL cert
- Options > Basic Board Info: set Board URL as https://domain.com
- Modify .htaccess to force SSL (as noted in the red code above)

Do I also need to add the following to /library/config.php?
Code:
$_SERVER['HTTPS'] = 'on';

Someone mentioned also changing all internal links to read “https” in place of “http” — is that required as well? Not sure how to do that.

Thank you, I am just catching up on the whole HTTPS thing. :eek:

P.S. I also understand that I will need to enable "Proxy Images" in XF to allow images in posts to work under HTTPS. Is that right? what about other images on the site? Pardon my ignorance but I have a pretty active site and I want to make sure I am doing things right the first time.
 
Last edited:
@stacy.c

You got it all, except the $_SERVER var isn't necessary (should be set automatically) assuming your server is correctly configured.

Proxy, yes. "Other" images no action required. Internal links not necessary to update as they will be redirected.
 
One other question if I may.

I have heard that it is best to just enable SSL across the entire domain rather than isolating it to the payment page (which is where I really need it). However, speaking with my web host this morning he said the additional overhead from encrypting/decrypting every page request would put an unnecessary load on my server, and perhaps on the user experience as well. This makes sense to me on the face of it, but I am really just trying to understand if that is the case or not. My XF site gets about 400k monthly page views, and that will increase quite a bit in the coming weeks as college football season gets underway, so I want to handle this optimally for performance.

Is there a meaningful performance hit with HTTPS enabled on all pages? Is there a resource I should look at to understand this better?

Thank you.
 
Top Bottom