1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XenForo, always use SSL?

Discussion in 'XenForo Questions and Support' started by JordanH, Sep 13, 2012.

  1. JordanH

    JordanH Well-Known Member

    Ok, so I'm trying to get an SSL to work on my forum (www.GamingSection.net) and I want the forum and all of its content to always load in https:// How can this be done well also always having the www. infront of it.

    I looked in the XenForo backend, there is no where to check off saying to use SSL or even if you put https:// as your forum url, if someone loads the site from just http:// it won't switch over.

    So question is, how can I get SSL to work with XenForo? & to always load in SSL
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Do you need SSL? Does your forum deal in sensitive information that needs to be encrypted?

    You can add the red code to your .htaccess file to force ssl:

    #	Mod_security can interfere with uploading of content such as attachments. If you
    #	cannot attach files, remove the "#" from the lines below.
    #<IfModule mod_security.c>
    #	SecFilterEngine Off
    #	SecFilterScanPOST Off
    ErrorDocument 401 default
    ErrorDocument 403 default
    ErrorDocument 404 default
    ErrorDocument 500 default
    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	RewriteCond %{SERVER_PORT} 80
    	RewriteRule ^(.*)$ https://yoursite.com/forum/$1 [R,L]
    	#	If you are having problems with the rewrite rules, remove the "#" from the
    	#	line that begins "RewriteBase" below. You will also have to change the path
    	#	of the rewrite to reflect the path to your XenForo installation.
    	#RewriteBase /xenforo
    	#	This line may be needed to enable WebDAV editing with PHP as a CGI.
    	#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    	RewriteCond %{REQUEST_FILENAME} -f [OR]
    	RewriteCond %{REQUEST_FILENAME} -l [OR]
    	RewriteCond %{REQUEST_FILENAME} -d
    	RewriteRule ^.*$ - [NC,L]
    	RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    	RewriteRule ^.*$ index.php [NC,L]
  3. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

  4. JordanH

    JordanH Well-Known Member

    Allright thanks, but if you enforce the www. for the following code:

    RewriteCond %{HTTP_HOST} !^www\.yoursite\.com$[/S]
    [S]    RewriteRule ^(.*)$ http://www.yoursite.com/forum/$1 [R=301,L]

    Would I need to put https://www.yoursite.com ? or leave it as http://

    Also I have no sub forum its just my domain, no /forum :p

    Ok, thanks I got it all working all nice now. Thanks for the help :D
  5. DRE

    DRE Well-Known Member

    JordanH likes this.
  6. allewreK

    allewreK Active Member

    Hello Jake,

    When I use this .htaccess file on my SSL apache server, I have 404 errors not found pages for any URL when I use SEO friendly URLs.

    Any ideas ?

    (cc @digitalpoint, @Slavik).

    Best regards.
  7. allewreK

    allewreK Active Member

    Nevermind, I forgot to enable .htaccess files for the default-ssl file of apache (AllowOverride all).
  8. MattW

    MattW Well-Known Member

    This is how I did it for my /shop directory when using Apache

    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    EDIT: just seen your reply, I took too long to hit Post Reply
    rafass likes this.
  9. Deepmartini

    Deepmartini Well-Known Member

    What about the www redirect to non www? That's always an issue with google thinking you have 2 sites.
  10. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

  11. Null

    Null Well-Known Member

  12. TheLaw

    TheLaw Well-Known Member

    Old thread but it was the one that I found which forces http to https and also provides www to non-www. I have a site which does this and the above worked but one problem -- if directed to the home page, it redirected to the forum directory e.g. yoursite.com goes to yoursite.com/forum/ with the above code. I'm not sure this is correct but it worked. I'm pretty good but confirming with my guru.... or Jake can pipe in. :D

        # Redirect all non-ssl to ssl.
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://site.com/$1  [R=301,L]
        RewriteCond %{HTTP_HOST} ^www.site.com$
        RewriteRule ^(.*) http://site.com/$1  [QSA,L,R=301]
    Last edited: Jan 21, 2015
  13. Glockie

    Glockie Well-Known Member

    Okay safe to ignore,. I had a malformed conditional tag :p
    Thanks anyway.
    This thread is very useful. (y)
    Last edited: Sep 3, 2015
  14. stacy.c

    stacy.c Member

    @Jake Bunce - Thanks for directing me to this thread. Just so I understand how to implement SSL on the entire domain. Is this all?

    - Have my web host install an SSL cert
    - Options > Basic Board Info: set Board URL as https://domain.com
    - Modify .htaccess to force SSL (as noted in the red code above)

    Do I also need to add the following to /library/config.php?
    $_SERVER['HTTPS'] = 'on';
    Someone mentioned also changing all internal links to read “https” in place of “http” — is that required as well? Not sure how to do that.

    Thank you, I am just catching up on the whole HTTPS thing. :eek:

    P.S. I also understand that I will need to enable "Proxy Images" in XF to allow images in posts to work under HTTPS. Is that right? what about other images on the site? Pardon my ignorance but I have a pretty active site and I want to make sure I am doing things right the first time.
    Last edited: Aug 15, 2016
  15. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member


    You got it all, except the $_SERVER var isn't necessary (should be set automatically) assuming your server is correctly configured.

    Proxy, yes. "Other" images no action required. Internal links not necessary to update as they will be redirected.
    stacy.c likes this.
  16. stacy.c

    stacy.c Member

  17. stacy.c

    stacy.c Member

    One other question if I may.

    I have heard that it is best to just enable SSL across the entire domain rather than isolating it to the payment page (which is where I really need it). However, speaking with my web host this morning he said the additional overhead from encrypting/decrypting every page request would put an unnecessary load on my server, and perhaps on the user experience as well. This makes sense to me on the face of it, but I am really just trying to understand if that is the case or not. My XF site gets about 400k monthly page views, and that will increase quite a bit in the coming weeks as college football season gets underway, so I want to handle this optimally for performance.

    Is there a meaningful performance hit with HTTPS enabled on all pages? Is there a resource I should look at to understand this better?

    Thank you.
  18. Brogan

    Brogan XenForo Moderator Staff Member

  19. stacy.c

    stacy.c Member

    If I only want to force HTTPS on the account-related pages (/account/password, /account/privacy, etc) would this do it?

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://yoursite.com/account/$1 [R,L]
  20. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Upon visiting one of those pages, all subsequent internal links would be https. You might as well just enforce it for all URLs.

Share This Page