Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Having problems with an SSL only install

Greetings -

I'm trying to install Vanilla 2.0 on an SSL only site. If I have the HTTP site simply redirect to the HTTPS site then functions like login fail to function and give an empty popup box. You also cannot use most of the admin area, as it tries to direct to the HTTP version of the site and then times out in a redirect loop. I have the SSLControllers plugin installed, and that seems to help. I'm thinking there is some config option that I haven't thrown yet. If I enable serving of Vanilla over HTTP and HTTPS, it bounces back between secure and insecure all the time. Any suggestions/pointers?




  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    do you have this in your config.php?

    $Configuration['Garden']['AllowSSL'] = TRUE;

  • Options

    No, I had $Configuration['Garden']['SSL'] = TRUE; but not AllowSSL. I added that, but it doesn't seem to help. Simply going to the main page of the forum over SSL redirects to a non-SSL page :(

  • Options
    AdrianAdrian Wandering Spirit Montreal MVP
    edited January 2014

    Try to make a change to your .Htaccess

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  • Options

    I had a rewrite rule like that, mine was giving a 302 instead of a 301 but I doubt that would fix it. Apache would redirect to the https site as expected, and then vanilla would redirect back to the http site. This would cause a redirect loop, and chrome would give me the "redirect loop" error page after a few seconds. To get around this, I temporarily have the site available over http and https. Any other ideas?

  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    I used some of this for a different purpose , to force to serve https maybe some will help you

    You may be able to use rewrite rules to make the urls that are not https to be so
    To use Apache mod_rewrite to control whether a page is served via http or https. Here's an example  from a site's root directory .htaccess file:
    # Redirect most reqests for http to https
    RewriteRule ^*)$1 [R=301,NC]
    # Allow some URIs to be https if requested
    RewriteCond   %{SERVER_PORT}  ^443$
    RewriteCond   %{REQUEST_URI}  !^/images/(.*)$
    RewriteCond   %{REQUEST_URI}  !^/scripts/(.*)$
    RewriteCond   %{REQUEST_URI}  !^/styles/(.*)$
    RewriteCond   %{REQUEST_URI}  !^/store(.*)$
    RewriteCond   %{REQUEST_URI}  !^/login.htm$
    RewriteRule ^(.*)$1 [L,R]
    # Force some URIs to be https only
    RewriteCond   %{SERVER_PORT}  ^80$
    RewriteRule ^store(.*)$1 [L,R]
    RewriteCond   %{SERVER_PORT}  ^80$
    RewriteRule ^FormSanityKey.htm$1 [L,R]\\
  • Options

    Irony of all ironies: disabling the SSLController plugin solved the problem. The site now works correctly over SSL. How strange. ::shrug::

  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    It is good procedure to disable any plugins associated with the issue first, in order to determine it was at fault or if it is something else :)

Sign In or Register to comment.