
SSL support for self hosted forum

I have a self hosted Vanilla forum. My hosting has builtin support for letsencrypt free SSL certificates. I have enabled this letsencrypt support in the hosting and added the following changes:

  • in config.php file

    $Configuration['Garden']['AllowSSL'] = TRUE;
    $Configuration['Garden']['ForceSSL'] = TRUE;

  • in .htaccess file

    <IfModule mod_rewrite.c>
       RewriteEngine On
       # Certain hosts may require the following line.
       # If vanilla is in a subfolder then you need to specify it after the /.
       # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
       RewriteBase /
       RewriteCond %{HTTPS} !=on
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>

All my forum links redirect to https now but the site doesn't show as secure/ssl verified. Any help would be appreciated.

(Note: I have other wordpress sites hosted on the same hosting with letsencrypt enabled and they work just fine with above 2 settings.)

Comments

  • Linc Director of Development Detroit Vanilla Staff

    I am unclear why you made changes to your .htaccess file. That should not be necessary. I would roll back those changes as a first step.

  • vrijvlinder Papillon-Sauvage MVP

    @Linc said:
    I am unclear why you made changes to your .htaccess file. That should not be necessary. I would roll back those changes as a first step.

    I believe he did this:

    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    

    This is common advice found on the net, like on Stack Overflow, but this is not necessary to do because Vanilla already is SSL friendly. You need to check your configuration because SSL works automatically without any need to alter htaccess for Vanilla. Unless your host has something to do with it. Then I would ask the host to fix it.

  • edited March 2017

    @Linc said:
    I am unclear why you made changes to your .htaccess file. That should not be necessary. I would roll back those changes as a first step.

    I have rolled back the changes from .htaccess file. For the record, I have attached the txt file.

    @vrijvlinder said:

    This is common advice found on the net, like on Stack Overflow, but this is not necessary to do because Vanilla already is SSL friendly. You need to check your configuration because SSL works automatically without any need to alter htaccess for Vanilla. Unless your host has something to do with it. Then I would ask the host to fix it.

    So all I have got now is this change in the config.php file

    $Configuration['Garden']['AllowSSL'] = TRUE;
    $Configuration['Garden']['ForceSSL'] = TRUE;

    These changes have not made any difference.

    Just to note, enabling Letsencrypt certificates and redirecting http to https in .htaccess is all it takes for my wordpress site on this hosting; it didn't need any other setting. Attached pics of both the sites for reference.

  • vrijvlinder Papillon-Sauvage MVP

    Do you have a link to the site ?

  • vrijvlinder Papillon-Sauvage MVP

    Remove all the content inside your htaccess file for Vanilla and try adding this into it instead.

    # Modified
    # If you modify this file then change the above line to: # Modified
    <IfModule mod_rewrite.c>
       RewriteEngine On
       # Certain hosts may require the following line.
       # If vanilla is in a subfolder then you need to specify it after the /. 
       # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
       RewriteBase /
       RewriteCond %{HTTPS} !=on
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    </IfModule>
    
  • Thanks for your help @Linc and @vrijvlinder. My issue is resolved to some extent. I had enabled the letsencrypt https on my domain before installing the forum. I have disabled letsencrypt and enabled or reinstalled it again in my hosting and that now brings up the https://domain.com as a secure site.

    However, domain.com doesn't redirect or auto fetch the secure site. It only shows http and if I manually type https it shows the secure site.

    I have tried enabling the https redirection in .htaccess with no success. Any pointers?

  • edited March 2017

    My site is at electronicsforum.in

    With just this in the .htaccess file I get a 500 internal server error.
    `# Modified

    If you modify this file then change the above line to: # Modified


    RewriteEngine On
    # Certain hosts may require the following line.
    # If vanilla is in a subfolder then you need to specify it after the /.
    # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    `

  • edited March 2017

    OK, sorry, my bad. There was a syntax error in my .htaccess file. With just

    # Modified
    # If you modify this file then change the above line to: # Modified
    <IfModule mod_rewrite.c>
       RewriteEngine On
       # Certain hosts may require the following line.
       # If vanilla is in a subfolder then you need to specify it after the /.
       # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
       RewriteBase /
       RewriteCond %{HTTPS} !=on
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    </IfModule>

    it makes no difference. I'm still at: type electronicsforum.in, get the http site; type https://electronicsforum.in, get the secure site. No auto redirection happening.

  • vrijvlinder Papillon-Sauvage MVP
    edited March 2017

    I think the place where you need to do the redirects is at server level. You should have access to an htaccess editor where you can add rules to serve only encrypted files.

    SSL is working in Vanilla and on your site if the request is sent using https://
    However, it also serves the non encrypted version if you don't write it yourself. This is something you need to get your host to help you fix I believe. To not serve the non encrypted content.

    Please use this code inside your htaccess file and nothing else. Delete the contents and copy this below into it. Regardless of ssl or not, if you don't use this, you will have 404 errors all over and you won't be able to log in either.

    # Modified
      # If you modify this file then change the above line to: # Modified
    <IfModule mod_rewrite.c>
       RewriteEngine On
       # Certain hosts may require the following line.
       # If vanilla is in a subfolder then you need to specify it after the /. 
       # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
       RewriteBase /
        RewriteCond %{REQUEST_FILENAME} !-d
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    </IfModule>
    
  • x00 MVP
    edited March 2017

    @desai_amogh said:
    All my forum links redirect to https now but the site doesn't show as secure/ssl verified. Any help would be appreciated.

    Well, that is a completely different issue. Do you have a signed certificate from a certificate authority for that domain?

    It is not under the control of Vanilla.

    grep is your friend.

  • edited March 2017

    @vrijvlinder said:
    I think the place where you need to do the redirects is at server level. You should have access to an htaccess editor where you can add rules to serve only encrypted files.

    SSL is working in Vanilla and on your site if the request is sent using https://
    However, it also serves the non encrypted version if you don't write it yourself. This is something you need to get your host to help you fix I believe. To not serve the non encrypted content.

    Please use this code inside your htaccess file and nothing else. Delete the contents and copy this below into it. Regardless of ssl or not, if you don't use this, you will have 404 errors all over and you won't be able to log in either.

    # Modified
      # If you modify this file then change the above line to: # Modified
    <IfModule mod_rewrite.c>
       RewriteEngine On
       # Certain hosts may require the following line.
       # If vanilla is in a subfolder then you need to specify it after the /. 
       # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
       RewriteBase /
        RewriteCond %{REQUEST_FILENAME} !-d
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    </IfModule>
    

    @vrijvlinder after some more reading I am now able to get the naked domain or http url auto redirected to HTTPS. I added this right after the RewriteEngine On in your above example:

    # Modified
    # If you modify this file then change the above line to: # Modified

    RewriteEngine On
    # Certain hosts may require the following line.
    # If vanilla is in a subfolder then you need to specify it after the /.
    # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)

    # edit to original @vrijvlinder .htaccess
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # edit end

    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]

    So now my redirection works and http goes to https on site electronicsforum.in

    Question is, as you said earlier, changing anything from your .htaccess might result in 404. Could you advise if I need to worry? Also, with my above edit, could you suggest a fine .htaccess config for me which I can keep? (This is an SMF to Vanilla migrated forum and I also need to worry about 301 SEO stuff.)

    I have checked some 10-15 links on my forum and all seem to redirect fine and only posts with embedded http images show as nonsecure. Is there a fix for that?

  • vrijvlinder Papillon-Sauvage MVP

    I have checked some 10-15 links on my forum and all seem to redirect fine and only posts with embedded http images show as nonsecure. Is there a fix for that?

    Yeah, that will be an issue because those images are not being served with encryption. Maybe make sure all the content is internal. But this will only affect browsers that block non secure content, like Facebook.
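
One way to find the posts behind the mixed-content warning discussed above, as an added example that is not part of the original thread: it scans post HTML for subresources still loaded over plain http://. The post ids, host names and sample HTML are constructed, and how post bodies are exported from the forum is left as an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> URL-bearing attributes. Browsers treat passive (media) and
# active (script, frame, plugin) mixed content differently.
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",)}
ACTIVE = {"script": ("src",), "iframe": ("src",), "embed": ("src",), "object": ("data",)}

def is_plain_http(url):
    """True for absolute http:// URLs; relative, https and // URLs are fine."""
    try:
        return urlsplit(url.strip()).scheme == "http"
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for kind, table in (("passive", PASSIVE), ("active", ACTIVE)):
            for name, value in attrs:
                if name in table.get(tag, ()) and value and is_plain_http(value):
                    self.findings.append((kind, tag, value.strip()))

def scan_posts(posts):
    """Map post id -> list of (kind, tag, url) for insecure subresources."""
    report = {}
    for post_id, body in posts.items():
        finder = MixedContentFinder()
        finder.feed(body)
        finder.close()
        if finder.findings:
            report[post_id] = finder.findings
    return report

# Constructed sample posts (not taken from the forum in this thread).
SAMPLE_POSTS = {
    101: '<p>Schematic: <img src="http://images.example/amp.png"></p>',
    102: '<p><img src="https://images.example/ok.png"> <a href="http://example.org/">link</a></p>',
    103: '<p><IMG SRC="HTTP://images.example/pcb.jpg" /><img src="/uploads/local.png"></p>',
    104: '<iframe src="http://video.example/embed/1"></iframe>',
}

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        for kind, tag, url in hits:
            print(f"post {post_id}: {kind} <{tag}> {url}")
```

Plain `<a href="http://...">` links are not reported because following a link is navigation, not a subresource load on the secure page.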

  • Kelx New
    edited April 22

    Use in .htaccess

    <IfModule mod_rewrite.c>
     RewriteEngine On
     # Certain hosts may require the following line.
     # If vanilla is in a subfolder then you need to specify it after the /.
     # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
     RewriteBase /forum

     # Redirect plain HTTP to HTTPS first, so the originally requested path is kept.
     RewriteCond %{HTTPS} off
     RewriteCond %{HTTP_HOST} !^name.com/forum$ [NC]
     RewriteRule ^(.*)$ https://name.com/forum/$1 [L,R=301]

     # Then route everything that is not an existing file or directory to Vanilla.
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    </IfModule>
