A step-by-step guide to switching an existing XenForo installation from HTTP to HTTPS, i.e. from http://domainname to https://domainname.
Also, check out How to Move XenForo to a New Domain or How to Move XenForo To New Host.
Step 1. SSL Certificate
The first step is to get an SSL certificate for the domain or sub-domain. Many hosts provide free SSL for one domain. Get in touch with the host to see if you are eligible for a free SSL certificate; if you aren't, you may need to first purchase the SSL certificate and install it on the server. Here is a guide to installing an SSL certificate.
Once the SSL certificate is installed for the domain, accessing the site at HTTPS://DomainName shouldn't display a security warning.
Step 2. XenForo Configuration for HTTPS
Make changes to the XenForo configuration as follows.
URLs
Change the forum URL at Admin CP > Options > Basic Board Information: Board URL from http://domainname to https://domainname.
If you have set a Home Page URL, change it to an HTTPS-based URL. Also, if you are using custom URLs for the privacy policy, terms and rules, and contact pages, it is recommended to update them as well.
Style Paths
Search the templates to see whether any images or JavaScript are hard-coded to an HTTP-based URL. Search templates for src="http://
For stylesheets, search for href="http://
Ideally, a XenForo style should reference images either relative to the forum or via the @imagePath variable, but run the search anyway to make sure no static content is linked directly via an HTTP-based URL.
Note: The above search will also match the HTML of page nodes. If any node's HTML embeds a non-HTTPS version of an image, JavaScript or CSS, update it via the node interface instead of editing the template.
Misc HTML
XenForo can contain HTML in descriptions. Verify there aren't images embedded in them via a hard-coded HTTP-based URL.
- Forum Description – A forum description can contain HTML, and it often contains forum sponsor banners or images. Check that they don't use HTTP-based URLs.
- Notices – Check the HTML of all notices for buttons with hard-coded HTTP URLs.
- Help Pages – Help pages can have HTML. Make sure images, CSS and JavaScript in Help Pages are changed from HTTP to HTTPS.
- User Upgrades – User upgrades can contain HTML and often contain banners for better conversion. Make sure those image URLs are all switched over to HTTPS.
- Widgets – Widget Framework is a plugin that is a must for every XenForo installation. Check HTML widgets for any HTTP-based URLs for images, JavaScript or CSS.
This should be enough for the home page and the forum pages to load over HTTPS with a green padlock.
The padlock means all the content (images, JavaScript and CSS, as well as the images in the CSS) is being served over HTTPS.
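The template and "Misc HTML" checks above can be scripted against exported HTML. The following is an added example, not part of the original guide or of XenForo: it reports only subresources (images, scripts, stylesheets, CSS `url()` values) loaded over plain HTTP and ignores ordinary `<a href="http://...">` links, which the text search for href="http:// also matches but which do not cause mixed-content warnings. The sample HTML and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Elements whose src is fetched as a subresource while the page renders.
SRC_TAGS = {"img", "script", "iframe", "source", "embed", "audio", "video"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collect (line, tag, url) for subresources loaded over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _add(self, tag, url):
        self.findings.append((self.getpos()[0], tag, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        if tag in SRC_TAGS and a.get("src", "").lower().startswith("http://"):
            self._add(tag, a["src"])
        # <link> matters only for stylesheets; <a href> is navigation, not mixed content.
        if (tag == "link" and "stylesheet" in a.get("rel", "").lower()
                and a.get("href", "").lower().startswith("http://")):
            self._add(tag, a["href"])
        for url in CSS_URL.findall(a.get("style", "")):
            self._add(tag + "[style]", url)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        for url in CSS_URL.findall(data if self._in_style else ""):
            self._add("style", url)

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a notice with a sponsor banner, as in the "Misc HTML" list.
SAMPLE = """<div class="notice" style="background: url('http://cdn.example.com/bg.png')">
<a href="http://sponsor.example.com/">Sponsor</a>
<img src="http://domainname/styles/banner.png">
<link rel="stylesheet" href="http://domainname/css/extra.css">
<style>.logo { background: url(http://domainname/logo.png) }</style>
<script src="https://domainname/js/ok.js"></script></div>"""
print(*find_mixed_content(SAMPLE), sep="\n")
```

Each finding is a (line, tag, url) tuple, so the output points at the exact line of the template, notice or widget HTML that still needs changing.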
Step 3. Post Content
Users may have embedded content via the non-HTTPS URLs, so the existing user content has to be updated to replace the old HTTP-based URLs with the new HTTPS-based URLs. We will use the Post Content Find / Replace plugin. A guide on how you can install the plugin is here.
The plugin adds an option under Admin > Tools > Replace In Posts.
- In quickfind use: http://domainname
- In Regular expression use: #http\:\/\/domainname\.com#siU
- In Replacement String use: https://domainname.com
With “Save Changes” unticked, the plugin will only do a dry run. Once things look as expected, tick “Save Changes” to write the changes to the database. This should change all references to http://domainname in each post to https://domainname. There is no undo for this action, so tick “Save Changes” only when you are more than 100% sure about it.
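Because the replacement cannot be undone, it helps to preview it against exported post text first. The following is an added example, a Python re-implementation of the find/replace and not the plugin's own code; it also adds a lookahead (an assumption, not in the page's pattern) so that a longer host name that merely starts with the forum's domain is left untouched. The post bodies are constructed.

```python
import re

OLD = "http://domainname.com"   # placeholder host used on this page
NEW = "https://domainname.com"

# Same literal as the page's pattern, case-insensitive like its "i" flag.
UNBOUNDED = re.compile(re.escape(OLD), re.I)
# Added lookahead: the host name must end here, so longer host names that
# merely start with the forum's domain are left alone.
BOUNDED = re.compile(re.escape(OLD) + r"(?![\w-]|\.\w)", re.I)


def preview_replace(posts, pattern=BOUNDED):
    """Dry run: return {post_id: (before, after)} for posts that would change."""
    changes = {}
    for post_id, text in posts.items():
        after = pattern.sub(NEW, text)
        if after != text:
            changes[post_id] = (text, after)
    return changes


def overmatched(posts):
    """IDs the unbounded pattern would rewrite but the bounded one would not."""
    return sorted(set(preview_replace(posts, UNBOUNDED)) - set(preview_replace(posts)))


# Constructed post bodies (BBCode), not taken from a real forum.
POSTS = {
    1: "[img]http://domainname.com/data/a.png[/img]",
    2: "[url=HTTP://DomainName.com]home[/url]",
    3: "mirror: http://domainname.com.mirror.example.net/a.png",
    4: "[img]http://other.example.org/b.png[/img]",
    5: "Visit http://domainname.com.",
}

if __name__ == "__main__":
    for post_id, (before, after) in preview_replace(POSTS).items():
        print(post_id, before, "->", after)
    print("unbounded pattern would also touch:", overmatched(POSTS))
```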
Image Proxy
We have changed the post content that embeds or links to our domain to HTTPS-based URLs. Other domains may not always be on HTTPS, so to avoid mixed content errors for such embeds, XenForo provides an image proxy.
Enable Image proxy in Admin CP > Options > Messages > Image and Link Proxy: Proxy Images.
Provide a hard-to-guess “Image and Link Proxy Secret Key”. For HTTPS we only need to enable Proxy Images and don’t need to enable “Proxy Links”.
Step 4. Enforcing HTTPS
You don’t want the site to be accessible on HTTP://DomainName as well as HTTPS://DomainName, so the HTTP version of the site should redirect to the HTTPS version. Add the following lines of code to the .htaccess file.
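<IfModule mod_rewrite.c>
RewriteEngine On
# Match only requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# [R] without a status code sends a 302 (temporary) redirect; [R=301,L] makes it permanent
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>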
If you are using SEO-friendly URLs, the above lines can go at the beginning of the .htaccess file.
Once you enforce HTTPS, the non-HTTPS URLs will redirect to their HTTPS versions, so you may need to update the site URLs for:
- PayPal IPN – If you have a paid membership setup, a PayPal IPN notification is used for members' PayPal subscription payments. The HTTP-based URL in PayPal IPN should be changed to the HTTPS-based URL, or else the paid membership functionality may break and user upgrades may not function as expected.
- Social Media Integration – The Facebook, Twitter and Google+ apps each need their website URL changed from the HTTP-based to the HTTPS-based URL.
Finally, remember that Google Webmaster Tools treats the HTTP and HTTPS versions of a website as different sites, so add the HTTPS-based website again as a new web property in GWT.