xfpoint

How to Switch An Existing XenForo Setup to Secured SSL (HTTPS)

A step by step guide to switching an existing XenForo installation from HTTP to HTTPS aka from http://domainname to https://domainname

Also, check out How to Move XenForo to a New Domain or How to Move XenForo To New Host.

Step 1. SSL Certificate

The first step is to get an SSL certificate for the domain or sub-domain. Many hosts provide free SSL for one domain. Get in touch with the host to see if you are eligible for a free SSL certificate and if you aren’t you may need to first purchase the SSL certificate and install it on the server. Here is a guide to installing an SSL certificate.

Once the SSL certificate is installed for the domain, accessing the site HTTPS://DomainName shouldn’t display a security warning.

Step 2. XenForo Configuration for HTTPS

Make changes to the XenForo configuration as follows.

URLs

Change the forum URL at Admin CP > Options > Basic Board Information: Board URL from http://domainname to https://domainname.

If you have set Home Page URL, change it to an HTTPS-based url. Also if you are using custom URLs for privacy policy, terms and rules, and contact it is recommended to update them as well.

Style Paths

Search templates to see if any of the images or JavaScript are hard-coded to an HTTP based url. Search templates for src="http://

For stylesheets search href="http://.

Ideally, XenForo style should have used the image path either relative to the forum or via the @imagePath variable but to make sure there aren’t any static content directly linked via the HTTP-based url.

Note: The above search will also include templates page nodes’ HTML. If you have any node’s HTML that embeds a non-https version of image, JavaScript or CSS, update them via the node interface instead of editing the template.

Misc HTML

XenForo can contain HTML in descriptions. Verify there aren’t images embedded in them via a hard-coded HTTP based url.

It should be enough for the home page and the forum pages to load HTTPS with a green padlock.

It means all the content (Images, JavaScript and CSS as well as the images in the CSS) are being served over an HTTPS.

Step 3. Post Content

Users may have embedded content from the non-HTTPS and so one has to update the existing user content to replace the URLs of the old HTTP-based URLs to new HTTPS-based URLs. We will use the Post Content Find / Replace. A guide on how you can install the plugin is here.

The plugin adds an option under Admin > Tools > Replace In Posts.

Unticked “Save Changes” will only do a dry run. Once things look as expected, tick “Save Changes” to write the changes in the database. This should change all the reference to the http://domainname in each post to the https://domainname. There is no undo to this action, so “Save Changes” only when you are more than 100% sure about it.

Image Proxy

We have changed the post content that embeds or links to our domain to an HTTPS-based URLs. Other domains may not always be on HTTPS and so to avoid mixed content errors for such embeds, XenForo provides an image proxy.

Enable Image proxy in Admin CP > Options > Messages > Image and Link Proxy: Proxy Images.

Provide a hard to guess “Image and Link Proxy Secret Key”. For HTTPS we only need to enable Proxy Images and don’t need to enable “Proxy Links”.

Step 4. Enforcing HTTPS

You don’t want the site to be accessible on HTTP://DomainName as well as HTTPS://DomainName. So you want the HTTP-version of the site to be redirected to HTTPS version of the site. Add the following line of code in the .htaccess file.

If you are using SEO friendly URLs, the above lines can be the at the beginning of the htaccess file.

Once you enforce the URLs, the non-https URLs will redirect to the https version of it and so you may need to update the site URLs for

Finally, remember Google Webmaster Tools treats HTTP and HTTPS based website as different. So add https based website yet again as new web property in GWT.

Exit mobile version