How to enable full ssl
by
17 Feb 2018
Rating: (3 votes
- 5.00 average)
I'll be discussing how to enable full ssl and how to block unsecure content here.
The first big thing to do comes from a https://www.vbulletin.com/forum/articles/4361080-converting-your-forum-to-https and is revised a bit.
Quote by https://www.vbulletin.com/forum/articles/4361080-converting-your-forum-to-https
vBulletin 3
Go to vBulletin Options > vBulletin Options > Site Name / URL / Contact Details.
Edit 'Forum URL' and add the 's' into the URL.
For example, if your URL is http://www.contoso.com/forum, change it to https://www.contoso.com/forum
Then go to Settings > vBulletin Options > vBulletin Options > Server Settings & Optimization Options > Use Remote YUI
Set this to None.
vBulletin 4
Go to Settings > Options > Site Name / URL / Contact Details.
Edit 'Forum URL' and add the 's' into the URL.
For example, if your URL is http://www.contoso.com/forum, change it to https://www.contoso.com/forum
Then go to Settings > Options > Server Settings & Optimization Options > Use Remote YUI
Set this to None.
vBulletin 5
Go to vBulletin Options > vBulletin Options > Site Name / URL / Contact Details.
Edit these three settings: 'vBulletin URL'; 'Login URL'; 'Core URL' and add the 's' into the URL.
For example, if your URL is http://www.contoso.com/forum, change it to https://www.contoso.com/forum
NOTE: Do not remove the word 'core' at the end of the core URL. You will break your site!
All Versions
Then go to Settings > Options > Server Settings & Optimization Options > Use Remote jQuery
Set this to None.
The key to all three vBulletin versions is that all you do in the URL settings is change http to https. Do not alter any other part of the URL.
Once you have changed these settings, go to AdminCP > Maintenance > General Update Tools, and rebuild the styles. (In vB3 this is AdminCP > Maintenance > Update Counters). Leave the default settings and just run this update tool.
After you get this done, you want to set a rewrite rule in htaccess.
This is what I use to rewrite http to https.
Code:
RewriteEngine on
#Options +FollowSymLinks
################https##############
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
################https##############
Next go to cloudflare and enable these settings (under Crypto)
* SSL - Full
* Edge Certificates - make one "The certificates in the pack listed below are managed and auto-renewed by Cloudflare."
*HSTS
Code:
HTTP Strict Transport Security (HSTS)
Enforce web security policy for your website.
Status: On
Max-Age: 12 months
Include subdomains: On
Preload: On
No-sniff: On
* Require Modern TLS - On
* Opportunistic Encryption - On
* TLS 1.3 - Enabled+0RTT
* Automatic HTTPS Rewrites - On
Why Should I use Automatic HTTPS Rewrites?
If your site contains links or references to HTTP URLs that are also available securely via HTTPS, Automatic HTTPS Rewrites can help. If you connect to your site over HTTPS and the lock icon is not present, or has a yellow warning triangle on it, your site may contain references to HTTP assets (mixed content).
Mixed content is often due to factors not under the website owners control such as embedded third-party content or complex content management systems. By rewriting URLs from http to https, Automatic HTTPS Rewrites simplifies the task of making your entire website available over HTTPS, helping to eliminate mixed content errors and ensuring that all data loaded by your website is protected from eavesdropping and tampering.
Does Automatic HTTPS Rewrites fix all mixed content errors?
No. Only URLs that are known to support HTTPS will be rewritten. We use data from EFFs HTTPS Everywhere and Chromes HSTS preload list, among others, to identify which domains support HTTPS. If your zone is not on one of these lists, only active content will be rewritten. Passive content (such as images) will not be rewritten and will still cause mixed content errors.
That does it for cloudflare, after doing all of the above, your site is ready for SSL!
*Important! One last thing to do to ensure full SSL compatability is making sure that no insecure requests come through, this is how to do it with a description of what it does in the link.
Pop this in your headerincludes
Code:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
One extra thing that I do is use this mod. It fetches external images and serves them locally, meaning that they will not violate the mixed content policy due to the rewrite we did earlier.
There is also another mod that you can use to locally serve insecure (http) images.
IMG Cacher - SSL Keeper - Mixed Content Block Solution
CKEditor Loading Issues:
For users experiencing loading issues of ckeditor on vbulletin 4 with https enabled while using Chrome, here is a fix.
https://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4378500-wysiwyg-editor-no-longer-after-works-after-converting-forum-to-https?p=4378752#post4378752
|