How To Implement SSL To Secure HTTP Traffic (HTTPS)
 
Article: XenForo 1, by TTayfun, 29 Dec 2017, 17:31

This guide should hopefully explain all of the steps required to switch an XF installation from using HTTP to HTTPS.
So, for example, the site URL changes from an http:// address to its https:// equivalent.


What is HTTPS?
Essentially, HTTPS is a secure version of HTTP. While it isn't necessarily required for forums, there is a general push in that direction because of the increased security and because Google now uses HTTPS as a ranking signal. It is also relatively simple and cheap (even free) to implement.

Further information and reading is available at these links:
HTTPS - Wikipedia

Secure your site with HTTPS - Search Console Help
Official Google Webmaster Central Blog: HTTPS as a ranking signal

Sounds good, how do I implement it?
It's a two stage process.
The server needs to be configured to support HTTPS and serve the site over it, and the XF installation needs to be updated to ensure it is compliant.


Configuring the server
The first step is to install a certificate on the server.

Installing a certificate
There are several ways of achieving it, with varying levels of cost. You can:
purchase a certificate (costs vary)
use a free certificate from somewhere like Let's Encrypt - Free SSL/TLS Certificates (other providers are available)
use a certificate provided by your host (if available)
use a certificate provided by a service such as Cloudflare (if available)
This guide is not going to go into any detail regarding certificate installation as the specific implementation varies depending on your circumstances.
If you are unsure, contact your sysadmin or host, or post on the thread related to this resource and community support can be provided.

Force HTTPS
Once the certificate is installed, the next step is to force the use of HTTPS, so if any visitors navigate to any URLs using HTTP, they will be forwarded to the HTTPS equivalent.
If you are on an Apache server, that can be achieved by adding the following to the .htaccess file:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Depending on the server and the exact configuration, a variation of that may be required/preferred.
Note that any custom rewrite rules must come before the XenForo rewrite rules.

A standard .htaccess with those lines added would look like this:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Again, this differs based on the web server so it's something you will need to look into based on your specific circumstances.

Occasionally, a server may not set HTTPS automatically. You can check whether it is by navigating to /admin.php?tools/phpinfo and looking for this entry under the PHP Variables section:



If it does not say 'on', then it can be set by adding this to the end of the library/config.php file:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Like so:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

As far as the server is concerned, that's it.
The other steps relate to changes which need to be made in the XF installation and elsewhere.


Configuring the XF installation
There are several actions which must be taken and changes which must be made, but it will depend to some extent on the installation and how the forum is used. If, after making all of the necessary changes, the site does not appear secure, use the browser inspector to check which content is being loaded via HTTP. The browser inspector can typically be accessed by pressing F12 and then clicking the [Console] tab.

Board URL
The Board URL is one change which must be made for all installations.
That is changed in the ACP -> Options -> Basic Board Information: Board URL.
Simply change the existing URL to the HTTPS equivalent, e.g. from http://mysite to https://mysite.
The same applies to any other URLs on that page: the Home Page URL if set, the privacy policy URL, the terms and rules URL, and the contact URL, if custom URLs have been set.

Image Proxy
If embedding images from remote servers in posts is permitted, then the Image Proxy must be enabled.
If it is not, mixed content warnings will be produced when loading a page with an embedded image from a URL which is not HTTPS.
It can be enabled in the ACP -> Options -> Messages -> Image and Link Proxy: Proxy Images.
Further information regarding the feature is available here: XF 1.3 - EXIF Rotation, ACP Searching, Proxying and Change Logging

Note that there is no specific need to enable the link proxy, as far as HTTPS is concerned, as links are not embedded content in the same way images are.

Media Sites
Other embedded content which may need to be changed concerns media sites, such as embedded videos from YouTube, Vimeo, Facebook, etc.
These are defined in the ACP -> BB Code Media Sites.

Of the default media sites which XF ships with, Dailymotion, Facebook, LiveLeak, Vimeo, and YouTube are HTTPS and can therefore be embedded.
The latest version of the embed code for those sites is as follows:

Dailymotion


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Facebook

Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

LiveLeak


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Vimeo


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

YouTube


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Metacafe is not HTTPS and cannot be embedded, otherwise mixed content/insecure warnings will be generated when loading pages with embedded content from that site.

Any existing embeds from sites not using HTTPS will have to be removed or disabled, either by deleting the media site entry in the ACP, and/or editing the post content to remove them.

The same applies to any other custom media sites which are implemented, either manually or via third party add-ons.

Style images
If any images in any styles are hard coded to use HTTP/external URLs, the logo for example, those will need to be updated. In general, it's always recommended to locally host images on your own server, and use a relative path to them - the header logo image path in that case would be something like @imagePath/images/logo.png.

Advertisements
As with embedded images and video, any advertisements will have to be from a provider which serves them via HTTPS. For the majority of people, that is likely going to be Google AdSense and DoubleClick. If the provider you use does not use HTTPS then you will no longer be able to use them and will have to wait for them to switch to HTTPS, or change providers.
If you currently have AdSense implemented, ensure the script call is either using HTTPS or has no protocol, like so:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Remotely hosted content
Any other remotely hosted content, such as logos, images, custom script, etc. must be served over HTTPS.
In general, it's always better to have the content locally hosted, rather than having the site logo hosted somewhere like Imagebucket.
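
The browser-inspector check described above can also be run offline against saved page HTML. The following is an added example, not part of the original guide: it lists embedded resources that use an explicit http:// scheme, treats protocol-relative and relative URLs as acceptable, and ignores plain links, matching the distinctions made in the sections above. The sample markup and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute the browser fetches while rendering the page.
# <a href> is deliberately absent: a link is not embedded content.
EMBEDDED = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "video": "src", "audio": "src", "source": "src", "object": "data",
}
# Active content can change the whole page, so browsers block it;
# passive content (images, media) has traditionally loaded with a warning.
ACTIVE = {"script", "iframe", "embed", "object", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet links are fetched and applied to the page.
            rel = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rel else None
        else:
            url = attrs.get(EMBEDDED.get(tag, ""))
        # https://, protocol-relative //host/ and relative paths are fine;
        # only an explicit http:// scheme is mixed content on an HTTPS page.
        if url and urlsplit(url.strip()).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, url.strip()))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup (hosts are placeholders, not from the guide).
SAMPLE = """
<link rel="stylesheet" href="http://cdn.example.net/style.css">
<img src="styles/default/logo.png">
<img src="http://images.example.org/avatar.gif">
<script src="//ads.example.com/show_ads.js"></script>
<a href="http://old.example.org/page">external link</a>
"""

for finding in find_mixed_content(SAMPLE):
    print(*finding)
```
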

Sitemap
Any additional URLs entered in the ACP -> Options -> XML Sitemap Generation: Extra Sitemap URLs should be updated.
The sitemap should also be rebuilt via the ACP -> Tools -> Rebuild Caches: Rebuild XML Sitemap

Notices, Help Pages, User Upgrades, Style Properties, Templates
If any URLs have been hard coded in notices, custom help pages, user upgrade descriptions, style property images, or templates, they should be updated.

Warnings
Warnings which are set to issue a conversation should be updated if the site URL is present in the conversation text.

Updating existing content
Although it's not necessary, some people prefer to update any existing links for their own site in posts and conversations, once they have switched to HTTPS.
The easiest way to do that is to use a program such as phpMyAdmin and run queries against the various tables.

For post content, the query takes the form:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Where current_content is the existing post text and new_content is what it should be changed to.

A specific example would be like so, when this site switched to HTTPS:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

Note that this is typically only used to change the links for the site you are switching to HTTPS (i.e. your own site).
It's not possible to change all links in posts to HTTPS as not all sites work over HTTPS and doing so will cause some of those links to fail to work.
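
As an added example (not the guide's own query), the following dry run shows which post links a rewrite restricted to your own site would touch. It is useful for previewing the effect on exported post text before running any query against the live tables. The host forum.example.com and the sample rows are constructed placeholders.

```python
import re


def own_site_link_pattern(host):
    # Match http://host or http://www.host only where the host name really
    # ends: the next characters must not extend it into another host
    # (host.mirror.example.net, hostile suffixes, user@otherhost) or name an
    # explicit port, which may not be served over HTTPS.
    return re.compile(
        r"http://((?:www\.)?" + re.escape(host) + r")"
        r"(?![A-Za-z0-9@-]|\.[A-Za-z0-9]|:\d)",
        re.IGNORECASE,
    )


def upgrade_own_links(message, host):
    """Return (new_message, number_of_links_changed)."""
    return own_site_link_pattern(host).subn(r"https://\1", message)


def preview(posts, host):
    """Dry run: (post_id, changes, new_text) for every post that would change."""
    changed = []
    for post_id, message in posts:
        new_text, count = upgrade_own_links(message, host)
        if count:
            changed.append((post_id, count, new_text))
    return changed


# Constructed sample rows: (post_id, message).
POSTS = [
    (1, "See [url]http://forum.example.com/threads/1/[/url] and http://www.forum.example.com."),
    (2, "Mirror: http://forum.example.com.mirror.example.net/ or http://other.example.org/"),
    (3, "Already fine: https://forum.example.com/help"),
    (4, "Dev box http://forum.example.com:8080/ stays as is"),
]

for post_id, count, new_text in preview(POSTS, "forum.example.com"):
    print(post_id, count, new_text)
```
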

A similar query can be run against conversation messages:


Code block locked: (you must register or log in)
Blocked, unregistered, or pending-approval users cannot access the code.

It is extremely important when running any queries on the database to ensure a backup is taken first, should it be necessary to revert in the case of any issues or problems.


Additional steps
Other actions may be required, depending on the options and functionality enabled in the XF installation, as well as on external sites. Some of those are listed below.

PayPal
If paid user upgrades are implemented, update the IPN Notification URL in the PayPal account.

External Accounts
If registration and log in is in use via Facebook, Twitter, Google, etc. ensure the applications are updated with the correct URL.
It's also worth updating any other site related external accounts for StopForumSpam, Project Honey Pot, etc., as required.

Robots.txt
If you have an entry in the robots.txt file for the sitemap (e.g. https://xenforo.com/robots.txt), ensure you update it.

External site links
Finally, don't forget to update the URL on other sites, such as Google Webmaster Tools, Google Analytics, your home page (if you have one), Twitter, Facebook, YouTube, and other social media accounts linked to your site, other forum signatures and profile page links, etc.

[Source]: Content source
