SMF Support > Server Performance and Configuration

Converting to https, step-by-step...

(1/23) > >>

Having just gone thru this the first time myself, I thought I'd share my notes & explain each step (as best I can, anyway).
 This is the stuff I wish I knew up front...  Whether you are doing a new install or trying to diagnose an issue, follow these steps in sequence to get your site up & running.

These steps are generic enough to help you whether you are running under 2.0.x or 2.1.x. 

(1.) Purchase & install your certificate.  Yes, this is the first step.  With a certificate installed, you can run either http:// or https://.  If you do NOT have a certificate installed, you can only run http://.   So... 

If you do NOT have a certificate installed, and you change all your URLs to https://, your site will (POOF!) disappear...  That's because your web server won't serve https:// content without the cert.  Install the cert first...

(2.)  Test your cert, to make sure it is installed & fully operational.  There are lots of tools online that will help you confirm it works.  One such tool:

(3.)  Install an http to https redirect.  Without the redirect, your web server will still attempt to serve up http:// upon request.  So, for example, if you type in your forum's URL with http://, not https://, it will actually execute index.php insecurely.  Themes probably won't work though, so you will probably get that weird, blank-page, text-only version of your site.  A redirect will avoid lots of flaky behavior... 

Here is a good, multi-purpose Apache example right here, that will redirect ALL http:// traffic to https://, and further, tell search engines this is a permanent change:

--- Code: ---RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
--- End code ---

Save the above as a text file named .htaccess, and place it in the root folder of your site.  If you already have an .htaccess file, copy & paste the above at the top of the file. 

There are many other .htaccess examples out there, e.g., if you only want specific folders redirected.  This may be helpful if you have multiple forums, each in separate folders, and only some are https.  If you have such complicated needs, Google is your friend... 

(4.)  If installing...  Run the installer using https://  Using https:// is pretty important, as all URL settings created by the installer are based relative to how you invoke the installer.  Invoking the installer as https:// will make sure all of your URLs internally are https:// at the outset.  If you run the installer with http://, you will have to fix this later using repair_settings.php.

(5.)  If installing 2.1...  Select the Force SSL option.

(6.)  Run repair_settings.php. **MAKE SURE YOU USE THE RIGHT ONE**  There is a different repair_settings.php for SMF 2.1 up on Github!  Using repair_settings.php, confirm the following URLs are all setup with https://, not http://:
 - $boardurl
 - Your Smileys URL
 - Your Avatars URL
 - Your Custom Avatars URL (if you have one)
 - Your Theme URL (one for each theme!!!!)
 - Your Theme/Images URL (one for each theme!!!!)

Save your settings, exit, & delete repair_settings.php.   

I run repair_settings.php just as a safety measure, just to make sure it all went as expected...  I'm paranoid & like double-checking things...

(7.) If you were running 2.1 already, go to the Admin | Maintenance | Server Settings | General and choose "Force SSL throughout the forum" at the Forum SSL Mode prompt. 

(8.) If running 2.0.14+, or 2.1, consider activating the image proxy.  You probably want to do this if your site has mixed http:// & https:// content.  This happens if your forum members share a lot of images from other websites.  If there are mixed http:// and https:// images on the same webpage, you will at least get a security warning, & you will more likely get broken links.  This is because some browsers will not serve mixed http:// & https:// content as a security feature.  SMF's image proxy feature will download http:// images locally, so SMF can turn around and serve them up https://.  No more 'mixed' content issues.  This will significantly reduce broken links and security warnings on your site.  If your forum members share lots of images, you probably want the image proxy enabled. 

NOTE:  The upgrader doesn't change anything - if it finds a site http://, it leaves it http://.  If it finds a site with https://, it leaves it that way. 

What do you do if you're still having issues?  Run repair_settings.php again & triple-check all your URLs... 

Hope this helps.

Repair_settings may be found here:



Just ran across a nifty tool that helps you confirm your redirect is working OK:

Thanks, handy post.  ;)

Converted a couple of my sites yesterday, before I read this.  Luckily all seems to have gone well.  I will just say though some themes and mods make calls to external scripts, so you might find that even though you might see the green padlock in your browser it's still blocking some of the content.

青山 素子:
Some more useful links:

* - Put in the URL to a page and it'll highlight things that are loading over a non-secure connection so you can correct them.
* - The Qualys SSL Labs tester. It does a very complete check of your setup and will let you know what browsers may have trouble connecting, along with a nice grade on how secure your configuration is.
* - Another SSL checker. This one has the advantage of being able to alert you if you forgot a needed intermediate certificate, which will cause security warnings in browsers. (You can ignore a missing root, the browsers will have those.)
* - The Mozilla SSL Configuration Generator. If you manage your server configuration manually, fill in a few details and it'll generate a recommended configuration for SSL setup. I recommend you keep the "intermediate" settings, as the "Modern" will exclude quite a few browsers and platforms still in use.
One thing to keep in mind with the image proxy is that it will increase your bandwidth as it has to fetch the insecure image and then provide it securely from your site. It shouldn't be a lot of extra traffic, but keep it in mind if you enable it.


[0] Message Index

[#] Next page

Go to full version