Platform: Xenforo
Skill level: Advanced
Time needed: 2 Hours

How To Migrate Xenforo Forum from HTTP to HTTPS

If you want to add SSL to your existing Xenforo forum (serving it over HTTPS instead of HTTP), this is a step-by-step guide to how I do it.

 

Why HTTPS?

In short, there are some advantages of migrating your Xenforo forum to HTTPS:

  • More secure
  • Members feel safe
  • Avoid getting “Not Secure” on Google Chrome 56 and above
  • Avoid getting “!” mark (not secure symbol) in another browser
  • HTTPS is one of search ranking signals which could help your SEO

 

Get SSL Certificate

The first thing you need to do is get an SSL Certificate for your forum. There are two options available, free and paid certificates. I recommend purchasing one rather than using a free certificate. Namecheap offers an SSL Certificate for only $9 / year, and they are really good.

However, if you don’t have the budget, you can always use Let’s Encrypt to get an SSL Certificate for free with some limitations.

 

Activate SSL Certificate

Once you purchase an SSL Certificate, you need to activate it. There are a few steps to activate your SSL certificate.

NB: I’m using Xenforo on a Linux-based server (CentOS) with the Nginx web server, so this tutorial reflects that system.

 

Step 1: Generate CSR

CSR stands for Certificate Signing Request. It contains information about your domain name, organization, address, country, and public key that will be included in your certificate. CSR is required to activate your SSL Certificate, and you should generate it on your server.

To keep SSL files manageable and avoid confusion later, I put all certificate-related files in /etc/nginx/ssl/forum.yourdomain.com

Run this command to create that folder

mkdir -p /etc/nginx/ssl/forum.yourdomain.com

Navigate to that folder

cd /etc/nginx/ssl/forum.yourdomain.com

Run this command to generate the CSR

openssl req -new -newkey rsa:2048 -nodes -keyout forum.yourdomain.com.key -out forum.yourdomain.com.csr

Fill in the required details, including:

  • Common Name (your forum domain name)
  • Country (two-letter code)
  • State (or province)
  • Locality (or city)
  • Organization
  • Organizational Unit (Department)
  • E-mail address (I recommend you to use your domain email, such as admin@yourdomain.com)

NB: You don’t need to fill challenge password and optional company name. Just press Enter (Return) to skip.

Now there are two files generated, forum.yourdomain.com.key and forum.yourdomain.com.csr.

Run this command to display your CSR code, then copy the code (from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----).

cat forum.yourdomain.com.csr

You need this to activate SSL Certificate on your Namecheap account.

 

Step 2: Request SSL Certificate

Now log in to your Namecheap account, then click Activate on your SSL Certificate

Paste your CSR code

Namecheap will automatically detect Primary Domain based on your CSR code

Select your server type, then press Submit.

Now confirm your details, then click Next.

This is the last and the most important step before you get your SSL certificate. Your domain must pass through DCV (Domain Control Validation). The fastest way to validate is using email validation.

Namecheap will provide you with several email options; select the one that applies to you.

Now verify and confirm.

Within 10 minutes you will receive a validation email. If no message arrives, you can always resend it.

Click the validation link and enter your validation code.

Now your domain has been successfully verified. The SSL Certificate will be sent to your administrative email.

 

Install SSL Certificate (Nginx)

Step 1: Merge SSL Certificate

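Download and extract the .zip certificate file from your email attachment. There are two files inside, yourdomain_com.ca-bundle and yourdomain_com.crt. Upload both files to your server.

Merge both files into one .crt file with the command below. Your own certificate must come first, followed by the CA bundle, and the result goes to the path the Nginx virtual host will point to:

cat yourdomain_com.crt yourdomain_com.ca-bundle > /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.crt

Both files are now merged as forum.yourdomain.com.crt.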
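
A quick check worth running before Nginx ever loads the merged file. This is an added example, not part of the original tutorial: it confirms the private key is not readable by other users, that the first certificate in the merged file belongs to the key generated with the CSR, and that the CA bundle was actually appended. It assumes the openssl command line tool and GNU stat (as on CentOS); the script name check_bundle.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# check_bundle MERGED_CRT PRIVATE_KEY
# Prints one finding per line and returns 1 if any check fails.
check_bundle() {
    crt=$1; key=$2; rc=0

    # The private key must be readable by its owner only.
    mode=$(stat -c '%a' "$key") || return 2
    case $mode in
        600|400) ;;
        *) echo "key-permissions: mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    # nginx serves the FIRST certificate in the file as the server
    # certificate, so its public key must be the one inside the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "key-mismatch: first certificate does not belong to this key"; rc=1
    fi

    # Only one certificate means the CA bundle was never appended.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$crt" || true)
    if [ "${n:-0}" -lt 2 ]; then
        echo "no-chain: ${n:-0} certificate(s) in file, CA bundle missing"; rc=1
    fi
    return "$rc"
}

# Run as: sh check_bundle.sh MERGED_CRT PRIVATE_KEY
if [ "$#" -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```

No output and exit status 0 means all three checks passed. A key-mismatch finding usually means the files were concatenated in the wrong order or the certificate was issued for a different CSR.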

 

Step 2: Generate DHE Parameters

sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

 

Step 3: Create Nginx SSL Configuration

To make everything easier, I keep the SSL configuration in a separate file. This simplifies the virtual host configuration in the next step.

nano /etc/nginx/ssl.conf

Paste this into ssl.conf:

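# "ssl on;" was deprecated in nginx 1.15.0 and removed in 1.25.1. On those
# versions delete this line and use "listen 443 ssl;" in each server block.
ssl on;

# TLSv1 and TLSv1.1 were formally deprecated by RFC 8996. Keep them only if
# old clients must still connect; otherwise reduce this list to TLSv1.2.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;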

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout   70;

# Must be the file generated in Step 2
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

ssl_buffer_size 1400;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;

#Enable simple HSTS without preload
#add_header Strict-Transport-Security 'max-age=31536000';
#or
#Enable HSTS with preload to domain & all subdomains
#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

NB: Only enable HSTS when you’re really sure that everything works. It forces the browser to load the HTTPS version and never try the HTTP version for the whole max-age period (one year in the lines above).

 

Step 4: Edit Nginx Virtual Host

It’s time to edit your virtual host configuration. First things first, you should decide the main URL for your forum. In this case, I decide https://forum.yourdomain.com as the main URL. Therefore, I’ll redirect all traffic from:

  • http://forum.yourdomain.com to https://forum.yourdomain.com
  • http://www.forum.yourdomain.com to https://forum.yourdomain.com
  • https://www.forum.yourdomain.com to https://forum.yourdomain.com

Now open your current virtual host configuration, and let’s set it up.

Modify your server block to redirect all HTTP traffic to HTTPS

server {
        listen  80;
        server_name     www.forum.yourdomain.com forum.yourdomain.com;
        return  301     https://forum.yourdomain.com$request_uri;
}

Now redirect all https://www.forum.yourdomain.com traffic to https://forum.yourdomain.com. Make sure your SSL configuration points to the right certificate and private key file. The certificate must also cover www.forum.yourdomain.com, otherwise visitors get a certificate warning before the redirect happens.

server {
        listen  443 ssl;
        server_name     www.forum.yourdomain.com;
        ssl_certificate /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.key;
        include /etc/nginx/ssl.conf;
        return  301     https://forum.yourdomain.com$request_uri;
}

And this is the server block for your main URL, https://forum.yourdomain.com

server {
        listen   443 ssl;
        server_name forum.yourdomain.com;
        autoindex off;
        root /var/www/forum.yourdomain.com/public_html;
        index index.php;
        access_log off;
        error_log /var/www/forum.yourdomain.com/log/error.log warn;
        ssl_certificate /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.key;
        include /etc/nginx/ssl.conf;

        #....................your other stuff and configuration

}

Your final Xenforo virtual host configuration on Nginx would be something like this:

server {
        listen  80;
        server_name     www.forum.yourdomain.com forum.yourdomain.com;
        return  301     https://forum.yourdomain.com$request_uri;
}

server {
        listen  443 ssl;
        server_name     www.forum.yourdomain.com;
        ssl_certificate /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.key;
        include /etc/nginx/ssl.conf;
        return  301     https://forum.yourdomain.com$request_uri;
}

server {
        listen   443 ssl;
        server_name forum.yourdomain.com;
        autoindex off;
        root /var/www/forum.yourdomain.com/public_html;
        index index.php;
        access_log off;
        error_log /var/www/forum.yourdomain.com/log/error.log warn;
        ssl_certificate /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/forum.yourdomain.com/forum.yourdomain.com.key;
        include /etc/nginx/ssl.conf;

        #xenforo needs
        location / {
                try_files $uri $uri/ /index.php?$uri&$args;
                index index.php index.html;
        }

        #xenforo security folder
        location /install/data/ {
                internal;
        }

        location /install/templates/ {
                internal;
        }

        location /internal_data/ {
                internal;
        }

        location /library/ {
                internal;
        }


        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

        location ~* \.(?:ico|css|js|gif|jpg|jpeg|png)$ {
                access_log off;
                log_not_found off;
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location ~ /\. {
                deny all;
        }

        location ~ \.txt$ {
                deny all;
        }

        location ~ \.sql$ {
                deny all;
        }

        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root   /usr/share/nginx/html;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param HTTPS on;
                fastcgi_param HTTP_SCHEME https;
                include fastcgi.conf;
        }

}

 

Before you restart the Nginx service, I recommend you log in to your forum admin dashboard first (http://forum.yourdomain.com/admin.php). This makes sure you are still able to change the Xenforo options if the HTTPS migration does not run as smoothly as expected.

Once you are logged in, restart your Nginx service.

service nginx restart

 

Change Xenforo Settings to HTTPS

The hard part is done. Now it’s time to change your Xenforo settings and completely migrate from HTTP to HTTPS.

 

Step 1: Change base URL Xenforo to HTTPS

Open your Admin Dashboard > Options > Basic board information > and change the board url from http://forum.yourdomain.com to https://forum.yourdomain.com.

 

Step 2: Activate Proxy Images

It’s important for an HTTPS site to load only HTTPS content, otherwise you’ll get a “Mixed Content” warning. Luckily Xenforo has a Proxy Images feature which will fetch hotlinked (embedded) images and save them on your local server.

Go to ACP > Options > Messages > Activate Proxy Images

NB: you can set the Image Cache Lifetime to 0 if you want to store the images forever. However it’s not recommended for server with limited free space.

 

Step 3: Rebuild Sitemap

Go to ACP > Options > XML Sitemap Generation

If you have Extra Sitemap URLs, you should update them to HTTPS. Then you need to Rebuild Sitemap via ACP > Tools > Rebuild Caches: Rebuild XML Sitemap.

 

Step 4: Edit Embed Code to HTTPS

Go to BB Code Media Sites, and update all media URLs and embed codes to HTTPS. I only use Facebook and YouTube embeds, because both are HTTPS friendly and highly relevant for my forum members.

Facebook embed code (https)

<div class="fb-video" data-href="https://www.facebook.com/video.php?v={$id}" data-width="500"><div class="fb-xfbml-parse-ignore"><a href="https://www.facebook.com/video.php?v={$id}">https://www.facebook.com/video.php?v={$id}</a></div></div>

YouTube embed code (https)

<iframe width="500" height="300" src="https://www.youtube.com/embed/{$id}?wmode=opaque" frameborder="0" allowfullscreen></iframe>

Vimeo embed code (https)

<iframe src="https://player.vimeo.com/video/{$id}" width="500" height="300" frameborder="0"></iframe>

Dailymotion embed code (https)

<iframe frameborder="0" width="500" height="300" src="https://www.dailymotion.com/embed/video/{$id}?width=500&hideInfos=1"></iframe>

 

Step 5: Advertisement

Make sure your advertising network supports HTTPS. In some cases you need to modify your ad code to HTTPS. For Google Adsense, for instance, you need to modify the code so that it either uses HTTPS or has no protocol, like this:

<script src="//pagead2.googlesyndication.com/pagead/show_ads.js"></script>

 

Step 6: Update Existing URLs

This is optional but recommended. Although internal links work smoothly through 301 redirect, it’s better when you update all existing URLs from HTTP to HTTPS. You can do this instantly through phpMyAdmin. Login to phpMyAdmin > select your forum database > Query, then run this SQL query format:

UPDATE xf_post SET message = REPLACE(message,'current_content','new_content');

PS: Backup your database before you run the query. Change current_content with your HTTP forum URL and new_content with your HTTPS forum URL. It should be something like this:

UPDATE xf_post SET message = REPLACE(message,'http://forum.yourdomain.com/','https://forum.yourdomain.com/');

You can do the same thing for the conversation messages:

UPDATE xf_conversation_message SET message = REPLACE(message,'http://forum.yourdomain.com/','https://forum.yourdomain.com/');

 

Step 7: Robots.txt

Update your sitemap URL inside robots.txt to HTTPS

Sitemap: https://forum.winpoin.com/sitemap.php

 

Step 8: Edit External Application

If you use social registration & log in, such as Facebook, Twitter, etc., make sure you update the forum URL to HTTPS on its application settings. Do the same thing for other external accounts like StopForumSpam, reCaptcha, etc.

If you use Google Analytics, update your forum URL to HTTPS too.

 

Step 9: Check Page

Check every page (index, thread, etc.) using the View Page Source feature in your browser. Make sure there is no HTTP content embedded / loaded on that page. If you find HTTP content embedded, change it to HTTPS or remove it entirely to avoid the Mixed Content warning.
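
Reading page source by eye gets tedious on a large forum, so here is the same check as a script. This is an added example, not part of the original tutorial: it lists only the tags that make the browser fetch something over http:// (images, scripts, iframes, stylesheets, media) and ignores ordinary <a href> links, which do not trigger a Mixed Content warning. The sample page inside it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# find_mixed_content [FILE...]   reads stdin when no file is given.
# Prints "tag url" for every subresource still requested over http://.
find_mixed_content() {
    awk '
    BEGIN {
        RS = "<"    # one record per tag, even when a tag spans several lines
        tags = "^(img|script|iframe|link|source|audio|video|embed|object)[ \t\n]"
        attr_re = "[ \t\n](src|href|data|poster)[ \t]*=[ \t]*[\"\047]?http://[^\"\047 \t\n>]+"
    }
    {
        low = tolower($0)
        # Plain <a href> links are navigation, not mixed content: skipped.
        # <link> is reported whatever its rel; rel=canonical hits are harmless.
        if (low !~ tags) next
        split(low, parts, /[ \t\n]/)
        # Match on the lowercased copy, then cut the URL out of the
        # original text so its case is preserved.
        if (match(low, attr_re)) {
            attr = substr($0, RSTART, RLENGTH)
            print parts[1], substr(attr, index(tolower(attr), "http://"))
        }
    }' "$@"
}

# Constructed sample page (not real forum output).
sample_page() {
    cat <<'EOF'
<a href="http://forum.yourdomain.com/threads/1">old internal link</a>
<img alt="see http://old.example.test" src="http://img.example.test/a.png">
<script src="//pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<IFRAME width="500"
        SRC='http://www.youtube.com/embed/abc?wmode=opaque'></IFRAME>
<link rel="stylesheet" href="https://forum.yourdomain.com/css.php">
EOF
}

sample_page | find_mixed_content
```

To check a live page, save it first (for example with your browser's Save Page As) and pass the file name to find_mixed_content.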

 

Step 10: Add Google Webmaster Tool

Last but not least, add your new HTTPS forum URL to Google Webmaster Tool. Submit your new Sitemap too. This is important to retain your SERP on Google and make sure the HTTPS migration goes smoothly.

 

 

Febian
Entrepreneur. Content Producer. Founder Poin Asia, blog network with more than 2.5 million pageviews / month.
