Announcement

Collapse
No announcement yet.

Converting your forum to https

Collapse
X
Collapse

  • Converting your forum to https

    CONVERTING YOUR FORUM TO HTTPS
    Applies to self-hosted versions of:
    vBulletin 3; vBulletin 4; vBulletin 5;
    Cloud sites have https enabled by default and you do not need to do anything.

    This FAQ explains how to convert your vBulletin forum to use secure https (SSL) rather than http, and why you might need to.
    Note: This guide contains links to external sites. vBulletin Solutions is not responsible for the content of external links and cannot be held responsible for the accuracy of information contained on them.

    WHAT IS HTTPS?
    https stands for Hyper Text Transfer Protocol Secure. It is the secure version of http, the protocol used for sending data between your browser and a website. It means all communications between your browser and the website are encrypted. The 'S' stands for secure. Web browsers will usually display a green padlock to indicate that a secure connection is in place. For https to work, an https certificate needs to be installed on the server.

    WHAT IS AN HTTPS CERTIFICATE?
    https uses a public and private key system. Data that has been encrypted with the public key can only be decrypted by the private key and vice-versa.
    When a web browser connects to a webpage via https, the server sends its https certificate to the browser. This certificate contains the public key needed to begin the secure session.

    WHY DO I NEED HTTPS?
    Data sent over regular http connections are sent in plain text and could in theory be read by anyone who intercepts the connection. With an https connection, the data is securely encrypted, meaning that even if someone intercepted it, they wouldn't be able to read it.
    Starting in January 2017, Google's Chrome browser will begin to mark non-https pages as 'Insecure'. This warning may put off visitors to your site. Other browsers are expected to follow suit in due course.
    More details on this can be found HERE
    Additionally, Google is now using https as a ranking signal, meaning not having https could harm your site's ranking in Google. More details on this HERE.

    HOW IS THE MOBILE APP AFFECTED?
    Starting in January 2017, Apple is enforcing APP TRANSPORT SECURITY (ATS) for all new apps signed after that date. More details on this HERE. This means that apps signed after January 2017 must use secure https when making API calls and connecting to web services.
    We have updated vBulletin Mobile Suite to version 1.13 to publish apps using HTTPS, to meet Apple's App Transport Security requirement. After Jan. 1, you will not be able to submit updated apps to the iTunes App Store using earlier versions of Mobile Suite. Your current apps are fine and will continue to work with your site; you just won't be able to update them until you use v1.13.

    HOW DO I CONVERT MY FORUM TO HTTPS?
    The first thing you will need is an https certificate. In most cases, the first port of call for this will be your web host. https certificates are commonly referred to as SSL certificates, although these days they are usually actually TLS certificates. These are protocols used for https. TLS stands for Transport Socket Layer, and is the successor to SSL, which stands for Secure Socket Layer. You don't really need to concern yourself with these two protocols, but if you are interested, technical details can be found HERE.
    In most cases, your host will make a small charge for an https certificate. This is generally an annual fee which needs to be renewed. Failure to renew it will cause users to receive a warning in their browser that the certificate has expired, so it's vital to keep this up to date. https certificates are generally tied to a specific domain. The certificate will need to be installed on your server - again, generally your host will do this for you.

    You are not tied to buying the certificate from your host, however it is generally the easiest option if you're not well versed in doing this type of thing. If you purcahse one from a third party, you will normally find instructions on your web hosts website for how to perform the installation of the certificate yourself. For example, one hosting company has a guide HERE. There is another guide HERE. Use these guides at your own risk - vBulletin does not endorse and has not tested any of the guides linked to here. If you are unsure - speak to your host, who should be happy to help.

    I HAVE MY CERTIFICATE INSTALLED - WHAT NEXT?
    The next step is quite simple. Log into your vBulletin AdminCP, and then follow the appropriate instructions below for your version.

    vBulletin 3
    Go to vBulletin Options > vBulletin Options > Site Name / URL / Contact Details.
    Edit 'Forum URL' and add the 's' into the URL.
    For example, if your URL is http://www.contoso.com/forum, change it to https://www.contoso.com/forum

    Then go to Settings > vBulletin Options > vBulletin Options > Server Settings & Optimization Options > Use Remote YUI
    Set this to Google.

    vBulletin 4
    Go to Settings > Options > Site Name / URL / Contact Details.
    Edit 'Forum URL' and add the 's' into the URL.
    For example, if your URL is http://www.contoso.com/forum, change it to https://www.contoso.com/forum

    Then go to Settings > Options > Server Settings & Optimization Options > Use Remote YUI
    Set this to Google.

    vBulletin 5
    Go to vBulletin Options > vBulletin Options > Site Name / URL / Contact Details.
    Edit these three settings: 'vBulletin URL'; 'Login URL'; 'Core URL' and add the 's' into the URL.
    For example, if your URL is http://www.contoso.com/forum, change it to https://www.contoso.com/forum
    NOTE: Do not remove the word 'core' at the end of the core URL. You will break your site!

    Then go to Settings > Options > Server Settings & Optimization Options > Use Remote jQuery
    Set this to Google.

    The key to all three vBulletin versions is that all you do in the URL settings is change http to https. Do not alter any other part of the URL.

    Once you have changed these settings, go to AdminCP > Maintenance > General Update Tools, and rebuild the styles. (In vB3 this is AdminCP > Maintenance > Update Counters). Leave the default settings and just run this update tool.

    ANYTHING ELSE?
    Your site should now load and run normally when using https in the URL. However, you now need to redirect any http traffic to https, so that everyone using your site uses the secure connection.
    Again, in most cases, the simplest way to arrange this is to ask your host to configure it for you. They shouldn't charge for doing this, and it won't take them very long.
    If you'd rather do it yourself, it involves playing about with special files used by different types of server software - For instance, a server running 'Apache' will use an '.htaccess' file, whereas a server running IIS will use a 'web.config' file. If you don't know which server software your server is running, speak to your host. GoDaddy have a useful guide to making these changes HERE. However, these files can be quite tricky to work with, and an incorrect entry will break your site. It's much simpler to get your host to do it!

    THAT'S IT!
    You shouldn't encounter any difficulties and your site should be showing a green padlock in most browsers.
    You may run into issues with 'embedded images', where people have embedded external images or videos from third party sites into your posts, where those sites are or were not using https. These will trigger what is called a 'Mixed Content Warning' in the padlock area of the browser. In practice, what this means is that such embedded images or videos will not show and users may just see a blank space. You should aim to convert these images to attachments, subject to copyright, though this will be a manual task and can be fairly arduous if there are lots of them. Alternatively you can manually edit the embedded URL to change it to https. This will work for major sites like YouTube, but on some sites it may not work if https is not available. There are some third party add-ons that can help with this problem such as THIS ONE, however vBulletin cannot provide official support for third party code.

    If you have any questions regarding this guide, please post in the correct support forum for your version.
    Last edited by Mark.B; Thu 4th May '17, 1:24pm.

    • Glenn Vergara
      #5
      Glenn Vergara commented
      Editing a comment
      If you have posts that that have embedded external images that are not using https, you will get a mixed content error in the browser console and the padlock icon in the address bar will not be green. To prevent that from happening, you can block all the mixed content using this meta tag:

      Code:
      <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content"/>
      That meta tag should be placed inside the <head> tag. For vB5, you can paste it in the head_include template. For vBCloud, you can utilize the Search Engine Verification option in AdminCP > Settings > Options to insert the meta tag.

      See these links for reference:
      https://developers.google.com/web/fu...-mixed-content
      https://developer.mozilla.org/en-US/...-mixed-content

    • Jairo Morillo
      #6
      Jairo Morillo commented
      Editing a comment
      can you detail more how to paste the code in head_include please vbulletin 5.3.3


      <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content"/>

    • Glenn Vergara
      #7
      Glenn Vergara commented
      Editing a comment
      Login to AdminCP and go to Styles. Search for "head_include" template. Edit the ones under the active themes/styles your site is using.
    Posting comments is disabled.

About the Author

Collapse

Mark.B Find out more about Mark.B

Article Tags

Collapse

administration (1) advanced (5) affiliate (1) android (2) api (29) array (17) beginner (17) blog (4) calendar (2) cms (2) forum (3) forums (4) groups (1) Intermediate (7) introduction (1) iphone (3) mapi (30) methods (10) mobile (34) security (2) style (2) suite (1) threads (4) vb5howto (5) vBulletin (5)

Latest Articles

Collapse

  • vBulletin 5 Database Best Practices
    Wayne Luke

    This is part of a best practices series to manage your vBulletin installation.

    The database is the heart and soul of your vBulletin site. All content and user information is stored in the database. Protect the database and you protect your site. This document will go over the creation and usage of a MySQL database for the use of vBulletin 5 Connect. If you have shared hosting and are provided a web-based control panel like cPanel, you will need to access your hosting provider's documentation on how to carry out these operations. This document assumes a general familiarity with the command line operations of your Operating System. All commands listed assume that you are accessing your server via SSH.

    ...
    Wed 31st Oct '18, 8:18am
  • vBulletin Password Handling
    Wayne Luke
    Note: vBulletin Cloud sites cannot use custom password schemes at this time. The core security of your site is the User Password and how it is stored. In the beginning, vBulletin used a simple MD5 hash to represent the password. However as Floating Point Processors (i.e. GPU and ASICs) have become more powerful, this method proved to be risky and reduced security. If we significantly changed the password scheme, then users wouldn't be able to login and would need to change their passwords first. We needed a solution that was more convenient. At this point, a 3 character randomly generated salt was added to the password and it was hashed a second time. Again, technology caught up to this technique. So the salt was increased to 30 characters. Once again, technology caught up with the technique. We needed a better way to hash passwords but allow users to log in seamlessly. When PHP 5.5 was released, a new set of password hashing functions were released to help with thes...
    Sat 27th Oct '18, 1:34pm
  • Creating the Sitemap XML for your vBulletin
    Wayne Luke
    The XML Sitemap specification allows search engines to index your site more efficiently. vBulletin 5 Connect can create the Sitemap automatically so you can submit it to your favorite search engines. Using the default path If you are using vBulletin Cloud, you must use this option. The default value for this is core/store_sitemap. Make sure the directory is CHMOD 0777 on your server. In the AdminCP, go to Settings -> Options -> XML Sitemap and set Enable Automatic Sitemap Generation to Yes. Rebuild your XML Sitemap files in the AdminCP under XML Sitemap -> Rebuild Sitemap Using a custom path Determining the path of your XML Storage Directory. Upload the file filepath.php to your chosen storage direc...
    Sat 27th Oct '18, 1:18pm
  • Installing Memcached for vBulletin
    Wayne Luke
    Note: Installing and using Memcached requires access to the command line and the ability to install software on your server. If you are using a Shared Hosting Package, then you may not have access to this capability. If you are in doubt, please contact your hosting provider. If you are running vBulletin in a Virtual Machine or on a Dedicated Server, you can improve performance with Memcached. This allows you to move some of the caching systems from vBulletin's database and into memory. On the surface, configuring vBulletin to use Memcached may seem complicated. However installation is quick and easy, with a little server knowledge. Install Memcached on the Server Memcached is designed to work on Linux systems. In many cases can be installed with your package manager. Linux # CentOS 6 [root@memcached01 ~]# yum install memcached [root@memcached01 ~]# chkconfig memcached on [root@memcached01 ~]# service memcached start # CentOS 7 [root@memcached01 ~]# yum install memcached [root@memcached01 ~]# systemctl enable memcached [root@memcached01 ~]# systemctl start memcached # Ubuntu 16.04 and 18.04 [root@memcached01 ~]# apt-get update [root@memcached01 ~]# apt-get install memcached Other Distros For other linux distributions, you might have to install from the source code. See the Memcached Documentation on Github to accomplish this.. Windows While Memcached is designed as a Linux/Unix executable it is open source. Due to this, there are Windows Binaries available. You can find these by performing a search on your favorite...
    Sat 27th Oct '18, 1:00pm
  • Using Tools.php
    Wayne Luke
    Within your vBulletin Download Package, we provide a file called tools.php, this file isn't uploaded to the server by default as it is considered to be a significant security risk. However, there are times when you need to change specific settings and aren't able to access your AdminCP directly. Uploading to the Server It is recommended that tools.php is installed in the /core/install directory. To do this, follow the steps below: Connect to your server with your favorite SFTP or SCP client. In your vBulletin package, upload the /core/install directory to your server. In your vBulletin package, find tools.php in your do_not_upload directory and upload to the /core/install directory. After Using Remove Tools.php We consider this file to be a security risk. This cannot be overstated. This file should not be stored on your server after use. It is provided as a tool of last resort. Once you have completed your tasks, you should delete it from your server. To do this, delete the /core/install/ directory. Using The Tools Point your browser to the file at /core/install/tools.php (e.g. https...
    Sat 27th Oct '18, 12:45pm
  • Third-Party Logins: Twitter
    Wayne Luke
    You will need to use an existing twitter account in order to use this functionality.

    Create an app using your twitter account

    In your browser go to https://apps.twitter.com/app/new

    Check App Settings

    Go to the application settings (e.g. https://apps.twitter.com/app/12345/settings where 12345 references the app created in step 2. You can access the settings by going to the list of
    your apps (https://apps.twitter.com), clicking on the app link, then clicking...
    Tue 10th Apr '18, 10:00am
Working...
X