Setting up HTTPS in Elgg 2.3.8

Dear Sir,

From cPanel, I have set up Let's Encrypt, and then the web hosting support team said:

"our domain is loading over https online. You can see that the certificate is installed here:
https://www.sslshopper.com/ssl-checker.html?hostname=http%3A%2F%2Fmyhotfb.com%2F
You should wait for several hours if the domain is not displayed online from your side, because of the worldwide A record propagation which was recently changed.
Regarding the mixed content warning on the site, you should change all your URLs from http to https if you want to see the green padlock in the browser.

If you want automatic HTTPS redirection online you can set these lines:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
in a .htaccess here:
https://us.cloudlogin.co/filemanager/#/www/myhotfb.com "

I really need help here. I would like to know the following:

1. In the .htaccess file, where exactly do I add the following lines?

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

2. In the .htaccess file I see the following:

############################
# REWRITE RULES

<IfModule mod_rewrite.c>

RewriteEngine on

So do I only add

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

3. Should I change the URL from http to https in Advanced settings?

4. Do I have to perform any manual change in DB?

Kindly please help. Please, I would really appreciate correct step by step assistance.

  • 1. Look for this line in your .htaccess file - "# If you must add RewriteRules to change hostname, add them directly below (above all the others)". You need to add the rewrite rule below this line.

    2. This is how I handle my rewrite

    #First redirect all Http request to https
    #Ensure that we exclude any sub-domains
    RewriteCond %{HTTP_HOST} ^(www\.)?campuskarma\.in$ [NC]
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://www.campuskarma.in%{REQUEST_URI} [NC,L,R]
    #Secondly redirect all non-www to www
    RewriteCond %{HTTPS} on
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [NC,L,R]

    The above code will do 3 things: first, it will redirect all http requests to https; it will not add https to any sub-domain; and it will redirect all non-www requests to www.

    3. Nope, you need to keep https in the advanced setting; otherwise it will lead to unnecessary redirection based on your .htaccess rewrite rule.

    4. Nope, you don't have to do anything at database level.

  • Rohit Sir,

    Thanks for your kind reply and detailed step-by-step instructions. I read it today just a few minutes back, but I have already made changes in a slightly different way and it's working. Now I am confused after reading your post as to whether I should change it the way you have detailed in your step-by-step instructions.

    I would like to first share the way I have done it in Elgg 2.3.8.

    1. First, I changed http to https in the advanced option of the Admin menu. Saved it and ran an update. Logged into my DB and saw "https" instead of http. At this stage my site was not automatically redirecting all requests to https, but when I logged in, it showed https. Logged out and cleared the cookies, and the same situation: it's not automatically redirecting to https.

    2. Secondly, to correct it, I edited the .htaccess file and added:

    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    

    Immediately after

    ############################
    # REWRITE RULES
    <IfModule mod_rewrite.c>
    RewriteEngine on

    3. Saved the file. Ran an update, and now I see the following:

    a. All non www and http requests are automatically redirecting to https://www.myhotfb.com/ as a standard. I also see a green lock.

    4. Optionally, I updated the elgg.cron.1min.plist file and changed the http to

    <string>https://www.myhotfb.com/cron/run/</string>

    and then also updated google webmaster tools.

    Now that you have read what I have done, please advise if I should make changes as per your detailed instructions. Just for your review, here is the complete .htaccess file, where I have added some extra MIME types as well, but I don't think they are useful.

    # Elgg htaccess directives

    # Don't allow listing directories
    Options -Indexes

    # Follow symbolic links
    Options +FollowSymLinks

    # Default handler
    DirectoryIndex index.php

    ############################
    # BROWSER CACHING

    # Make sure .ico has proper MIME type, allowing mod_expires to handle them.
    <IfModule mod_mime.c>
     AddType image/vnd.microsoft.icon .ico
    # AddType TYPE/SUBTYPE EXTENSION - jPlayer
     AddType audio/mpeg mp3
     AddType audio/mp4 m4a
     AddType audio/ogg ogg
     AddType audio/ogg oga
     AddType audio/webm webma
     AddType audio/wav wav
     AddType video/mp4 mp4
     AddType video/mp4 m4v
     AddType video/ogg ogv
     AddType video/webm webm
     AddType video/webm webmv
    </IfModule>

    # The expires module controls the Expires and Cache-Control headers. Elgg sets
    # these for dynamically generated files so this is just for static files.
    <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 year"
    </IfModule>

    # Conditional requests are controlled through Last-Modified and ETag headers.
    # Elgg sets these on dynamically generated cacheable files so this is just for
    # static files. Note: Apache sends Last-Modified by default on static files so
    # I don't think we need to be sending ETag for these files.
    <FilesMatch "\.(jpg|jpeg|gif|png|mp3|flv|mov|avi|3pg|html|htm|swf|js|css|ico)$">
    FileETag MTime Size
    </FilesMatch>

    ############################
    # PHP SETTINGS
    # Don't forget to keep these two IfModules in sync!
    #
    <IfModule mod_php5.c>
    # If using PHP 5.6

    # limit the maximum memory consumed by the php script to 64 instead 128 MB
    php_value memory_limit 128M
    # post_max_size is the maximum size of ALL the data that is POST'ed to php at a time (8 instead 64 MB converted to Bytes (in binary))
    php_value post_max_size 67108864
    # upload_max_filesize is the maximum size of a single uploaded file (5 instead 32 MB converted to Bytes (in binary))
    php_value upload_max_filesize 33554432
    # on development servers, set to 1 to display errors. Set to 0 on production servers.
    php_value display_errors 0
    </IfModule>
    <IfModule mod_php7.c>
    # If using PHP 7.x // Synced as per 5.6 with PHP 7.0 converted to Bytes (in binary)

    # limit the maximum memory consumed by the php script to 64/128 MB
    php_value memory_limit 128M
    # post_max_size is the maximum size of ALL the data that is POST'ed to php at a time (8/64 MB)
    php_value post_max_size 67108864
    # upload_max_filesize is the maximum size of a single uploaded file (5/32 MB)
    php_value upload_max_filesize 33554432
    # on development servers, set to 1 to display errors. Set to 0 on production servers.
    php_value display_errors 0
    </IfModule>

    ############################
    # COMPRESSION

    # Turn on mod_gzip if available
    <IfModule mod_gzip.c>
    mod_gzip_on yes
    mod_gzip_dechunk yes
    mod_gzip_keep_workfiles No
    mod_gzip_minimum_file_size 1000
    mod_gzip_maximum_file_size 1000000
    mod_gzip_maximum_inmem_size 1000000
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/javascript$
    mod_gzip_item_include mime ^application/x-javascript$
    # Exclude old browsers and images since IE has trouble with this
    mod_gzip_item_exclude reqheader "User-Agent: .*Mozilla/4\..*\["
    mod_gzip_item_exclude mime ^image/.*
    </IfModule>

    ## Apache2 deflate support if available
    ##
    ## Important note: mod_headers is required for correct functioning across proxies.
    ##
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript image/svg+xml
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.[0678] no-gzip
    BrowserMatch \bMSIE !no-gzip

    <IfModule mod_headers.c>
    Header append Vary User-Agent env=!dont-vary
    </IfModule>

    # The following is to disable compression for actions. The reason being is that these
    # may offer direct downloads which (since the initial request comes in as text/html and headers
    # get changed in the script) get double compressed and become unusable when downloaded by IE.
    SetEnvIfNoCase Request_URI action\/* no-gzip dont-vary
    SetEnvIfNoCase Request_URI actions\/* no-gzip dont-vary

    </IfModule>

    ############################
    # REWRITE RULES

    <IfModule mod_rewrite.c>

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # If Elgg is in a subdirectory on your site, you might need to add a RewriteBase line
    # containing the path from your site root to elgg's root. e.g. If your site is
    # http://example.com/ and Elgg is in http://example.com/sites/elgg/, you might need
    #
    #RewriteBase /sites/elgg/
    #
    # here, only without the # in front.
    #
    # If you're not running Elgg in a subdirectory on your site, but still getting lots
    # of 404 errors beyond the front page, you could instead try:
    #
    #RewriteBase /

    # If your users receive the message "Sorry, logging in from a different domain is not permitted"
    # you must make sure your login form is served from the same hostname as your site pages.
    # See http://learn.elgg.org/en/stable/appendix/faqs/general.html#login-token-mismatch for more info.
    #
    # If you must add RewriteRules to change hostname, add them directly below (above all the others)

    # explicitly allow access for the .well-known directory
    RewriteRule "^.well-known/" - [L]

    # hide all dot files/dirs (.git)
    RewriteRule (^\.|/\.) - [F]

    # Everything else that isn't a file gets routed through Elgg
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?__elgg_uri=$1 [QSA,L]
    </IfModule>
    
    
  • Rohit Sir,

    My site is acting funny... Sometimes it redirected non-www to www, but not always; as a result I got both types of redirection: https with www, and non-www. Additionally, the green lock disappeared for a while and then came back again, and one time it even gave me a warning that the site is not properly configured for SSL.

    So, I took your advice and changed it to the following:

    # If you must add RewriteRules to change hostname, add them directly below (above all the others)
    #First redirect all Http request to https
    #Ensure that we exclude any sub-domains
    RewriteCond %{HTTP_HOST} ^(www\.)?myhotfb\.com$ [NC]
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://www.myhotfb.com%{REQUEST_URI} [NC,L,R]
    #Secondly redirect all non-www to www
    RewriteCond %{HTTPS} on
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [NC,L,R]
    # explicitly allow access for the .well-known directory
    RewriteRule "^.well-known/" - [L]

    Note, the bottom two lines were already there and since you didn't mention anything, I kept it the way it was. 

    I have truncated the following lines which were suggested by the web hosting support.

    #RewriteCond %{HTTPS} off 
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    Let's see what happens now. I hope it will work as you have suggested. But I am curious about one thing: why did we turn off https for the sub domain? What if I need to have https for my subdomain in future for some projects like dating.myhotfb.com? You have already helped me and educated me on https/SSL. I would appreciate it if you would kindly educate me a little more about what advantage we gained by turning off https for the sub domain.

    Thanking you in anticipation.
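
A small Python model of the two rule sets discussed in this thread, added here as an example (it is not code from any poster or from Elgg). It evaluates the RewriteCond/RewriteRule pairs against constructed URLs to show where each request ends up, assuming the same .htaccess handles every hostname; `dating.myhotfb.com` is the hypothetical subdomain from the last post, and ports and query strings are ignored.

```python
import re

# Simplified model of mod_rewrite redirects (assumption: one .htaccess serves all hosts).
# A condition is (variable, regex, negate, ignore_case), mirroring one RewriteCond line.
HOSTING_RULE = [  # rule suggested by the hosting support
    ([("HTTPS", r"off", False, False)], "https://{HTTP_HOST}{REQUEST_URI}", 301),
]
PINNED_RULES = [  # the two rules from the reply, with myhotfb.com as the site host
    ([("HTTP_HOST", r"^(www\.)?myhotfb\.com$", False, True),
      ("HTTPS", r"off", False, False)],
     "https://www.myhotfb.com{REQUEST_URI}", 302),  # a bare [R] flag means 302
    ([("HTTPS", r"on", False, False),
      ("HTTP_HOST", r"^www\.", True, False)],       # "!" in RewriteCond = negate
     "https://www.{HTTP_HOST}{REQUEST_URI}", 302),
]

def redirect_for(rules, url):
    """Return (status, location) for the first rule whose conditions all hold, else None."""
    m = re.match(r"(https?)://([^/]+)(/.*)?$", url)
    env = {"HTTPS": "on" if m.group(1) == "https" else "off",
           "HTTP_HOST": m.group(2), "REQUEST_URI": m.group(3) or "/"}
    for conds, target, status in rules:
        ok = all(
            bool(re.search(rx, env[var], re.I if nocase else 0)) != negate
            for var, rx, negate, nocase in conds)
        if ok:
            return status, target.format(**env)
    return None

def follow(rules, url, limit=5):
    """Follow redirects until no rule fires; return the list of URLs visited."""
    chain = [url]
    while len(chain) <= limit:
        hit = redirect_for(rules, chain[-1])
        if hit is None:
            break
        chain.append(hit[1])
    return chain

if __name__ == "__main__":
    # Constructed sample requests, including the hypothetical subdomain.
    for u in ("http://myhotfb.com/activity", "https://myhotfb.com/",
              "http://dating.myhotfb.com/", "https://dating.myhotfb.com/"):
        print(u, "| hosting rule ->", follow(HOSTING_RULE, u)[-1],
              "| pinned rules ->", follow(PINNED_RULES, u)[-1])
```

In this model the hosting rule copies whatever hostname the request carried into the redirect target, while the first pinned rule always redirects to the fixed `www.myhotfb.com` name. A plain-http request to the subdomain matches neither pinned rule and is left on http.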