Announcement

**Wayne Luke** · Sun 1 Dec '19, 1:04pm

Both examples of the .htaccess code do exactly the same thing.

You need to update the URLs in the database under Settings -> Options -> Site Name / URL / Contact Details. All three URL options need to be updated.

Your Content Security Policy needs to allow iFrames/Frames from your own URL.

What elements are not switching to HTTPS besides the CSS? Have you modified any templates?

**john_rsd** · Sun 1 Dec '19, 1:40pm

Thanks for the replay Wayne, I know its skirting around server issues which is not what you do so i will try and keep it short.

The CSS was the main one, I just found another few topics after digging that recommend moving the CSS from files to database but at the penalty of not having selectable themes for users ??

Second one was when I attempted to go to AdminCP>Settings>Options>Site Name / URL / Contact Details in which FF had a nervous breakdown and CSP just blanked the frame with a message it cant display, so I had to venture to where they be dragons ;-) and disable it.

I could however access other settings OK, it was that particular option it did not like.

When i eventually though I had it working, I also got a login error under Edge, which also said it cant run iframes (I think that was it)

And no, no modified templates, yet ! as i need the platform running first, eventually I want to move it to vBCloud and be done with managing servers, just need the site to gain traction first.

See attached.

The one that concerns me is where CSP is locking it down.

John

**john_rsd** · Sun 1 Dec '19, 2:08pm

Hi Wayne,

I *think* I have sorted it now, I found a few more posts in the forums which helped, one for doing the SSL checking itself on https://www.ssllabs.com/ssltest/ which confirmed the cert seemed OK

Some of my other domains were not OK, always skeletons to find

Anyway, I set the .hta file back to standard

Code:

# To redirect users to the secure version of your site, uncomment the lines below
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

This alone kills access to the AdminCP

So back to the standard one

AdminCP>Settings>Options>Site Name / URL / Contact Details

So I set first

vbulletin URL = HTTPS://www.domain.org
Login URL = HTTPS://www.domain.org
Core URL = HTTP://www.domain.org
HTTPS Term = NO
ROUTE CONV = NO
LOGO URL = BLANK
Forum URL as Base = YES

Added this list
https://www.domain.org
http://www.domain.org
https://domain.org // New addition as the cert search showed no www
http://domain.org // New addition as the cert search showed no www

Set style sheet to go back to database and I will try that later with a new folder

THEN

I changed the .hta file

Doing it that way round and adding the domain.org (no www) in list seems to have worked.

All seems OK for now.

So my apologies Wayne, I either did things out of sequence and screwed up or perhaps a cahce issue on eithe browser while fumbling around.

Learning and remebering a bit more every day :-D

Thanks again.

**john_rsd** · Sun 1 Dec '19, 2:25pm

OK,

Still an issue it seems with Safari and Chrome on IoS (Ipadpro) which is similar with what I seen earlier with Edge. Edge and FF under W10 seem fine

The login drop down is blank.

See image

I must admit not to be familiar with Safari at all

**Wayne Luke** · Sun 1 Dec '19, 2:48pm

The login frame shows on my iPhone. Can you clear the cache in Safari and try again?

**john_rsd** · Sun 1 Dec '19, 2:55pm

OK, please see attached video.

When i tested forum access in the Ipadpro with safari and chrome I hit a brick wall as the login box was blank.

So i installed Chrome on W10 and it was the same (rules out IoS)

However, if I then hit register, then go back to login the login box works.

Close down chrome, open up and hey prestor same issue.

Something must be missing on first load that is cached when other content is loaded (such as click register)

Attached Files

GLITCH04210033.zip (114.7 KB, 34 views)

**Wayne Luke** · Sun 1 Dec '19, 5:37pm

What address are you typing into your address bar of the browser?

www.example.com and example.com are two different URLs and therefore two different sites as far as browser security is concerned today. You will have problems. Clicking on a link would send you to the address specified in your AdminCP under Settings -> Options -> Site Name / URL / Contact Details. That is the URL you should always use.

**john_rsd** · Mon 2 Dec '19, 3:04am

Wayne

https://www.domain.org

That is where it is landing, same address as in Edge or FF.

Somehow Chrome and Safari seem to be handling the URL differemtly on first landing.

Only link in settings I have left as http and not changed to https is the /core location. The note says leave as is unless told to change it by vb support. Do I require to change this to https also ?

John

**Mark.B** · Mon 2 Dec '19, 3:18am

Originally posted by john_rsd View Post

Wayne

https://www.domain.org

That is where it is landing, same address as in Edge or FF.

Somehow Chrome and Safari seem to be handling the URL differemtly on first landing.

Only link in settings I have left as http and not changed to https is the /core location. The note says leave as is unless told to change it by vb support. Do I require to change this to https also ?

John

Yes you must change all three URLs to https.

Please also review our guide and ensure you have followed all relevant steps:
https://forum.vbulletin.com/articles...forum-to-https

**john_rsd** · Mon 2 Dec '19, 3:45am

Mark

Changed all 3 now to https://www.domain.org and Chrome still doing the same, even if I am actually logged in.

I did login and hit remeber me, then closed chrome

Open chrome back up, I see a login at top right and when its dropped down it is blank

So I tried a test and set the sites https URL as the default page when starting. All seems OK

It is making little sense to me Mark, it should be working fine, I will try again later. Did you see the small video clip above ?

John

**Wayne Luke** · Mon 2 Dec '19, 7:10am

What is the security policy that you're using?

It isn't missing a cache. The Login box is a separate call to the server and loaded in an iframe. If you block iframes improperly, it can cause problems. Your hosting provider may have provided a security policy to your site without your knowledge.

**john_rsd** · Tue 3 Dec '19, 9:06am

Wayne, but only for chrome ? No issues Edge or FF ? and after a page refresh in Chrome by bringing up another page first, Chrome works.

Could be a setting mys ide Wayne.

I will drop the site live to a few people and see what happens. Can only be what I have here or server so I will kick it around a bit first.

Thanks

John

Announcement

Cannot display pages correctly after change to HTTPS

Cannot display pages correctly after change to HTTPS

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics