Redirect Issue

[RPS]

I would like to force https for everyone who tries to access WHMCS.

 

Assuming WHMCS is installed at http://www.domain.com/whmcs

 

The following htaccess code has worked for many months with another billing system, however, it spits out a 443 redirect error when I try to access the client side:

 

https://www.domain.com/whmcs/

 

However, the admin side works fine with the redirect

 

https://www.domain.com/whmcs/admin

 

I edited "Configuration > General > WHMCS System URL" to use https, then tried with just http

 

Then I did the same test trails for "WHMCS SSL System URL" and achieved the same result.

 

Here is my .htaccess code... (the same code works when I change the whmcs folder name to another folder)

 

# Rewrite the URL for billing to always use https PART 1
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

# Rewrite the URL for billing to always use https PART 2
RewriteCond %{REQUEST_URI} ^/whmcs[NC]
RewriteCond %{REQUEST_URI} !^/whmcs/ [NC]
RewriteRule ^(.*)$ https://www.domain.com/$1/ [R=301,L]

[RPS]

In the above post (that I can't edit), I mentioned 443 when it should be 301 as the error.

[RPS]

This seems to be solved when I set "WHMCS SSL System URL" to empty and use the above .htaccess rules.

 

I guess the issue is somewhere with the redirect with the https textbox.

[Matt]

When you have an SSL url entered into WHMCS, WHMCS will automatically do the redirect for you to SSL on pages containing any sensitive information and use non-SSL for pages that don't eg. knowledgebase, server status, etc... So you were putting in place a redirect that acts against the WHMCS one causing an invalid loop of redirects hence the error.

 

Matt

[chickendippers]

Yes, leaving the SSL system url blank will cause callback problems, problems accessing knowledgebase and server status, and problems downloading pdf invoices.

[RPS]

The ideal situation is to have the entire whmcs install use SSL throughout the system. So the order page is SSL, the client area page is SSL, etc..

 

Matt, can you clarify how I can do this via WHMCS, or if I disable WHMCS redirection (by not inputting an https address), will what chickendippers said above hold true with the problems, or will WHMCS redirect correctly?

[Matt]

That's not the ideal situation - it's just a waste of resources - but if that's what you want to do, then you do exactly what you have done. WHMCS won't redirect at all if you leave the SSL System URL blank so no, what chickendippers said is not the case.

 

Matt

[RPS]

When my clients login to our website, I would much rather have the login pages secured. What extra resources do SSL connections take up? I'm not familiar with this...

[Matt]

When my clients login to our website, I would much rather have the login pages secured. What extra resources do SSL connections take up? I'm not familiar with this...

Which is exactly what the WHMCS auto-switching does. It's pages that contain no sensitive information like announcements, knowledgebase, server status, etc... that are served in non-ssl.

 

Matt

[chickendippers]

Sorry, I meant to say if you leave the non-SSL path blank, but fill in the SSL path you will have those problems.

[RPS]

Which is exactly what the WHMCS auto-switching does

- Not for me... Pages with my install of WHMCS that contain login areas are not all protected. The login appears on just about every page I think, and it's on the left hand side. Is this a bug? Or just a misunderstanding regarding how it is supposed to work?

 

Thanks for clarifying that chicken