Jump to content

Protect using SSL

RPS

By RPS
in Third Party Add-ons

 Share

Recommended Posts

RPS Senior Member

RPS

Posted
Posted

With the current way WHMCS handles SSL, your clients can log in on pages that are not via SSL. There are also other areas that WHMCS forces to use http instead of https (I believe the announcements and knowledgebase are both without https).

 

You can use .htaccess to force everything to happen via https, however, file downloads will NOT work if this is the case.

 

When you try to download a file using rewrite rules that forces your URL to be https, IE has an issue with downloading files (in this case, the downloads page).

 

Open 'Configuration' -> 'General Configuration'

Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)

Set WHMCS SSL System URL to empty

 

The follow code (which you should place inside your .htaccess file), will force all requests to the WHMCS folder to be done via https, unless it is the whmcs/dl.php file.

 

The code after, will force the whmcs/dl.php to redirect from https to http.

 

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

0
Link to comment
Share on other sites
  • Replies 175
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

  • 2 weeks later...
RPS Senior Member

RPS

Posted
  • Author
Posted
well im my own host, so how do i do it. i have full access cpanel.

- Ask in cPanel forums or WHT, not here in WHMCS. It's a hosting problem. Honestly though, if you don't know how to manage your server, you need to hire a server admin.

0
Link to comment
Share on other sites
  • 4 weeks later...
RPS Senior Member

RPS

Posted
  • Author
Posted
Is this fix still necessary with the release of Version 3.6?

- It is only required if you want to protect your pages via SSL. WHMCS only protects certain pages, I feel that more should be under SSL.

0
Link to comment
Share on other sites
danami Senior Member

danami

Posted
Posted

The big problem with the current implementation of WHMCS is that when you set the SSL URL it should actually force you to use SSL when viewing the admin backend.

 

Right now even with the SSL URL set .. an admin can login and view client/data, CC's all not using SSL.

 

Might be a good idea to change this, but if you are using SSL you should add this to your .htaccess (make sure that mod_rewrite is enabled) to redirect all admin access to go over SSL:

 

# Force SSL over admin area
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^whmcs/admin(/.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

0
Link to comment
Share on other sites
Blitztek - Sergio Junior Member

Blitztek - Sergio

Posted
Posted
The big problem with the current implementation of WHMCS is that when you set the SSL URL it should actually force you to use SSL when viewing the admin backend.

 

Right now even with the SSL URL set .. an admin can login and view client/data, CC's all not using SSL.

 

Might be a good idea to change this, but if you are using SSL you should add this to your .htaccess (make sure that mod_rewrite is enabled) to redirect all admin access to go over SSL:

 

# Force SSL over admin area
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^whmcs/admin(/.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

 

I have done as the OP instructed to do. However, I do not need to make the .htaccess file with all that code (from OP, and yours). But everything still goes over SSL (pages are all secure -- including the downloads page.

 

Is this something that happens from within the system (pages not encrypted), or do i have to write the .htaccess file.

 

Currently, if i have WHMCS system url as just http, and the SSL system url as 'https', the pages will NOT secure, but the admin panel will be. (if you go to https page, it will redirect to http.

 

Any idea why?

 

Currently, i have system url as https, and ssl system url as http, and it works fine.

0
Link to comment
Share on other sites
RPS Senior Member

RPS

Posted
  • Author
Posted
However, I do not need to make the .htaccess file with all that code (from OP, and yours).

- Why not?

 

Is this something that happens from within the system (pages not encrypted), or do i have to write the .htaccess file.

- Some links WHMCS use will go over http...

 

Currently, if i have WHMCS system url as just http, and the SSL system url as 'https', the pages will NOT secure, but the admin panel will be. (if you go to https page, it will redirect to http.

- Instructions in OP say to:

 

Open 'Configuration' -> 'General Configuration'

Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)

Set WHMCS SSL System URL to empty

0
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept