Protect using SSL

[benblee]

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://subdomain.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://subdomain.domain.com/$1 [R=301,L]

 

I tried this method and all seemed to work fine except that my serverstatus.php page would not show server load and server uptime. I did not wait until the cron task ran to see if it was affected too. I also added the following to see if it would ignore the request to run serverstatus.php in https or http and show the values, but it did not work:

RewriteCond %{REQUEST_URI} ^/serverstatus.php [NC]

 

I could very well have done something wrong here as my whmcs installation is on a subdomain of the form subdomain.domain.com instead of domain.com/subdomain. This was just what I noticed.

[Blueberry3.14]

With the current way WHMCS handles SSL, your clients can log in on pages that are not via SSL. There are also other areas that WHMCS forces to use http instead of https (I believe the announcements and knowledgebase are both without https).

 

You can use .htaccess to force everything to happen via https, however, file downloads will NOT work if this is the case.

 

When you try to download a file using rewrite rules that forces your URL to be https, IE has an issue with downloading files (in this case, the downloads page).

 

Open 'Configuration' -> 'General Configuration'

Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)

Set WHMCS SSL System URL to empty

 

The follow code (which you should place inside your .htaccess file), will force all requests to the WHMCS folder to be done via https, unless it is the whmcs/dl.php file.

 

The code after, will force the whmcs/dl.php to redirect from https to http.

 

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

 

You ROCK! I was trying to do the same thing, but was missing a couple of steps (mainly the downloads issue). Thank you so much for this.

[mediademon]

Thanks from me too!

 

Works great with IIS and ISAPI_Rewrite too!

 

Just need to remove the "Options +FollowSymLinks" Apache directive...

[Dannyarr]

I tried this method and all seemed to work fine except that my serverstatus.php page would not show server load and server uptime. I did not wait until the cron task ran to see if it was affected too. I also added the following to see if it would ignore the request to run serverstatus.php in https or http and show the values, but it did not work:

RewriteCond %{REQUEST_URI} ^/serverstatus.php [NC]

 

I could very well have done something wrong here as my whmcs installation is on a subdomain of the form subdomain.domain.com instead of domain.com/subdomain. This was just what I noticed.

 

Having the same problem. Did you manage to find a fix?

[mediademon]

#Rewrite the URL for WHMCS to always use https except for the certain files
RewriteCond %{REQUEST_URI} !^/serverstatus.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.yourdomain.com/pathtowhmcs/$1 [R=301,L]

#Rewrite the URL for certain WHMCS files to always use http
RewriteCond %{REQUEST_URI} ^/serverstatus.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.yourdomain.com/pathtowhmcs/$1 [R=301,L] 

Do you have it entered twice like above?

[Dannyarr]

Yes. Not sure why it's not working.

[VuDo0]

Thanks in advance. It really helped.

 

Regards,

John.

[ivaserver]

Works great thanks

[apollo1]

When you bring your car into the mechanic shop, do you simply tell the mechanic that your car "isn't working" ?

 

I do!

[stirton]

Stirton,

 

I have tested it and this code works like a charm when you put it in the htaccess file.

 

Thanks again.

 

Martin

 

Hi Martin,

 

Sorry I didn't reply earlier ... and I'm glad you're up and running.

 

All the best

Neil

[jdk]

Does this work with the newest update of WHMCS? I was using something like this and users were unable to login. I removed it and it worked. I converted back to the previous version and it worked too.

[mediademon]

Not working for me...

[bonked]

This worked great, except the address bar should turn green/blue when someone goes to the SSL (i payed extra). The blue address bar works in the Admin area, do you know how i can get it to work throughout the whole system?

[RPS]

Are you talking about in FF how it turns green when you are on an HTTPS connection?

 

If so, WHMCS has nothing to do with FF. It can't tell FF to turn green, blue, or change to any color...

 

If you followed the steps to make the page HTTPS, and FF's bar is still not green, then you may want to take it up with your SSL provider.

[bonked]

Well, when i click on the information, it says the page is partially encrypted. Maybe thats why?

 

What should I do to encrypt it fully, like the admin area has?

 

P.S.

 

I added:

 

RewriteEngine on

Options +FollowSymlinks

 

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file

RewriteCond %{REQUEST_URI} !^dl.php [NC]

RewriteCond %{REQUEST_URI} ^ [NC]

RewriteCond %{SERVER_PORT} !^443$

RewriteRule ^(.*)$ https://cp.valencehosting.com/$1 [R=301,L]

 

#Rewrite the URL for WHMCS dl area to always use http

RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]

RewriteCond %{SERVER_PORT} !^80$

RewriteRule ^(.*)$ http://cp.valencehosting.com/$1 [R=301,L]

 

to .htaccess in my WHMCS folder, as well as the root directory. All the pages are now https://, but like I said, their still only partially encrypted.

Edited January 28, 2009 by bonked

[RPS]

You may want to post your question with more details in a new thread.

 

I know that there are a few pages that are hard coded to NOT be over https. I don't remember what they are, but last time I checked, this htaccess code should fix it.

[xenorhosting]

I've done this. However when you visit my link (http://www.xenorhosting.com/billing) it just redirects to a http not https.

[RPS]

Your cert is installed for https://xenorhosting.com not https://www.xenorhosting.com

[Caffeine]

I followed the directions above. Here is my linke:

 

http://www.xfragging.com/clients

 

The problem is when people go there IE asks if I want to display some secure and non-secure items. I really need everything to be secure, which is what I thought editing the .htaccess file would do Does anyone have any suggestions?

 

Here is my .htaccess file:

 

# Use PHP5 Single php.ini as default

AddHandler application/x-httpd-php5s .php

RewriteEngine on

Options +FollowSymlinks

 

#Rewrite the URL for clients to always use https except for the clients/dl.php file

RewriteCond %{REQUEST_URI} !^/clients/admin/cron.php [NC]

RewriteCond %{REQUEST_URI} !^/clients/dl.php [NC]

RewriteCond %{REQUEST_URI} ^/clients/ [NC]

RewriteCond %{SERVER_PORT} !^443$

RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

 

#Rewrite the URL for clients dl area to always use http

RewriteCond %{REQUEST_URI} !^/clients/admin/cron.php [NC]

RewriteCond %{REQUEST_URI} ^/clients/dl.php [NC]

RewriteCond %{SERVER_PORT} !^80$

RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

 

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.xfragging.com$

RewriteRule ^order/?$ "http\:\/\/xfragging\.com\/order\/order\.php" [R=301,L]

 

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.xfragging.com$

RewriteRule ^gspanel$ "http\:\/\/69\.31\.15\.186\/" [R=301,L]

 

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.xfragging.com$

RewriteRule ^oadmin$ "http\:\/\/xfragging\.com\/order\/admin\/" [R=301,L]

 

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.xfragging.com$

RewriteRule ^forums$ "http\:\/\/www\.xfragging\.com\/forum" [R=301,L]

 

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.xfragging.com$

RewriteRule ^chat/download$ "http\:\/\/www\.livezilla\.net\/downloads\/files\/LiveZilla_3\.1\.7\.11_Setup\.exe" [R=301,L]

 

RewriteCond %{HTTP_HOST} ^my.xfragging.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.my.xfragging.com$

RewriteRule ^/?$ "http\:\/\/69\.31\.15\.186" [R=301,L]

 

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.xfragging.com$

RewriteRule ^/?$ "https\:\/\/xfragging\.com\/order\/order\.php" [R=301,L]

[bear]

@Caffiene:

Replied here with the reason you're seeing non-ssl content errors: http://forum.whmcs.com/showpost.php?p=91149&postcount=2

[Caffeine]

@Caffiene:

Replied here with the reason you're seeing non-ssl content errors: http://forum.whmcs.com/showpost.php?p=91149&postcount=2

 

Thank you bear!! You are amazing!

[ChrisGooding]

Just to add what bear has said in his other thread as it will no doubrt come up again.

 

It isnt always apparent in your files what to change. For example its not just images that will cause this issue, pieces of java code that are called, includes files of function files also cause this to happen.

 

Basically use the rule of thumb that if you use refer to ANY file or image on your web page, and use it in your template, have a duplicate copy of it ALL in your template directory

[Caffeine]

Alright, thank you!

[bonked]

I figured out: you need to have ALL objects on the page within your SSL area. This means you can not have unsecured items on your website...otherwise your page will only be partially encrypted.

[zigzap]

I've been playing with securing WHMCS as much as possible but pretty much given up on using https with anything other than the admin directory. It seems Cpanel pushes both https and http traffic through port 80 so a simple detection via Apache or PHP only causes an infinite loop. Also since I was asked to temporarily redirect an "admin" folder to the new admin page I have included that below as well.

 

Here is what I ended up using for my install.

 

# SSL Admin Folder
RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} myadminfoldername
RewriteRule ^(.*)$ https://my.domain.com/$1 [R,L]
Options +FollowSymlinks

 

# Redirect Admin Folder
Redirect /admin/ https://my.zigzap.com/myadminfoldername
Redirect /admin https://my.zigzap.com/myadminfoldername