HostBizLng Posted May 26, 2009 (edited)

RPS,

Ok, I see what you mean. No, it's not redirecting from http to https if the URL path with an http request is typed manually into the browser, but all my WHMCS links are based on and directed through secure https requests (on click). Nevertheless, now I see the reason to edit the .htaccess file. Thank you RPS!

Sincerely,
Serg

Edited May 26, 2009 by HostBizLng

RPS (Author) Posted May 26, 2009

No worries. I just don't want my clients to be able to login on a page that doesn't have a secure browser lock icon. It's not the potential lack of security, it's the fact that the client sees the info is being entered on a non-secure connection.

HostBizLng Posted May 27, 2009

Hello,

Maybe I am missing something, but I followed the steps in the first post, and tried different ways to edit .htaccess, but I cannot make it work, and no matter what I do my site has no changes whatsoever. It just doesn't change anything, as if I did not edit .htaccess at all.

Sincerely,
Serg

RPS (Author) Posted May 27, 2009

You should contact the admins of the server and find out why .htaccess isn't working.

HostBizLng Posted May 27, 2009

Hi RPS,

Ok, I gave it some time, and tried again. Now it's working like a charm. It turned out I was editing the wrong .htaccess file (still learning). Thank you for your help!

I would note though, that it works just as it should, without any issues, but I did not follow all the steps you listed in your initial post. I did not leave blank 'WHMCS SSL system URL'. I don't know what this step actually accomplishes, but let me know if it is important. Other than that it works great!

Sincerely,
Serg

RPS (Author) Posted May 27, 2009

> I did not leave blank 'WHMCS SSL system URL'. I don't know what this step actually accomplishes, but let me know if it is important. Other than that it works great!

I don't remember why that step was involved. Please go through your WHMCS and make sure that everything works. It was probably listed as a step for a very important reason. It's been a while so I don't remember exactly what that reason was.

HostBizLng Posted May 27, 2009 (edited)

RPS,

I did check, and it works fine.

Another thing though, is about the downloads page. I understand that the main concern that brought this fix around is non-secure pages that might transmit sensitive information, but what about the downloads page? In the V4 portal template there are login fields on the side of every page, including the downloads page. Now, I still want to try to test downloads over a secure connection on different browsers and see how bad it is. Otherwise, login fields would have to be removed from the downloads page. I still don't feel comfortable about leaving the downloads page non-secure. Besides, I might be wrong, while a customer is logged in, even on the downloads page in V4 there's that customer's personal info being transmitted on the side of the page. It might be removed from the dl page too, I guess.

And what is the difference between downloads.php and dl.php? I have both in my WHMCS. Which exactly have to be edited in the htaccess file? I did downloads.php and it works, but just wondering, since in your initial post you noted about dl.php?

Thank you.

Sincerely,
Serg

Edited May 27, 2009 by HostBizLng

RPS (Author) Posted May 27, 2009

I believe the dl.php file is used to serve up the downloads. The downloads.php just displays the available downloads.

If you remove the stuff in the .htaccess regarding the dl.php page, it should send everything with forced encryption, and the download should fail in IE. I haven't tried this on the latest version, but you can give it a shot and see how it works on your end.

> Which exactly have to be edited in htaccess file?

All you have to do is follow what's in the first post. Don't add/remove anything else, just use it exactly as it appears. Edit the domain name setting, and you should be set.

HostBizLng Posted May 28, 2009 (edited)

RPS,

Thank you for clarifying about 'downloads.php' and 'dl.php'.

Concerning IE, I took a little time to test it, but unfortunately I still don't understand what the problem is with using downloads (dl.php) over a secure connection in IE. I tested downloads on IE 6 & 7, both over a secure connection and non-secure (with .htaccess and without, although with .htaccess the IE properties information still stated that dl.php was connected through a secure connection??? That would be another concern). But anyway, I tested downloading PDF, ZIP, and Exe files, but did not have any issues either over a secure connection or over a non-secure connection.

What exactly is the issue with IE, and with which versions exactly? If someone actually experienced problems, please be so kind as to reply. Otherwise, what are we talking about here? I knew that "some" people experienced some issues with "downloading in general" while using IE, not just over a secure connection, but does it mean that everyone is experiencing these issues? No, because there are always some people who experience issues where they actually shouldn't experience any, and then they 'blow a whistle' without getting to the bottom of it and finding the actual cause of the problem (I know that from personal experience and self-reflection, I was like that too).

Sincerely,
Serg

Edited May 28, 2009 by HostBizLng

RPS (Author) Posted May 28, 2009

Here's a way to test it...

1) Use the exact example inside the .htaccess of the OP
2) Using IE6 and IE7, go to the downloads page and download a zip file
3) Now edit the .htaccess and remove the line regarding the downloads, the new .htaccess should look like this:

    RewriteEngine on
    Options +FollowSymlinks
    #Rewrite the URL for WHMCS to always use https
    RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

Repeat step 2 and report back.

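
The three directives in the post above, modelled in Python so their effect on different requests can be checked without a browser. This is an added example, not code from the thread; it assumes the .htaccess sits in the document root, uses the post's placeholder host www.domain.com, and the request URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Model of the ruleset quoted above, assuming the .htaccess sits in the document
# root, so the RewriteRule pattern sees the path without its leading "/".
TARGET = "https://www.domain.com/"                 # placeholder host from the post
COND_URI = re.compile(r"^/whmcs/", re.IGNORECASE)  # REQUEST_URI ^/whmcs/ [NC]
COND_PORT = re.compile(r"^443$")                   # negated by "!" in the post
RULE = re.compile(r"^(.*)$")


def evaluate(url, server_port):
    """Return (status, location) for a request, or (None, None) if no rewrite."""
    parts = urlsplit(url)
    if not COND_URI.search(parts.path):
        return None, None          # outside /whmcs/: the rule does not apply
    if COND_PORT.search(str(server_port)):
        return None, None          # already arrived on port 443
    captured = RULE.match(parts.path[1:]).group(1)
    location = TARGET + captured
    if parts.query:                # mod_rewrite keeps the original query string
        location += "?" + parts.query
    return 301, location


# Constructed sample requests: (URL as requested, port Apache received it on).
SAMPLES = [
    ("http://www.domain.com/whmcs/clientarea.php", 80),
    ("http://domain.com/WHMCS/dl.php?id=3", 80),
    ("https://www.domain.com/whmcs/clientarea.php", 443),
    ("http://www.domain.com/index.php", 80),
]

if __name__ == "__main__":
    for url, port in SAMPLES:
        print(url, port, "->", evaluate(url, port))
```

The last sample shows that pages outside /whmcs/ stay on http under these rules. Because the condition tests SERVER_PORT, a backend that receives already-decrypted traffic on port 80 from a TLS-terminating proxy would be redirected to the same https URL again.
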
HostBizLng Posted May 28, 2009

Yes,

Just did what you asked me, but did not have any issues with downloads using IE. Maybe after all it's also about the upgrades, patches, and fixes that I've been installing for a long time. You know a lot of people do not bother themselves with upgrading and installing fixes and patches. Anyway, I would leave this for later.

But would you mind accessing your site with the edited .htaccess (just like in your first post) through IE, go to downloads and click to download a file (without actually trying to download it), then click File>Properties and tell me what kind of connection Properties states dl.php is using. I would appreciate it. Because mine, according to Properties, seems to still be using a secure connection.

Sincerely,
Serg

RPS (Author) Posted May 28, 2009

I don't have the latest version of WHMCS up yet. Could you set up your install with:

    RewriteEngine on
    Options +FollowSymlinks
    #Rewrite the URL for WHMCS to always use https
    RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

and then PM me a link to download a zip file?

RPS (Author) Posted May 28, 2009

Serg,

Thanks for the PM. I verified that the downloads and every other area within WHMCS was forced to use SSL on YOUR installation. Assuming you have not changed anything, and followed directions exactly as I mentioned, then the issue is now resolved. I verified this in IE 6 and IE 7.

I'd like to get one other person to verify it before I update my first post. One of my clients runs WHMCS, so I think I'll be able to get him to test it out too.

Thanks for going through it all!

HostBizLng Posted May 28, 2009 (edited)

No problem RPS,

Anything I can do to make WHMCS run smoothly.

By "... issue is now resolved" did you mean the issue might have been resolved in V4? If yes, then I agree with you, I thought this issue might have been resolved in V4 to begin with. And it would be great if other V4 users would take a little time to test their V4 installations just the way we did, to confirm that it is actually an improvement in V4.

To all WHMCS users: If you conducted the test suggested by RPS (below) in V4 with IE, please let us know your results in this thread. Thank you!

> Here's a way to test it...
>
> 1) Use the exact example inside the .htaccess of the OP
> 2) Using IE6 and IE7, go to the downloads page and download a zip file
> 3) Now edit the .htaccess and remove the line regarding the downloads, the new .htaccess should look like this:
>
>     RewriteEngine on
>     Options +FollowSymlinks
>     #Rewrite the URL for WHMCS to always use https
>     RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
>     RewriteCond %{SERVER_PORT} !^443$
>     RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]
>
> Repeat step 2 and report back.

Sincerely,
Serg

Edited May 28, 2009 by HostBizLng

easyhosting Posted May 28, 2009

Why have the whole of WHMCS as https? As long as the ordering process etc. is done under https then everything is OK. I use an SSL with my WHMCS and have no problems.

RPS (Author) Posted May 28, 2009

> Why have the whole of WHMCS as https? As long as the ordering process etc. is done under https then everything is OK. I use an SSL with my WHMCS and have no problems.

See post: http://forum.whmcs.com/showpost.php?p=106232&postcount=102

easyhosting Posted May 28, 2009

> See post: http://forum.whmcs.com/showpost.php?p=106232&postcount=102

I use https and when a client signs in they are within the https area, so it is secure.

HostBizLng Posted May 28, 2009 (edited)

easyhosting,

I am using V4, and in the V4 portal template there are login fields on every single page throughout the system (I mean every single page). And I love that about V4. And it's not secure to transmit login information over a non-secure connection. Or is it?

The other thing: internet security becomes a big issue when it comes to conducting business online, and I would love to build my entire online business to be as secure as possible, and use it as part of my company's image. And when it comes to serious clients, it is so easy to lose them if they suspect that it is not secure to conduct business through a not-so-secure website. If you don't care about that, it's up to you.

I use SSL with my WHMCS and have no problems either, but just want to make it more secure. How much security on the internet do you think is enough?

Sincerely,
Serg

Edited May 28, 2009 by HostBizLng

HostBizLng Posted May 28, 2009 (edited)

easyhosting,

Haha, I just went to your website, and you have client login fields on many non-secure pages. So how does it make your website secure?

Update: And actually, I went back and realized that when I clicked on the clients and order links, your system does not force a secure connection by default. How about that?

Update: And just a heads up, I counted 11 non-secure pages on your website that would transmit your clients' login info over a non-secure connection!!!

Sincerely,
Serg

Edited May 28, 2009 by HostBizLng

easyhosting Posted May 28, 2009

> easyhosting,
>
> Haha, I just went to your website, and you have client login fields on many non-secure pages. So how does it make your website secure?
>
> Update: And actually, I went back and realized that when I clicked on the clients and order links, your system does not force a secure connection by default. How about that?
>
> Update: And just a heads up, I counted 11 non-secure pages on your website that would transmit your clients' login info over a non-secure connection!!!
>
> Sincerely,
> Serg

You can go to my site https://easyasabc-hosting.com/ and find ALL pages are secure.

HostBizLng Posted May 28, 2009 (edited)

easyhosting,

Yes! Awareness raised and appropriate actions are taken. Your website pages weren't secure at the time I checked it though, but if you don't want to admit it, that's fine.

Note: You forced your non-WHMCS pages to use a secure connection, yet you haven't forced all your WHMCS pages to use a secure connection yet, as it still has non-secure pages with login fields.

Update: when I enter your address with http, manually, as that's what most internet users do (they don't type https by default), your website loads over a non-secure connection, and after that the links I click are non-secured.

You need to go to the first post, and follow all the steps RPS suggested, and then when your clients simply type your URL without actually typing 'https' your website would force a secure connection by default. And that's the point of this thread!

So, do you still think that it is not important to use all WHMCS system pages over a (https) secure connection?

Sincerely,
Serg

Edited May 28, 2009 by HostBizLng

HostBizLng Posted May 28, 2009 (edited)

Example: type your URL with 'http' without typing 'https', or without typing either http or https, just your URL, as all browsers use an http request by default, and see if your site forces a secure connection. If it doesn't, go to the first post of this thread.

Sincerely,
Serg

Edited May 28, 2009 by HostBizLng

RPS (Author) Posted May 29, 2009

Serg is right, you should force https for when people visit the http and have to enter confidential info. Clients aren't smart enough to tell the difference.

> I use https and when a client signs in they are within the https area, so it is secure.

Your clients will be able to enter their password on a page that doesn't have the secure lock icon. To me, that's a problem.

> You can go to my site https://easyasabc-hosting.com/ and find ALL pages are secure.

Yes, if the client manually adds the "s" to http, then you are right, it will be secure. However, most of my clients don't even know what HTTPS means. They know they are secure when the browser shows a lock. Without a lock icon, they believe hackers may be able to steal their information.

CodeX Posted June 13, 2009

So I have followed everything on here, client area/support pages, the lot are protected just fine, but now I'm wondering if it's possible to secure the WHMCS admin log in page? Is this done by securing the entire WHMCS Dir or can you specify this page alone in the .htaccess file?

Ty,
-Sam.B

HostBizLng Posted June 15, 2009

Codex,

As long as your secure sub-domain is the same one you issued your WHMCS license to, then you don't have to do anything to access the admin area through your SSL.

Sincerely,
Serg