Protect using SSL

[tiameg]

Not clear on exact steps of setting up ssl with latest v only.

Thanks

[HostBizLng]

tiameg,

 

I am not sure what do you mean by setting up SSL with latest version only? You setting up (install) your SSL on your server, where you host your WHMCS, and it has nothing to do with latest or any version of WHMCS. In general settings of you WHMCS you just set SSL URL where it asks and that's it. If your secure domain (to which SSL had been issued) is the same as your actual site domain, like I have, just put SSL URL in each field: SSL URL and Site URL, as I did. And if you want to force entire WHMCS to be connected through secure connection, then read this thread from the beginning, follow all steps, test it and see if it works for you, if it's not you are welcome to come back to this thread and make a post with an actual details and questions.

 

Sincerely,

Serg

[jeds]

Not clear on exact steps of setting up ssl with latest v only.

Thanks

 

I am running V4.02. Followed the steps in OP and it works fine.

 

Couple of observations in IE (Just upgraded to V8, no other to test):

It's interesting that IE bolds the "https" and the domain in the address bar.

Second, The downloads.php page is secured, and the download worked fine. Just hard to tell if the download itself (dl.php) was not, or if IE8 fixed the issue.

 

[easyhosting]

easyhosting,

 

Yes! Awareness raised and appropriate actions are taken. Your website pages weren't secure at the time I checked it though, but if you don't want to admit it, that's fine.

 

Note: You forced your non WHMCS pages to use secure connection, yet you haven't forced all your WHMCS pages to use secure connection yet, as it is still have non-secure pages with loggin fields.

 

Update: when I enter your address with http, manually, as that's what most internet users do (they don't type https by default) your website loads over non-secure connection, and after that the links I click they are non-secured. You need to go to the first post, and follow all the steps RPS suggested and then when your clients would simply type your URL without actually typing 'https' your website would force secure connection by default.

 

And that's the point of this thread!

 

So, do you still think that it is not important to use all WHMCS system pages over (https) secure connection?

 

Sicnerely,

Serg

 

i take offence at this. ALL my site pages are secure

[HostBizLng]

easyhosting,

 

No need to take offense. You read this thread, you communicated your opinion, then received response from us regarding your opinion; consequently, you took steps in further securing your site. Good luck with your business!

 

Sincerely,

Serg

[easyhosting]

easyhosting,

 

No need to take offense. You read this thread, you communicated your opinion, then received response from us regarding your opinion; consequently, you took steps in further securing your site. Good luck with your business!

 

Sincerely,

Serg

 

I did take offence as all my pages etc are secure and have been secure since setting up the website. their was a minor clitch when i changed servers.

 

I have been ontline trading for over 10 years and if i set a site up that will take customer details then the first thing i do id get a dedicated IP and SSL cert and secure the site.

[boifromoz]

Im having alot of trouble with this.....newbie to whmcs and never used SSL before...

 

Setup my cert no problems there it was pretty easy in WHM now just issues using the code in the first post im wondering if this is a problem because im using 4.02

 

Heres my current .htaccess un-edited and curious should the previous posts not apply to my version?:

 

RewriteEngine On

 

 

 

# Announcements

 

RewriteRule ^announcements/([0-9]+)/[a-z0-9_-]+\.html$ ./announcements.php?id=$1 [L,NC]

 

RewriteRule ^announcements$ ./announcements.php [L,NC]

 

 

 

# Downloads

 

RewriteRule ^downloads/([0-9]+)/([^/]*)$ ./downloads.php?action=displaycat&catid=$1 [L,NC]

 

RewriteRule ^downloads$ ./downloads.php [L,NC]

 

 

 

# Knowledgebase

 

RewriteRule ^knowledgebase/([0-9]+)/[a-z0-9_-]+\.html$ ./knowledgebase.php?action=displayarticle&id=$1 [L,NC]

 

RewriteRule ^knowledgebase/([0-9]+)/([^/]*)$ ./knowledgebase.php?action=displaycat&catid=$1 [L,NC]

 

RewriteRule ^knowledgebase$ ./knowledgebase.php [L,NC]

[boifromoz]

*again* I did have a nice comment which was deleted.........ANYWAYS,

 

a much shorter version *due to laziness* is, I been having alot of trouble using the code in the first post.

 

Im using V4.02 -Updated .htaccess code needed perhaps?

 

SSL Cert installed blah blah

 

seems to be a much different code that i got to what you guys have listed in previous posts.

Edited July 8, 2009 by boifromoz
gained a burst of energy to put more typing in

[bear]

*again* I did have a nice comment which was deleted.

 

Not deleted, auto-moderated. Now approved.

[racksurfer]

Assuming you therefore have your WHMCS in the 'root' of the sub-domain, I would guess that slight mod to the above should work ...

 

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://mysub.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://mysub.domain.com/$1 [R=301,L]

 

I have a installed a valid SSL . I have the exact code in my .htaccess. However, the page is partially encrypted. The admin section is fully secured. How is it I can't seem to get the all of my whmc pages fully protected.

 

Also a note that I have noticed is that, if someone redirects using cPanel's <redirect> option it get hung in Firefox. Does someone know, how and why it does that?

 

Spread the knowledge

[boifromoz]

any update would be nice my sites been up 5 minutes and already people are trying to break in

[redrat]

The answer to your first question,

I have a installed a valid SSL . I have the exact code in my .htaccess. However, the page is partially encrypted. The admin section is fully secured. How is it I can't seem to get the all of my whmc pages fully protected.

is most likely because of your WHMCS images not being secured. If you have integrated it other images may be implicated. Check the image URLs use https. Edited July 12, 2009 by redrat

[redrat]

Please ignore post #137 above. It was posted in error.

[racksurfer]

The answer to your first question,is most likely because of your WHMCS images not being secured. If you have integrated it other images may be implicated. Check the image URLs use https.

 

That could be, I use some images from a different site to feed my whmcs layout, but maybe i should copy them over and change the css.

 

I will try that later. I'll let update yeah.

[DedicatedPros]

That's primarily why you should use full urls in your designs, just link like this:

 

<img src="my/image/folders/image.png" alt="image" />

 

That way everything will work fine even if you change urls, or want to use the server while your DNS is propagating (ie. instead of domain.com/image.png, you'd want IP.XX.XX.XXX/image.png).

[bear]

That's primarily why you should use full urls in your designs, just link like this:

 

<img src="my/image/folders/image.png" alt="image" />

 

That way everything will work fine even if you change urls, or want to use the server while your DNS is propagating (ie. instead of domain.com/image.png, you'd want IP.XX.XX.XXX/image.png).

 

That isn't a "full URL", that's a document relative URL. There are three basic types of addressing.

• Document relative (starts with the file it's called from and traverses directories from there: (.file.gif or ./file.gif or file.gif or ../file.gif or ../directory/file.gif)
   
  
• Root relative, which starts from the lowest point in the heirarchy, the document root: (/file.gif or /directory/file.gif)
   
  
• Absolute (or "full") URL, which goes out to the web server to start looking. It's this that often breaks SSL when the coder forgets to make this httpS: https://example.com/file.gif or https://example.com/directory/file.gif

[DedicatedPros]

Sorry, I meant to write "you shouldn't" :> Can't edit the post, its too late

[rightalternative]

The above mentioned solution works only if WHMCS is installed under sub directory i.e. http://www.xyz.com/members, what if the installtion is under the main domain name i.e. http://www.xyz.com, what can be done ?

[rightalternative]

The above mentioned solution works only if WHMCS is installed under sub directory i.e. http://www.xyz.com/members, what if the installtion is under the main domain name i.e. http://www.xyz.com, what can be done ?

[DedicatedPros]

The above mentioned solution works only if WHMCS is installed under sub directory i.e. http://www.xyz.com/members, what if the installtion is under the main domain name i.e. http://www.xyz.com, what can be done ?

 

You just need to specify the correct folders, if the whmcs is installed under the root directory than all you need to do is edit the image location. The solution below will work if your image location is http://www.xyz.com/images/image.png:

<img src="images/image.png" alt="image" />

[Rae]

I just want to add to this thread with something I just encountered. We were having problems similar to what you were experiencing. The links were being forced from http to https and the pages were erring out.

 

Scenerio: Our SSL certificate is set to http://www.domain.com which in essence matches our website. Our website uses Joomla. The WHMCS program is installed as a subdirectory under our website's directory (http://www.domain.com/whmcs/). Joomla has its own .htaccess file. WHMCS has its own .htaccess file if you choose to use it for SEF purposes. We set the domain in the WHMCS general settings to be:

 

WHMCS System URL: http://www.domain.com/whmcs/

WHMCS SSL System URL: https://www.domain.com/whmcs/

 

When you clicked on a link the page would err out.

 

After spending hours checking the server for why this wasn't working correctly, this is what we found out.

 

First, because Joomla has its own .htaccess file which controls the entire domain/website, it was controlling the URL that any subdirectory would be using (including any .htaccess file that WHMCS was using). Furthermore, we had the configuration setting in Joomla set to "domain.com" not "www.domain.com." This was causing a mismatch for the settings in the WHMCS program. Basically, forcing any http://www.domain.com to domain.com which would then be forced back by WHMCS from domain.com back to http://www.domain.com. An endless loop.

 

Second, we found that we could force the entire WHMCS site to be secure by adding the "s" to all of the "http:" in the General Settings.

 

Additionally, if you have to make your downloads.php area not secure for it to work for downloads, it should work if you edit the template for the downloads links to hard-code the URLs as http://www.domain.com/whmcs/download.php, thus bypassing the SSL certificate.

 

I hope this provides additional help for some.

 

Best wishes,

Rae

[mafiosom]

Im using ver 4.02 and also encountered the same problem. When i enabled the SSL site on the general settings, most of the images on my client portal cannot be displayed. When using firefox the nav links doubled (IE and Chrome no problem ). I already checked the links on the template and im sure theyre all root relative links. I host images at the same folder (default)

 

view site

https://www.nsmonster.com/clientportal/whmcs/clientarea.php

 

Any suggestion? Ive also tried altering .htaccess file but it didnt work.

[quietfinn]

 

view site

https://www.nsmonster.com/clientportal/whmcs/clientarea.php

 

Any suggestion? Ive also tried altering .htaccess file but it didnt work.

 

I don't see any problems there... or maybe you figured it out already?

[annomander]

A quick question, my site is totally built around WHMCS, I'm just in the process of obtaining a SSL cert for the site,

 

as I only want to protect certain areas of WHMCS, eg,register, purchases, login etc, as you can imagine I don't require my custom template pages to be protected, so does WHMCS automatically decide which parts need to be https and which parts need to be http, or do I need to fiddle with the htaccess file? iI'm currently using a htaccess redirect for seo purposes so that all http://site traffic is directed to http://www.site

 

 

cheers

[HostBizLng]

Hello annomander,

 

If your custom pages do not transmit sensitive customer information over the internet, I believe you are good. WHMCS does forces secure (https) connection by default on registration page, shopping cart, and loggin page. The only reason this thread was started is because of mainly loggin fields on other unsecured pages and other forms that might transmit sensitive information on pages other than registration, shopping cart, and client loggin pages.

 

Besides that, in my personal case, as I set my website to force entire website over secure (https) connection, I began to like the idea of showing my customers that my website is secure. As every page of my website is transmitted over secure https connection, my customers are able to see and verify my SSL certificate at any time, while browsing any page of my website. It might not be that important to force entire website over https connection, but I believe that in times when online security is a big concern to online consumers, it is one of the steps that I made, small but none the less reassuring one. Also, besides forcing entire website over https connection, I hosted entire website under subdomain https://secure.mydomain.com,'>https://secure.mydomain.com, so no matter on which page my customers are they always see https://secure...

 

Sincerely,

 

Serg