How to Setup SSL for SimpleMachines Forum (SMF)

Having just gone thru this the first time myself, I thought I'd share my notes & explain each step (as best I can, anyway).
This is the stuff I wish I knew up front... Whether you are doing a new install or trying to diagnose an issue, follow these steps in sequence to get your site up & running.

These steps are generic enough to help you whether you are running under 2.0.x or 2.1.x.

(1.) Purchase & install your certificate. Yes, this is the first step. With a certificate installed, you can run either http:// or https://. If you do NOT have a certificate installed, you can only run http://. So...

If you do NOT have a certificate installed, and you change all your URLs to https://, your site will (POOF!) disappear... That's because your web server won't serve https:// content without the cert. Install the cert first...

(2.) Test your cert, to make sure it is installed & fully operational. There are lots of tools online that will help you confirm it works. One such tool: https://www.sslshopper.com/ssl-checker.html

(3.) Install an http to https redirect. Without the redirect, your web server will still attempt to serve up http:// upon request. So, for example, if you type in your forum's URL with http://, not https://, it will actually execute index.php insecurely. Themes probably won't work though, so you will probably get that weird, blank-page, text-only version of your site. A redirect will avoid lots of flaky behavior...

Here is a good, multi-purpose Apache example right here, that will redirect ALL http:// traffic to https://, and further, tell search engines this is a permanent change:
Code: [Select]
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Save the above as a text file named .htaccess, and place it in the root folder of your site. If you already have an .htaccess file, copy & paste the above at the top of the file.

There are many other .htaccess examples out there, e.g., if you only want specific folders redirected. This may be helpful if you have multiple forums, each in separate folders, and only some are https. If you have such complicated needs, Google is your friend...

(4.) If installing... Run the installer using https:// Using https:// is pretty important, as all URL settings created by the installer are based relative to how you invoke the installer. Invoking the installer as https:// will make sure all of your URLs internally are https:// at the outset. If you run the installer with http://, you will have to fix this later using repair_settings.php.

(5.) If installing 2.1... Select the Force SSL option.

(6.) Run repair_settings.php. **MAKE SURE YOU USE THE RIGHT ONE** There is a different repair_settings.php for SMF 2.1 up on Github! Using repair_settings.php, confirm the following URLs are all setup with https://, not http://:
- $boardurl
- Your Smileys URL
- Your Avatars URL
- Your Custom Avatars URL (if you have one)
- Your Theme URL (one for each theme!!!!)
- Your Theme/Images URL (one for each theme!!!!)

Save your settings, exit, & delete repair_settings.php.

I run repair_settings.php just as a safety measure, just to make sure it all went as expected... I'm paranoid & like double-checking things...

(7.) If you were running 2.1 already, go to the Admin | Maintenance | Server Settings | General and choose "Force SSL throughout the forum" at the Forum SSL Mode prompt.

(8.) If running 2.0.14+, or 2.1, consider activating the image proxy. You probably want to do this if your site has mixed http:// & https:// content. This happens if your forum members share a lot of images from other websites. If there are mixed http:// and https:// images on the same webpage, you will at least get a security warning, & you will more likely get broken links. This is because some browsers will not serve mixed http:// & https:// content as a security feature. SMF's image proxy feature will download http:// images locally, so SMF can turn around and serve them up https://. No more 'mixed' content issues. This will significantly reduce broken links and security warnings on your site. If your forum members share lots of images, you probably want the image proxy enabled.

NOTE: The upgrader doesn't change anything - if it finds a site http://, it leaves it http://. If it finds a site with https://, it leaves it that way.

What do you do if you're still having issues? Run repair_settings.php again & triple-check all your URLs...

Repair_settings may be found here:

2.0:
https://wiki.simplemachines.org/smf/Repair_settings.php

2.1:
https://github.com/SimpleMachines/tools/blob/master/repair_settings.php