With the current way WHMCS handles SSL, your clients can log in on pages that are not via SSL. There are also other areas that WHMCS forces to use http instead of https (I believe the announcements and knowledgebase are both without https).

You can use .htaccess to force everything to happen via https, however, file downloads will NOT work if this is the case.

When you try to download a file using rewrite rules that forces your URL to be https, IE has an issue with downloading files (in this case, the downloads page).

Open 'Configuration' -> 'General Configuration'
Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)
Set WHMCS SSL System URL to empty

The follow code (which you should place inside your .htaccess file), will force all requests to the WHMCS folder to be done via https, unless it is the whmcs/dl.php file.

The code after, will force the whmcs/dl.php to redirect from https to http.

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

This worked great!, thanks.

Dave.

Agree with ruskyhost, this worked great. Was getting certificate error before I tried this now no problems. Thanks !!

This is not working for me. I did the config thing, edited the .htaccess and nothing. Someone help please...

What do you mean by "not working"

When you bring your car into the mechanic shop, do you simply tell the mechanic that your car "isn't working" ?

http://www.cod4gs.com/my/

Go try to order something with Google Checkout. You will see what I mean. I think the problem is that I have an old certificate on there, but I did not know how to check and take it off.

Help....

Your SSL cert is for dindarahosting.com, not cod4gs... You need to contact your host to fix this.

they dont know how.

they dont know how.
- Find a new host then :)

It's like asking your auto mechanic to replace your tire, and the guy looks at you and says "I don't know how to replace a tire"

well im my own host, so how do i do it. i have full access cpanel.

well im my own host, so how do i do it. i have full access cpanel.
- Ask in cPanel forums or WHT, not here in WHMCS. It's a hosting problem. Honestly though, if you don't know how to manage your server, you need to hire a server admin.

well im my own host, so how do i do it. i have full access cpanel.

Currently it appears you suspended your own site?

http//www.cod4gs.com/my/ (http://www.cod4gs.com/my/)
currently loads:
http://nsanewebhosting.org/suspended.page/

Maybe when he said he was his own host, he meant he was only a reseller?

Maybe when he said he was his own host, he meant he was only a reseller?

Yeah could be since they also said:

i have full access cpanel.

8)

Is this fix still necessary with the release of Version 3.6?

I should use ssl but I just am afraid it might make my pages slow

Is this fix still necessary with the release of Version 3.6?
- It is only required if you want to protect your pages via SSL. WHMCS only protects certain pages, I feel that more should be under SSL.

The big problem with the current implementation of WHMCS is that when you set the SSL URL it should actually force you to use SSL when viewing the admin backend.

Right now even with the SSL URL set .. an admin can login and view client/data, CC's all not using SSL.

Might be a good idea to change this, but if you are using SSL you should add this to your .htaccess (make sure that mod_rewrite is enabled) to redirect all admin access to go over SSL:


# Force SSL over admin area
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^whmcs/admin(/.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

how much should I buy ssl can any body please guide me?
I do not need the best one just the basic will do

thanks

Good Post.

jnet, simply search "ssl certificates" in Google, you will find tons of results.

how much should I buy ssl can any body please guide me?
I do not need the best one just the basic will do

thanks
Have a look at Namecheap.com (http://www.namecheap.com/learn/other-services/ssl-certificates.asp)

They have certs starting at $12.88

The big problem with the current implementation of WHMCS is that when you set the SSL URL it should actually force you to use SSL when viewing the admin backend.

Right now even with the SSL URL set .. an admin can login and view client/data, CC's all not using SSL.

Might be a good idea to change this, but if you are using SSL you should add this to your .htaccess (make sure that mod_rewrite is enabled) to redirect all admin access to go over SSL:


# Force SSL over admin area
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^whmcs/admin(/.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]


I have done as the OP instructed to do. However, I do not need to make the .htaccess file with all that code (from OP, and yours). But everything still goes over SSL (pages are all secure -- including the downloads page.

Is this something that happens from within the system (pages not encrypted), or do i have to write the .htaccess file.

Currently, if i have WHMCS system url as just http, and the SSL system url as 'https', the pages will NOT secure, but the admin panel will be. (if you go to https page, it will redirect to http.

Any idea why?

Currently, i have system url as https, and ssl system url as http, and it works fine.

However, I do not need to make the .htaccess file with all that code (from OP, and yours).
- Why not?

Is this something that happens from within the system (pages not encrypted), or do i have to write the .htaccess file.
- Some links WHMCS use will go over http...

Currently, if i have WHMCS system url as just http, and the SSL system url as 'https', the pages will NOT secure, but the admin panel will be. (if you go to https page, it will redirect to http.
- Instructions in OP say to:

Open 'Configuration' -> 'General Configuration'
Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)
Set WHMCS SSL System URL to empty

- Why not?

Because with just doing:

Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)
Set WHMCS SSL System URL to empty

It works fine without the .htaccess

All that code does in the .htaccess file is FORCE your admin users to use ssl. If you already call https then yes it will use it.

Without it you or your admin staff might forget to use https and your data will be sent unsecure.

It works fine without the .htaccess
- Oh ok.. I thought it wasn't working. Glad it works fine now :)

If I've my main site only as: https://whmcs.site.com and no SSL URL. It doesn't make any effect when someone types: http://whmcs.site.com, he will never be forced to use SSL.
Am I right ?

This thread is for protecting your pages via SSL. The code in the first post will force most pages to be SSL.

Is the script not working for you? Did you follow all of the steps?

Works perfect. Thank You :)

Works great, thank you very much.

This has resolved some issues I was worried about (such as the WHMCS Back end and SSL)

Worked well, glad to see this (I'm not htaccess-literate and wouldn't have known how to do this) as it greatly improves security.

I'll have to try it out. Thank you so much for sharing this!

The only issue i have with this is when i put the .htaccess in my cron jobs stop working, as soon as the code is put into the .htaccess for redirect the cron jobs are gone. Is there something i can put in to prevent this happening?.

The only issue i have with this is when i put the .htaccess in my cron jobs stop working, as soon as the code is put into the .htaccess for redirect the cron jobs are gone. Is there something i can put in to prevent this happening?.
- Try this untested code instead:

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} !^/whmcs/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

Btw, do you have an SSL cert currently installed?

Hi, this was a great tip. I used it and it works great. My .htaccess file was blank. I downloaded it to my desktop, added the code, named the file ht.txt, uploaded it to my server, then renamed the file .htaccess. Made the mods in the config area, and it works great.

Thanks for the post. Things are getting better all the time.

- Try this untested code instead:

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} !^/whmcs/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

Btw, do you have an SSL cert currently installed?


Yes i have a ssl cert installed and active.

When i put a .htaccess file into my public_html i get a Internal Server Error 500 error in WHMCS

Add each line in steps and see where the problem lies...

Start with this:

RewriteEngine on

Then

RewriteEngine on
Options +FollowSymlinks

Then

Then RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

I get the error as soon as i create the .htaccess file

I fixed it. Thanx for your help the mod worked.

Care to post the fix so the next person with the htaccess problem knows what to do?

Can someone guide me how to use this on a sub-domain?

So that I can use it on http:// sub.domain.com :roll:

Regards,
Martin

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} !^/whmcs/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L][/php]

Can someone guide me how to use this on a sub-domain?

So that I can use it on http:// sub.domain.com :roll:

Regards,
Martin

I second this, this code doesn't work if your using a subdomain.....and if your trying to protect it using ssl for the admin either. Any help would be greatly appreciated......

Is there non who can tell me (and others) how this can be done with a sub domain:?

Assuming you therefore have your WHMCS in the 'root' of the sub-domain, I would guess that slight mod to the above should work ...


RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://subdomain.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://subdomain.domain.com/$1 [R=301,L]

Stirton,

Thanks for the explanation, will trying it later and let know the outcome here.

Regards,
Martin

Assuming you therefore have your WHMCS in the 'root' of the sub-domain, I would guess that slight mod to the above should work ...

Stirton,

I have tested it and this code works like a charm when you put it in the htaccess file.

Thanks again.

Martin

Assuming you therefore have your WHMCS in the 'root' of the sub-domain, I would guess that slight mod to the above should work ...


RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://subdomain.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://subdomain.domain.com/$1 [R=301,L]

it works great. Thanks

I think you can actually simplify it down to about four lines (this is for the subdomain case):


RewriteEngine on

# Redirect WHMCS to secure server
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]


And as detailed in the first post, set your WHMCS SSL System URL to blank, with an https:// entry in the 'standard' system URL setting.

This works (including dl.php) in IE7, FireFox and Safari. I don't have IE6 to try anymore.

I think you can actually simplify it down to about four lines (this is for the subdomain case):


RewriteEngine on

# Redirect WHMCS to secure server
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]


And as detailed in the first post, set your WHMCS SSL System URL to blank, with an https:// entry in the 'standard' system URL setting.

This works (including dl.php) in IE7, FireFox and Safari. I don't have IE6 to try anymore.

This slims it down, but does it avoid the downloads section problem as mentioned in the very first post. I know most web people don't use IE, but most stats say that over 70% of we browser use is IE...so, I guess I have to cater to it for now:?

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://subdomain.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://subdomain.domain.com/$1 [R=301,L]


I tried this method and all seemed to work fine except that my serverstatus.php page would not show server load and server uptime. I did not wait until the cron task ran to see if it was affected too. I also added the following to see if it would ignore the request to run serverstatus.php in https or http and show the values, but it did not work:
RewriteCond %{REQUEST_URI} ^/serverstatus.php [NC]

I could very well have done something wrong here as my whmcs installation is on a subdomain of the form subdomain.domain.com instead of domain.com/subdomain. This was just what I noticed.

With the current way WHMCS handles SSL, your clients can log in on pages that are not via SSL. There are also other areas that WHMCS forces to use http instead of https (I believe the announcements and knowledgebase are both without https).

You can use .htaccess to force everything to happen via https, however, file downloads will NOT work if this is the case.

When you try to download a file using rewrite rules that forces your URL to be https, IE has an issue with downloading files (in this case, the downloads page).

Open 'Configuration' -> 'General Configuration'
Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)
Set WHMCS SSL System URL to empty

The follow code (which you should place inside your .htaccess file), will force all requests to the WHMCS folder to be done via https, unless it is the whmcs/dl.php file.

The code after, will force the whmcs/dl.php to redirect from https to http.

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

You ROCK! I was trying to do the same thing, but was missing a couple of steps (mainly the downloads issue). Thank you so much for this.

Thanks from me too!

Works great with IIS and ISAPI_Rewrite too!

Just need to remove the "Options +FollowSymLinks" Apache directive...

I tried this method and all seemed to work fine except that my serverstatus.php page would not show server load and server uptime. I did not wait until the cron task ran to see if it was affected too. I also added the following to see if it would ignore the request to run serverstatus.php in https or http and show the values, but it did not work:
RewriteCond %{REQUEST_URI} ^/serverstatus.php [NC]

I could very well have done something wrong here as my whmcs installation is on a subdomain of the form subdomain.domain.com instead of domain.com/subdomain. This was just what I noticed.

Having the same problem. Did you manage to find a fix?

#Rewrite the URL for WHMCS to always use https except for the certain files
RewriteCond %{REQUEST_URI} !^/serverstatus.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.yourdomain.com/pathtowhmcs/$1 [R=301,L]

#Rewrite the URL for certain WHMCS files to always use http
RewriteCond %{REQUEST_URI} ^/serverstatus.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.yourdomain.com/pathtowhmcs/$1 [R=301,L] Do you have it entered twice like above?

Yes. Not sure why it's not working. :/

Thanks in advance. It really helped.

Regards,
John.

Works great thanks

When you bring your car into the mechanic shop, do you simply tell the mechanic that your car "isn't working" ?

I do! :shock:

Stirton,

I have tested it and this code works like a charm when you put it in the htaccess file.

Thanks again.

Martin

Hi Martin,

Sorry I didn't reply earlier ... and I'm glad you're up and running.

All the best
Neil

Does this work with the newest update of WHMCS? I was using something like this and users were unable to login. I removed it and it worked. I converted back to the previous version and it worked too.

Not working for me...

This worked great, except the address bar should turn green/blue when someone goes to the SSL (i payed extra). The blue address bar works in the Admin area, do you know how i can get it to work throughout the whole system?

Are you talking about in FF how it turns green when you are on an HTTPS connection?

If so, WHMCS has nothing to do with FF. It can't tell FF to turn green, blue, or change to any color...

If you followed the steps to make the page HTTPS, and FF's bar is still not green, then you may want to take it up with your SSL provider.

Well, when i click on the information, it says the page is partially encrypted. Maybe thats why?

What should I do to encrypt it fully, like the admin area has?

P.S.

I added:

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^dl.php [NC]
RewriteCond %{REQUEST_URI} ^ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://cp.valencehosting.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://cp.valencehosting.com/$1 [R=301,L]

to .htaccess in my WHMCS folder, as well as the root directory. All the pages are now https://, but like I said, their still only partially encrypted.

You may want to post your question with more details in a new thread.

I know that there are a few pages that are hard coded to NOT be over https. I don't remember what they are, but last time I checked, this htaccess code should fix it.

I've done this. However when you visit my link (www.xenorhosting.com/billing) it just redirects to a http not https.

Your cert is installed for https://xenorhosting.com not https://www.xenorhosting.com

I followed the directions above. Here is my linke:

www.xfragging.com/clients

The problem is when people go there IE asks if I want to display some secure and non-secure items. I really need everything to be secure, which is what I thought editing the .htaccess file would do :? Does anyone have any suggestions?

Here is my .htaccess file:

# Use PHP5 Single php.ini as default
AddHandler application/x-httpd-php5s .php
RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for clients to always use https except for the clients/dl.php file
RewriteCond %{REQUEST_URI} !^/clients/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} !^/clients/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/clients/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for clients dl area to always use http
RewriteCond %{REQUEST_URI} !^/clients/admin/cron.php [NC]
RewriteCond %{REQUEST_URI} ^/clients/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.xfragging.com$
RewriteRule ^order/?$ "http\:\/\/xfragging\.com\/order\/order\.php" [R=301,L]

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.xfragging.com$
RewriteRule ^gspanel$ "http\:\/\/69\.31\.15\.186\/" [R=301,L]

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.xfragging.com$
RewriteRule ^oadmin$ "http\:\/\/xfragging\.com\/order\/admin\/" [R=301,L]

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.xfragging.com$
RewriteRule ^forums$ "http\:\/\/www\.xfragging\.com\/forum" [R=301,L]

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.xfragging.com$
RewriteRule ^chat/download$ "http\:\/\/www\.livezilla\.net\/downloads\/files\/LiveZilla_3\.1\.7\.11_Setup\.exe" [R=301,L]

RewriteCond %{HTTP_HOST} ^my.xfragging.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.my.xfragging.com$
RewriteRule ^/?$ "http\:\/\/69\.31\.15\.186" [R=301,L]

RewriteCond %{HTTP_HOST} ^xfragging.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.xfragging.com$
RewriteRule ^/?$ "https\:\/\/xfragging\.com\/order\/order\.php" [R=301,L]

@Caffiene:
Replied here with the reason you're seeing non-ssl content errors: http://forum.whmcs.com/showpost.php?p=91149&postcount=2

@Caffiene:
Replied here with the reason you're seeing non-ssl content errors: http://forum.whmcs.com/showpost.php?p=91149&postcount=2

Thank you bear!! You are amazing!

Just to add what bear has said in his other thread as it will no doubrt come up again.

It isnt always apparent in your files what to change. For example its not just images that will cause this issue, pieces of java code that are called, includes files of function files also cause this to happen.

Basically use the rule of thumb that if you use refer to ANY file or image on your web page, and use it in your template, have a duplicate copy of it ALL in your template directory :)

Alright, thank you!

I figured out: you need to have ALL objects on the page within your SSL area. This means you can not have unsecured items on your website...otherwise your page will only be partially encrypted.

I've been playing with securing WHMCS as much as possible but pretty much given up on using https with anything other than the admin directory. It seems Cpanel pushes both https and http traffic through port 80 so a simple detection via Apache or PHP only causes an infinite loop. Also since I was asked to temporarily redirect an "admin" folder to the new admin page I have included that below as well.

Here is what I ended up using for my install.

# SSL Admin Folder
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} myadminfoldername
RewriteRule ^(.*)$ https://my.domain.com/$1 [R,L]
Options +FollowSymlinks

# Redirect Admin Folder
Redirect /admin/ https://my.zigzap.com/myadminfoldername
Redirect /admin https://my.zigzap.com/myadminfoldername

I am planning to buy SSL certificate (cheap one) and try the code in this thread - I am wondering where I need to install SSL certificate before I can try following instructions for this secure folder which is whmcs.

It is best to have an SSL cert already installed.

I am planning to buy SSL certificate (cheap one) and try the code in this thread - I am wondering where I need to install SSL certificate before I can try following instructions for this secure folder which is whmcs.

You could install a self signed one for the time being to test, no?!

Thanks... I have now added SSL protection to admin area but do not really get the problem with clients logging in while not under the protection of SSL.

do not really get the problem with clients logging in while not under the protection of SSL.
- Some clients believe that when they enter confidential information into a page that does not have that secure lock on the browser, that their information is no secure.

very effective indeed thanks for the post

Weird error..

When I add the .htaccess file editing it changes all the links on my website, when all I want it to do is change the whmcs links.

Since it changes, all the links I get 404 Page not found error messages.

Can you please copy/paste your .htaccess file in here? Please don't change ANYTHING. If you want to leave personal information out, you could just PM it to me so only I can see it.

Anyone can give example htaccess for subdomain?
Let's say I have whmcs installed on https://my.server.com

Is there htaccess below correct? Assuming I put in in my /public_html/ folder and my.server.com is pointed to server.com/my/

Also, dl.php = downloads.php right?


#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/my/downloads.php [NC]
RewriteCond %{REQUEST_URI} ^/my/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://my.elevatedservers.net/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/my/downloads.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://my.elevatedservers.net/$1 [R=301,L]

Anyone can give example htaccess for subdomain?
Let's say I have whmcs installed on https://my.server.com

Is there htaccess below correct? Assuming I put in in my /public_html/ folder and my.server.com is pointed to server.com/my/

Also, dl.php = downloads.php right?

You have it wrong, it should be:


#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/downloads.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://my.elevatedservers.net/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/downloads.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://my.elevatedservers.net/$1 [R=301,L]

Yep, it works.

This works great but I have a question.

How do I use this code or make changes to it so that it forces my entire site to use https except the downloads, instead of only forcing WHMCS folder?

Please help :?

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


This should be on your public_html folder.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


This should be on your public_html folder.

So add this to the code? I still don't want downloads using https because of the errors it causes.

Okay..

I want the exact same code. BUT, I want to force my entire site to use HTTPS instead of just forcing the WHMCS folder to use HTTPS. I still need the downloads to NOT use HTTPS because this causes errors, which is the whole point of this thread. I just want to force the whole site to use HTTPS, not just the WHMCS folder.

How can I change the code provided by the OP to do this?? :?

Thanks for the info on this it was very helpful to me

How would I rewrite a sub-domain like this.

I changed the directory of my billing script, so I need everything to be re-directed to the new url.

For Example:

I want to redirect secure.nixism.com/blah/blah/etc to my.nixism.com/blah/blah/etc.

How would I do that?

Hello,

I've been reading this thread, very interesting topic, but when I went through my website, checked both admin and client areas, to my surprise everything (I mean everything) was accessed through secure https:// by default, without editing .htaccess file.

Probable reasons might be that:

1. In General settings I entered https:// URL of my website for all three fields - in 'the domain of my main website', in 'WHMCS system URL', and in 'WHMCS SSL system URL'.

2. WHMCS got aware about this topic being discussed and implemented https:// accessed throughout the system in V4 (WHMCS version that I am using at this moment.)

But now after reading this thread, I read about the problems that arise when using 'Downloads' with secure connection. What exact problems/errors that 'Downloads' causing with secure connection? Should I now try to force 'Downloads' to be accessed through http://?

Interesting.

Sincerely,
Serg

But now after reading this thread, I read about the problems that arise when using 'Downloads' with secure connection. What exact problems/errors that 'Downloads' causing with secure connection? Should I now try to force 'Downloads' to be accessed through http://?
- Due to the way the downloads are being sent through PHP, it doesn't work over SSL with mod_rewrite. The downloads I believe either end up corrupted, or it never starts. I forget which one it is. That's corrected though using the code in the first post.

Hello RPS,

So considering that I have no issues to access entire WHMCS folder through secure connection (as I noted in my previous post) without 'Rewrite the URL for WHMCS to always use https,' I assume I only need 'Rewrite the URL for WHMCS dl area to always use http' to force Downloads to be accessed through unsecured http connection? Am I right?

Sincerely,
Serg

I assume I only need 'Rewrite the URL for WHMCS dl area to always use http' to force Downloads to be accessed through unsecured http connection? Am I right?
- Does it work right now? What happens when you try to download something in IE?

RPS,

I haven't tested Downloads yet, and would love to test and see for myself before I proceed with this fix. Because, as with example here, when most of the people in this thread had issues accessing some areas of WHMCS through secure connection, I tested my WHMCS installation (both admin and client areas) and didn't have any area of my WHMCS that was accessed without secure https.

I am in the middle of something right now, so can't allocate time to test Downloads at this moment, but I am very interested about details of issues that Downloads causing over secure connection.

Thank you for your quick response! I'll be back to this thread soon.

Sincerely,
Serg

Matt may have fixed the SSL issue by now. I haven't tested the new version yet.

What happens when you're on the knowledge base area, is it HTTP or HTTPS?

RPS,

Literally every single page is accessed through secure https connection, both admin and client areas. But it wasn't so when I had V3 and when I installed SSL on subdomain, and used root domain for WHMCS license.

Now my site URL is subdomain with SSL installation, and that secure subdomain is redirected to my WHMCS system folder, making it my system folder URL, and it is my WHMCS SSL system URL. And that's what I meant in my initial reply to this thread.

Example: I used 'https://secure.mydomain.com' in every field of General Settings, making it my main domain name, WHMCS system URL, and ofcourse WHMCS SSL system URL. In my cPanel I simply redirected my root domain 'mydomain.com' to 'secure.mydomain.com'. That's it.

Sincerely,
Serg

Please confirm that:

1) Knowledgebase URL is forced to HTTPS - when you go to http://www.domain.com/knowledgebase.php it redirects you to https://www.domain.com/knowledgebase.php
2) Announcements URL is forced to HTTPS - when you go to http://www.domain.com/announcements.php it redirects you to https://www.domain.com/announcements.php
3) You have not edited any .htaccess settings at all, you're basically using a regular version of WHMCS.

RPS,

Ok, I see what you mean. No, it's not redirecting from http to https if URL path with http request is typed manually into browser, but all my WHMCS links are based on and directed through secure https request (on click). Nevertheless, now I see the reason to edit .htaccess file.

Thank you RPS!

Sincerely,
Serg

No worries :)

I just don't want my clients to be able to login on a page that doesn't have a secure browser lock icon. It's not the potential lack of security, it's the fact that the client see's the info is being enter in on a non-secure connection.

Hello,

Maybe I am missing something, but I followed the steps in first post, and tried different ways to edit .htaccess, but I cannot make it work, and no matter what I do my site has no changes whatsoever, it just doesn't changes anything, as if I did not edit .htaccess at all.

Sincerely,
Serg

You should contact the admins of the server and find out why .htaccess isn't working.

Hi RPS,

Ok, I gave it some time, and tried again. Now it's working like a charm. It turned out I was editing wrong .htaccess file. (still learning) :)

Thank you for your help!

I would note though, that it works just as it should, without any issues, but I did not followed all the steps you listed in your initial post. I did not leave blank 'WHMCS SSL system URL'. I don't know what this step actually accomplishes, but let me know if it is important. Other than that it works great!

Sincerely,
Serg

I did not leave blank 'WHMCS SSL system URL'. I don't know what this step actually accomplishes, but let me know if it is important. Other than that it works great!
- I don't remember why that step was involved. Please go through your WHMCS and make sure that everything works. It was probably listed as a step for a very important reason. It's been awhile so I don't remember exactly what that reason was.

RPS,

I did check, and it works fine. Another thing though, is a bout downloads page. I understand that main concern that brought this fix around is non-secure pages that might transmit sensitive information, but what about downloads page? In V4 portal template there's a login fields on the side of every page including downloads page. Now, I still want to try to test downloads over secure connection on different browsers and see how bad it is. Otherwise, login fields would have to be removed from downloads page. I still don't feel comfortable about leaving downloads page non-secure. Besides, I might be wrong, while customer logged in, even on downloads page in V4 there's that customers personal info being transmitted on the side of the page. It might be removed from dl page too, I guess.

And what is the difference between downloads.php and dl.php? I have both in my WHMCS. Which exactly have to be edited in htaccess file? I did downloads.php and it works, but just wondering, since in your initial post you noted about dl.php?

Thank you.

Sincerely,
Serg

I believe the dl.php file is used to serve up the downloads. The downloads.php just displays the available downloads.

If you remove the stuff in the .htaccess regarding the dl.php page, it should send everything with forced encryption, and the download should fail in IE.

I haven't tried this on the latest version, but you can give it a shot and see how it works on your end.

Which exactly have to be edited in htaccess file?
- All you have to do is follow what's in the first post. Don't add/remove anything else, just use it exactly as it appears. Edit the domain name setting, and you should be set.

RPS,

Thank you for clarifying about 'downloads.php' and 'dl.php.'

Concerning IE, I took little time to test it, but unfortunately I still don't understand what's the problem with using downloads (dl.php) over secure connection in IE. I tested downloads on IE 6 & 7, both over secure connection and non-secure (with .htaccess and without, although, with .htaccess IE properties information still stated that dl.php was connected through secure connection??? That's would be another concern :)) But anyway, I tested to download PDF, ZIP, and Exe files, but did not have any issues either over secure connection nor over non-secure connection.

What exactly is the issue with IE, and with which versions exactly? If someone actually experienced problems, please be so kind to reply. Otherwise, what are we talking about here? I knew that "some" people experienced some issues with "downloading in general" while using IE, not just over secure connection, but does it mean that everyone is experiencing these issues? No, because there's always some people who experiences issues where they actually shouldn't experience any, and then they 'blow a whistle' without getting to the bottom of it and finding an actual cause of the problem (I know that from personal experience and self-reflection, I was like that too :)).

Sincerely,
Serg

Here's a way to test it...

1) Use the exact example inside the .htaccess of the OP
2) Using IE6 and IE7, go to the downloads page and download a zip file
3) Now edit the .htaccess and remove the line regarding the downloads, the new .htaccess should look like this:

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

Repeat step 2 and report back.

Yes, Just did what you asked me, but did not have any issues with downloads using IE. Maybe after all it's also about the upgrades, patches, and fixes that I been installing a long time ago. You know a lot of people do not bother themselves with upgrading and installing fixes and patches.

Anyway, I would leave this for later.

But would you mind accessing your site with edited .htaccess (just like in your first post) through IE, go to downloads and click to download file (without actually trying to download it) then click File>Properties and tell me what kind of connection Properties states dl.php is using. I would appreciate it. Because mine according to Properties seems still using secure connection.

Sincerely,
Serg

I don't have the latest version of WHMCS up yet.

Could you set up your install with:

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

and then PM me a link to download a zip file?

Serg,

Thanks for the PM. I verified that the downloads and every other area within WHMCS was forced to use SSL on YOUR installation. Assuming you have not changed anything, and followed directions exactly as I mentioned, then the issue is now resolved.

I verified this in IE 6 and IE 7.

I'd like to get one other person to verify it before I update my first post.

One of my clients runs WHMCS, so I think I'll be able to get him to test it out too.

Thanks for going through it all!

No problem RPS,

Anything I can do to make WHMCS to run smoothly.

By "... issue is now resolved" did you mean the issue is might have been resolved in V4? If yes, then I agree with you, I thought about this issue might have been resolved in V4 to begin with. And that would be great if other V4 users would take little time to test their V4 installations just the way we did, to confirm that it actually an improvement in V4.

To all WHMCS users: If you conducted suggested by RPS (bellow) test in V4 with IE, please let us know your results in this thread. Thank you!Here's a way to test it...

1) Use the exact example inside the .htaccess of the OP
2) Using IE6 and IE7, go to the downloads page and download a zip file
3) Now edit the .htaccess and remove the line regarding the downloads, the new .htaccess should look like this:
RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]
Repeat step 2 and report back.
Sincerely,
Serg

why have the whole of WHMCS as https. as long as the ordering process etc is done under https then everything is OK.

I us an SSL with my WHMCS and have no problems.

why have the whole of WHMCS as https. as long as the ordering process etc is done under https then everything is OK.

I us an SSL with my WHMCS and have no problems.
- See post: http://forum.whmcs.com/showpost.php?p=106232&postcount=102

- See post: http://forum.whmcs.com/showpost.php?p=106232&postcount=102

i use https and a clients signs in they are withn the https area so it is secure.

easyhosting,

I am using V4, and in V4 portal template there are loggin fields on every single page throughout the system (I mean every single page.) And I love it about V4. And It's not secure to transmit loggin information over non-secure connection. Or is it :)?

The other thing, internet security becomes a big issue when it comes to conducting business online, and I would love to build my entire online business to be as secure as possible, and use it as part of my company's image. And when it comes to serious clients, it is so easy to loose them if they suspect that it is not secure to conduct business through not-so-secure-website. If you don't care about that it's up to you.

I use SSL with my WHMCS and have no problems either :) but just want to make it more secure.

How much of security on the internet do you think is enough?

Sincerely,
Serg

easyhosting,

Haha :) I just went to your website, and you have client loggin fields on many non-secure pages. So how is it makes your website secure?

Update: And Actually, I went back and realized that when I clicked on clients and order links, your system does not forces secure connection by default. How about that?

Update: An just a heads up, I counted 11 non-secure pages on your website that would transmit your client's loggin info over non-secure connection!!!

Sincerely,
Serg

easyhosting,

Haha :) I just went to your website, and you have client loggin fields on many non-secure pages. So how is it makes your website secure?

Update: And Actually, I went back and realized that when I clicked on clients and order links, your system does not forces secure connection by default. How about that?

Update: An just a heads up, I counted 11 non-secure pages on your website that would transmit your client's loggin info over non-secure connection!!!

Sincerely,
Serg

You can go to my site https://easyasabc-hosting.com/ and find ALL pages are secure.

easyhosting,

Yes! Awareness raised and appropriate actions are taken. Your website pages weren't secure at the time I checked it though, but if you don't want to admit it, that's fine.

Note: You forced your non WHMCS pages to use secure connection, yet you haven't forced all your WHMCS pages to use secure connection yet, as it is still have non-secure pages with loggin fields.

Update: when I enter your address with http, manually, as that's what most internet users do (they don't type https by default) your website loads over non-secure connection, and after that the links I click they are non-secured. You need to go to the first post, and follow all the steps RPS suggested and then when your clients would simply type your URL without actually typing 'https' your website would force secure connection by default.

And that's the point of this thread!

So, do you still think that it is not important to use all WHMCS system pages over (https) secure connection?

Sicnerely,
Serg

Example: type your URL with 'http' without typing 'https' or without typing http nor https, just your URL, as all browsers use http request by default, and see if your site forces secure connection. If it's not, go to the first post of this thread. :)

Sincerely,
Serg

Serg is right, you should force https for when people visit the http and have to enter confidential info. Client's aren't smart enough to tell the difference.

i use https and a clients signs in they are withn the https area so it is secure.
- Your clients will be able to enter their password on a page that doesn't have the secure lock icon. To me, that's a problem.

You can go to my site https://easyasabc-hosting.com/ and find ALL pages are secure.
- Yes, if the client manually adds the "s" to http, then you are right, it will be secure. However, most of my client's don't even know what HTTPS means. They know they are secure when the browser shows a lock.

Without a lock icon, they believe hackers may be able to steal their information.

So I have followed everything on here, client area/support pages, the lot are protected just fine, but now I'm wondering if its possible to secure the WHMCS admin log in page ?

Is this done by securing the entire WHMCS Dir or can you specify this page alone in the .htaccess file.

Ty,
-Sam.B

Codex,

As long as your secure sub-domain is the same you issued you WHMCS license to, then you don't have to do anything to access admin area through your SSL.

Sincerely,
Serg

Not clear on exact steps of setting up ssl with latest v only.
Thanks

tiameg,

I am not sure what do you mean by setting up SSL with latest version only? You setting up (install) your SSL on your server, where you host your WHMCS, and it has nothing to do with latest or any version of WHMCS. In general settings of you WHMCS you just set SSL URL where it asks and that's it. If your secure domain (to which SSL had been issued) is the same as your actual site domain, like I have, just put SSL URL in each field: SSL URL and Site URL, as I did. And if you want to force entire WHMCS to be connected through secure connection, then read this thread from the beginning, follow all steps, test it and see if it works for you, if it's not you are welcome to come back to this thread and make a post with an actual details and questions.

Sincerely,
Serg

Not clear on exact steps of setting up ssl with latest v only.
Thanks

I am running V4.02. Followed the steps in OP and it works fine.

Couple of observations in IE (Just upgraded to V8, no other to test):
It's interesting that IE bolds the "https" and the domain in the address bar.
Second, The downloads.php page is secured, and the download worked fine. Just hard to tell if the download itself (dl.php) was not, or if IE8 fixed the issue.

8)

easyhosting,

Yes! Awareness raised and appropriate actions are taken. Your website pages weren't secure at the time I checked it though, but if you don't want to admit it, that's fine.

Note: You forced your non WHMCS pages to use secure connection, yet you haven't forced all your WHMCS pages to use secure connection yet, as it is still have non-secure pages with loggin fields.

Update: when I enter your address with http, manually, as that's what most internet users do (they don't type https by default) your website loads over non-secure connection, and after that the links I click they are non-secured. You need to go to the first post, and follow all the steps RPS suggested and then when your clients would simply type your URL without actually typing 'https' your website would force secure connection by default.

And that's the point of this thread!

So, do you still think that it is not important to use all WHMCS system pages over (https) secure connection?

Sicnerely,
Serg

i take offence at this. ALL my site pages are secure

easyhosting,

No need to take offense. You read this thread, you communicated your opinion, then received response from us regarding your opinion; consequently, you took steps in further securing your site. Good luck with your business!

Sincerely,
Serg

easyhosting,

No need to take offense. You read this thread, you communicated your opinion, then received response from us regarding your opinion; consequently, you took steps in further securing your site. Good luck with your business!

Sincerely,
Serg

I did take offence as all my pages etc are secure and have been secure since setting up the website. their was a minor clitch when i changed servers.

I have been ontline trading for over 10 years and if i set a site up that will take customer details then the first thing i do id get a dedicated IP and SSL cert and secure the site.

Im having alot of trouble with this.....newbie to whmcs and never used SSL before...

Setup my cert no problems there it was pretty easy in WHM now just issues using the code in the first post im wondering if this is a problem because im using 4.02

Heres my current .htaccess un-edited and curious should the previous posts not apply to my version?:

RewriteEngine On



# Announcements

RewriteRule ^announcements/([0-9]+)/[a-z0-9_-]+\.html$ ./announcements.php?id=$1 [L,NC]

RewriteRule ^announcements$ ./announcements.php [L,NC]



# Downloads

RewriteRule ^downloads/([0-9]+)/([^/]*)$ ./downloads.php?action=displaycat&catid=$1 [L,NC]

RewriteRule ^downloads$ ./downloads.php [L,NC]



# Knowledgebase

RewriteRule ^knowledgebase/([0-9]+)/[a-z0-9_-]+\.html$ ./knowledgebase.php?action=displayarticle&id=$1 [L,NC]

RewriteRule ^knowledgebase/([0-9]+)/([^/]*)$ ./knowledgebase.php?action=displaycat&catid=$1 [L,NC]

RewriteRule ^knowledgebase$ ./knowledgebase.php [L,NC]

*again* I did have a nice comment which was deleted.........ANYWAYS,

a much shorter version *due to laziness* is, I been having alot of trouble using the code in the first post.

Im using V4.02 -Updated .htaccess code needed perhaps?

SSL Cert installed blah blah

seems to be a much different code that i got to what you guys have listed in previous posts.

*again* I did have a nice comment which was deleted.

Not deleted, auto-moderated. Now approved.

Assuming you therefore have your WHMCS in the 'root' of the sub-domain, I would guess that slight mod to the above should work ...


RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://mysub.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://mysub.domain.com/$1 [R=301,L]


I have a installed a valid SSL . I have the exact code in my .htaccess. However, the page is partially encrypted. The admin section is fully secured. How is it I can't seem to get the all of my whmc pages fully protected. :?

Also a note that I have noticed is that, if someone redirects using cPanel's <redirect> option it get hung in Firefox. Does someone know, how and why it does that? :twisted:

Spread the knowledge

any update would be nice my sites been up 5 minutes and already people are trying to break in

The answer to your first question,I have a installed a valid SSL . I have the exact code in my .htaccess. However, the page is partially encrypted. The admin section is fully secured. How is it I can't seem to get the all of my whmc pages fully protected. :?is most likely because of your WHMCS images not being secured. If you have integrated it other images may be implicated. Check the image URLs use https.

Please ignore post #137 above. It was posted in error. :oops:

The answer to your first question,is most likely because of your WHMCS images not being secured. If you have integrated it other images may be implicated. Check the image URLs use https.

That could be, I use some images from a different site to feed my whmcs layout, but maybe i should copy them over and change the css. :shock:

I will try that later. I'll let update yeah.

That's primarily why you should use full urls in your designs, just link like this:


<img src="my/image/folders/image.png" alt="image" />


That way everything will work fine even if you change urls, or want to use the server while your DNS is propagating (ie. instead of domain.com/image.png, you'd want IP.XX.XX.XXX/image.png).

That's primarily why you should use full urls in your designs, just link like this:


<img src="my/image/folders/image.png" alt="image" />


That way everything will work fine even if you change urls, or want to use the server while your DNS is propagating (ie. instead of domain.com/image.png, you'd want IP.XX.XX.XXX/image.png).

That isn't a "full URL", that's a document relative URL. There are three basic types of addressing.

Document relative (starts with the file it's called from and traverses directories from there: (.file.gif or ./file.gif or file.gif or ../file.gif or ../directory/file.gif)

Root relative, which starts from the lowest point in the heirarchy, the document root: (/file.gif or /directory/file.gif)

Absolute (or "full") URL, which goes out to the web server to start looking. It's this that often breaks SSL when the coder forgets to make this httpS: https://example.com/file.gif or https://example.com/directory/file.gif

Sorry, I meant to write "you shouldn't" :> Can't edit the post, its too late :o

The above mentioned solution works only if WHMCS is installed under sub directory i.e. www.xyz.com/members, what if the installtion is under the main domain name i.e. www.xyz.com, what can be done ?

The above mentioned solution works only if WHMCS is installed under sub directory i.e. www.xyz.com/members, what if the installtion is under the main domain name i.e. www.xyz.com, what can be done ?

The above mentioned solution works only if WHMCS is installed under sub directory i.e. www.xyz.com/members, what if the installtion is under the main domain name i.e. www.xyz.com, what can be done ?

You just need to specify the correct folders, if the whmcs is installed under the root directory than all you need to do is edit the image location. The solution below will work if your image location is http://www.xyz.com/images/image.png:
<img src="images/image.png" alt="image" />

I just want to add to this thread with something I just encountered. We were having problems similar to what you were experiencing. The links were being forced from http to https and the pages were erring out.

Scenerio: Our SSL certificate is set to www.domain.com which in essence matches our website. Our website uses Joomla. The WHMCS program is installed as a subdirectory under our website's directory (www.domain.com/whmcs/). Joomla has its own .htaccess file. WHMCS has its own .htaccess file if you choose to use it for SEF purposes. We set the domain in the WHMCS general settings to be:

WHMCS System URL: http://www.domain.com/whmcs/
WHMCS SSL System URL: https://www.domain.com/whmcs/

When you clicked on a link the page would err out.

After spending hours checking the server for why this wasn't working correctly, this is what we found out.

First, because Joomla has its own .htaccess file which controls the entire domain/website, it was controlling the URL that any subdirectory would be using (including any .htaccess file that WHMCS was using). Furthermore, we had the configuration setting in Joomla set to "domain.com" not "www.domain.com." This was causing a mismatch for the settings in the WHMCS program. Basically, forcing any www.domain.com to domain.com which would then be forced back by WHMCS from domain.com back to www.domain.com. An endless loop.

Second, we found that we could force the entire WHMCS site to be secure by adding the "s" to all of the "http:" in the General Settings.

Additionally, if you have to make your downloads.php area not secure for it to work for downloads, it should work if you edit the template for the downloads links to hard-code the URLs as http://www.domain.com/whmcs/download.php, thus bypassing the SSL certificate.

I hope this provides additional help for some.

Best wishes,
Rae

Im using ver 4.02 and also encountered the same problem. When i enabled the SSL site on the general settings, most of the images on my client portal cannot be displayed. When using firefox the nav links doubled (IE and Chrome no problem ). I already checked the links on the template and im sure theyre all root relative links. I host images at the same folder (default)

view site
https://www.nsmonster.com/clientportal/whmcs/clientarea.php

Any suggestion? Ive also tried altering .htaccess file but it didnt work.

view site
https://www.nsmonster.com/clientportal/whmcs/clientarea.php

Any suggestion? Ive also tried altering .htaccess file but it didnt work.

I don't see any problems there... or maybe you figured it out already?

A quick question, my site is totally built around WHMCS, I'm just in the process of obtaining a SSL cert for the site,

as I only want to protect certain areas of WHMCS, eg,register, purchases, login etc, as you can imagine I don't require my custom template pages to be protected, so does WHMCS automatically decide which parts need to be https and which parts need to be http, or do I need to fiddle with the htaccess file? iI'm currently using a htaccess redirect for seo purposes so that all http://site traffic is directed to http://www.site


cheers

Hello annomander,

If your custom pages do not transmit sensitive customer information over the internet, I believe you are good. WHMCS does forces secure (https) connection by default on registration page, shopping cart, and loggin page. The only reason this thread was started is because of mainly loggin fields on other unsecured pages and other forms that might transmit sensitive information on pages other than registration, shopping cart, and client loggin pages.

Besides that, in my personal case, as I set my website to force entire website over secure (https) connection, I began to like the idea of showing my customers that my website is secure. As every page of my website is transmitted over secure https connection, my customers are able to see and verify my SSL certificate at any time, while browsing any page of my website. It might not be that important to force entire website over https connection, but I believe that in times when online security is a big concern to online consumers, it is one of the steps that I made, small but none the less reassuring one. Also, besides forcing entire website over https connection, I hosted entire website under subdomain https://secure.mydomain.com, so no matter on which page my customers are they always see https://secure...

Sincerely,

Serg

Thank you for your reply. It is a good marketing angle, I think the only downside is extra processing for https connections, but I presume that not a issue for your server.

Thanks ago for the reassurence on the ssl issue.

Hello annomander,

If your custom pages do not transmit sensitive customer information over the internet, I believe you are good. WHMCS does forces secure (https) connection by default on registration page, shopping cart, and loggin page. The only reason this thread was started is because of mainly loggin fields on other unsecured pages and other forms that might transmit sensitive information on pages other than registration, shopping cart, and client loggin pages.

Besides that, in my personal case, as I set my website to force entire website over secure (https) connection, I began to like the idea of showing my customers that my website is secure. As every page of my website is transmitted over secure https connection, my customers are able to see and verify my SSL certificate at any time, while browsing any page of my website. It might not be that important to force entire website over https connection, but I believe that in times when online security is a big concern to online consumers, it is one of the steps that I made, small but none the less reassuring one. Also, besides forcing entire website over https connection, I hosted entire website under subdomain https://secure.mydomain.com, so no matter on which page my customers are they always see https://secure...

Sincerely,

Serg

I agree, by making your whole site secure over https it gives all your customers piece of mind and shows that you take their security seriously

I've installed the ssl and yes, whmcs automatically puts you into secure mode if you visit

Login
Register
Contact
and
domain checker

To get out of https, I need to visit, home, knowledgebase or downloads

The problem is, unless you go to these first, my other pages stop with https


Now, the above few posts (hi), recommend that this is actually no big deal.

Should I change it so that it exits on my template pages aswell, or leave it?

Cheers.

This script worked great right out the gate! An easy and quick way to run your WHMCS all in SSL, all but the Knowledgebase and Download area that is! I hope no other browsers will have issues running in SSL. Time will tell, so will our 404 error logs. Thanks for the script!

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

How would i do this if WHMCS is installed on a subdomain and my website on main domain?

does anyone know how i can use this if whmcs is on a subdomain and main site on main domain?

Just remove whmcs in /whmcs/ and /whmcs/dl.php and paste the .htaccess in the WHMCS dir.

I have my WHMCS on a subdomain and cannot get this to work.

I have added this into an .htaccess file to no avail. It gets stuck redirecting. It appears that WITH or WITHOUT an .htaccess file, that the WHMCS 4.1.1 system has a mind of its own and converts the https:// to http:// on its own on the root folder (of course, unless someone select a page that requires https:// )

Anyone find similar results or am I just in left field here?

I have the same issue,

my whmcs site is hosted at

secure.domain.com

and I need apache to redirect to

https://secure.domain.com

in-case the user has not typed the https prefix in the address bar.

Right now I'm getting a re-direct loop error.

Any help would be appreciated.

Is there non who can tell me (and others) how this can be done with a sub domain...?

Sorry, I don't have a way to test it, try this code for the sub domain:

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://sub.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://sub.domain.com/$1 [R=301,L]

I just set System URL and SSL URL both to

https://subdomain.domain.com

And it never leaves SSL in the first place.

With the current way WHMCS handles SSL, your clients can log in on pages that are not via SSL. There are also other areas that WHMCS forces to use http instead of https (I believe the announcements and knowledgebase are both without https).

You can use .htaccess to force everything to happen via https, however, file downloads will NOT work if this is the case.

When you try to download a file using rewrite rules that forces your URL to be https, IE has an issue with downloading files (in this case, the downloads page).

Open 'Configuration' -> 'General Configuration'
Set WHMCS System URL to https://www.domain.com/whmcs/ (note the s within https)
Set WHMCS SSL System URL to empty

The follow code (which you should place inside your .htaccess file), will force all requests to the WHMCS folder to be done via https, unless it is the whmcs/dl.php file.

The code after, will force the whmcs/dl.php to redirect from https to http.

RewriteEngine on
Options +FollowSymlinks

#Rewrite the URL for WHMCS to always use https except for the whmcs/dl.php file
RewriteCond %{REQUEST_URI} !^/whmcs/dl.php [NC]
RewriteCond %{REQUEST_URI} ^/whmcs/ [NC]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

#Rewrite the URL for WHMCS dl area to always use http
RewriteCond %{REQUEST_URI} ^/whmcs/dl.php [NC]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

This worked perfectly...I cannot explain how satisfied and grateful I am that you have put this here. I was getting partial errors in chrome and IE, but not firefox or safari and this tweak to the .htaccess worked great. I followed your instructions exactly. Many many thanks!