Force SSL on all of WHMCS (Admin, Client)

**erikandre** · 08-13-10, 12:28 PM

Why is it that I have SSL enabled in my settings and each time I log into my admin section that the SSL is not enforced? It enforces in the client section only when they need to do something secure, but never anywhere else.

Shouldn't there be an option to force SSL *everywhere* on WHMCS regardless of where the client is? I want my clients and my admins to have SSL even if they forget to put it but can't see what else I need to do. If I add a custom htaccess file, the client end loops to nowhere because I guess the WHMCS code already has a redirect taking them *away* from the SSL since the page doesn't need it which becomes an endless loop.

I really want a single option that allows the option to force https:// on the entire WHMCS installation (admin, client, everywhere) so clients can be assured they are on a secure certificate before they get to the secure page AND that the admin pages can be forced as well.

If this is possible, please tell me what I can do to make it work.

**laszlof** · 08-13-10, 01:24 PM

Set both the WHMCS System URL and WHMCS SSL System URL to your https URL. Then add the following to your .htaccess:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

**erikandre** · 08-13-10, 10:15 PM

Originally Posted by laszlof

Set both the WHMCS System URL and WHMCS SSL System URL to your https URL. Then add the following to your .htaccess:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

That did it. Big thanks.

**theben** · 08-30-10, 02:33 PM

Please can you provide the trick also for IIS 7?
Thanks a lot!

**SistemasyServicios** · 08-30-10, 03:22 PM

Originally Posted by theben

Please can you provide the trick also for IIS 7?
Thanks a lot!

For this guide to work you'll need;

* IIS 7 installed
* Microsoft URL Rewrite Module installed
* Create HTTPS bindings to your IIS website and assign certificate
* Ensure Require SSL is NOT checked under SSL Settings for your website

Once you have this done you can simply copy and paste the following code between the <rules> and </rules> tags in your your web.config file in your website root directory.

Code:

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="off" ignoreCase="true" />
    </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

From here all you have to do is save your web.config file and test that the redirection is working.

Hopefully this guide has helped you to enabled HTTP to HTTPS redirection for your website on IIS 7 using the Microsoft URL Rewrite Module.

Regards,

**MikeDVB** · 10-07-10, 09:37 PM

I set both URLs in WHMCS to use https:// and used this:

Code:

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/support/dl.php [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} ^/support/dl.php [NC]
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

Obviously you would replace /support/ with whatever your WHMCS folder is called such as /clients/

**webjive** · 05-19-11, 04:35 PM

This worked great!

Thanks

**rwvpn** · 05-24-11, 08:13 PM

I also use this this command in my apache
/etc/apache2/sites-available/default
to make it so that you can only connect to the admin site from certain IP addresses. To add more just add them on the same line with a space.

<Directory /var/www/portal/admin/>
order deny,allow
deny from all
allow from 192.168.1.1
</Directory>

**MikeDVB** · 05-24-11, 08:17 PM

You can do the same thing, in most cases, by putting it in your .htaccess as well inside of your admin directory. Many people running WHMCS may not have access to the httpd.conf

order deny,allow
deny form all
allow from ip.add.ress.here

**paperweight** · 10-11-11, 04:01 AM

Ok, I seem to be doing this halfway correctly, so please let me know what you think. I am using all this in my .htaccess, and I'm unsure if it's overkill or will create problems later:

Code:

# This rewrites URLs to force https on all requests to whmcs
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/dl.php [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} ^/dl.php [NC]
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ $1 [R,L]

The first 3 sections are a combination of what you wrote above on this thread. The 4th section is what I added, and it comes from a WordPress blog htaccess section that I also use SSL on -- this seems to more accurately force the https on the URLs.

Does the above seem correct?

Community Forums

Thread: Force SSL on all of WHMCS (Admin, Client)

Thread Tools

Force SSL on all of WHMCS (Admin, Client)

And for IIS 7?

Forcing WHMCS to use SSL on all pages

Similar Threads

Force Admin Area SSL