How to enable an SSL certificate (HTTPS) for vBulletin and remove the mixed content warnings for the thread pages in vBulletin 3.x or 4.x
If a site is not on HTTPS, Chrome version 56+ will mark it as “not secure” for password and other sensitive information fields. In vBulletin 3.x and 4.x, HTTPS does not work out of the box.
Let’s move vBulletin 3.x and vBulletin 4.x over to HTTPS in 5 simple steps.
1. Install SSL Certificate for the domain
First, we need to install the SSL certificate for the domain. You can purchase an SSL certificate and install it, or you can use Let’s Encrypt’s free SSL, provided your host offers it.
Once the SSL certificate is installed for the domain, you should browse the forum over HTTPS. It shouldn’t throw a full SSL warning, but some parts of the forum will load whereas others won’t.
2. Change Forum URL
Now log in to the Admin CP. Under vBulletin Options there is Site Name / URL / Contact Details, which contains an option to set the Forum URL. If it is http://yourdomain, make it https://yourdomain.
3. Change StyleVars
In vBulletin 3.x, unless you have changed to absolute image URLs, it is completely ok to skip this step.
Check under Styles & Templates > Style Manager: for your style, choose edit StyleVars from the drop-down.
Make sure the Image Paths for vBulletin are either relative to the forum root or, if they are absolute paths, that they use HTTPS and not HTTP.
In vBulletin 4.x, the logo URL is often an absolute URL with HTTP instead of HTTPS. Ideally, it should not be the case.
Still, under Styles & Templates, check the title image under “Style Variables” to make sure the path is either relative to the forum root or, if it is an absolute path, that it uses HTTPS and not HTTP.
4. Search vBulletin Templates for any HTTP://
Ideally, if your templates aren’t modified you can skip this step. However, if you have Google Analytics code or other Ad embeds for the HTTP domain, you need to replace them to be on the HTTPS domain.
Under Styles & Templates, there is an option to Search in Templates. Use the search to find any occurrence of HTTP URLs instead of HTTPS for images, CSS, or scripts and replace them with HTTPS.
5. Route Images Via Image Proxy Script
The design, which includes CSS, JS and images, can be changed fairly easily. However, the issue will be user content where images are embedded from other non-HTTPS sites.
The solution is in two parts.
Part 1: Proxy PHP Script for Images
Here is a sample PHP proxy code using curl that can be used in vBulletin to route image embed URLs in posts through the proxy.
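<?php
$salt = 'XXXX'; // Salt that was used to send hash param
// PHP already URL-decodes request parameters; a second urldecode() would
// alter URLs that contain % sequences and make the hash check fail.
$url = isset($_REQUEST['u']) ? (string) $_REQUEST['u'] : '';
$sent = isset($_REQUEST['h']) ? (string) $_REQUEST['h'] : '';
if (!$url) die('Invalid Request.');
// We check hash to keep hackers out.
$hash = md5($salt.$url.$salt);
// hash_equals() (PHP 5.6+) is a strict, constant-time comparison, unlike !=.
if (!hash_equals($hash, $sent)) die('Invalid Request.');
// Start the Curl session
$session = curl_init($url);
curl_setopt($session, CURLOPT_HEADER, true);
curl_setopt($session, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($session, CURLOPT_TIMEOUT, 3);
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
// Run the request once and reuse the result.
$response = curl_exec($session);
if ($response === false) die('Invalid Request.');
// When redirects are followed, the headers of every hop precede the body,
// so cut at the total header size and keep only the last header block.
$header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE);
$contents = substr($response, $header_size);
$blocks = preg_split('/\r?\n\r?\n/', trim(substr($response, 0, $header_size)));
curl_close($session);
// Split header text into an array.
$header_text = preg_split('/[\r\n]+/', end($blocks));
// Relay images only: anything else (HTML, SVG with script) would be served
// from the forum's own origin.
$type = '';
foreach ($header_text as $header) {
    if (preg_match('/^Content-Type:\s*(\S+)/i', $header, $m)) $type = $m[1];
}
if (stripos($type, 'image/') !== 0 || stripos($type, 'svg') !== false) die('Invalid Request.');
// Cache for 10 days
header("Cache-Control: public, max-age=864000");
header("Pragma: public");
header('Expires: '. gmdate('D, d M Y H:i:s \G\M\T', time() + 864000));
header('X-Content-Type-Options: nosniff');
// Propagate headers to response. Set-Cookie is not relayed: a remote image
// host must not be able to set cookies on the forum's domain.
foreach ($header_text as $header) {
    if (preg_match('/^(?:Content-Type|Content-Language):/i', $header)) {
        header($header);
    }
}
echo $contents;
exit;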
Create a PHP file and name it imgproxy.php in the root of the domain.
Part 2: Route IMG Tag to use Proxy for non-secure Images
For non-secure IMG URLs, override the final URL of the image to route it through the above proxy. Make sure you are using the same secure salt and hashing to avoid any hacking attempts with the proxy.
In the Admin CP > Plugins & Products > Add New Plugin
Select the Hook Location as bbcode_img_match and the Title as HTTPS for vBulletin, then add the following code in the Plugin PHP Code:
<?php
//* Do NOT include the opening php tag above. Copy the code shown below.
$urlbits = parse_url($link);
$salt = 'XXXX';
if ($urlbits['scheme']!='https')
    $link = '/imgproxy.php?u='.urlencode($link).'&h='.md5($salt.$link.$salt);
$retval = ($fullsize ? '<div class="size_fullsize">' : '') . '<img src="' . $link . '" border="0" alt="" />' . ($fullsize ? '</div>' : '');
And make sure you have set Plugin is Active to Yes.
The above code assumes that you have uploaded the image proxy file to the server and named it as imgproxy.php in the root of the domain.
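Because any member can get a URL signed simply by posting it in an [img] tag, the hash alone does not limit where the proxy connects. The following is an added example, not part of the original article: it signs with HMAC-SHA256 instead of md5 and rejects URLs that point at private or loopback addresses. The function names, `$key` and the stub resolver are hypothetical, and the plugin and imgproxy.php would both have to call the same signing function.

```php
<?php
// Added example, not the article's code. Function names and $key are hypothetical.

// Sign the image URL with HMAC-SHA256 instead of md5(salt.url.salt).
function imgproxy_sign($url, $key) {
    return hash_hmac('sha256', $url, $key);
}

// Constant-time check of the signature received in the "h" parameter.
function imgproxy_verify($url, $sig, $key) {
    return is_string($sig) && hash_equals(imgproxy_sign($url, $key), $sig);
}

// Accept only http(s) URLs whose host resolves exclusively to public addresses.
// $resolver is injectable so the check can be exercised without DNS.
function imgproxy_is_public_url($url, $resolver = 'gethostbynamel') {
    $p = parse_url($url);
    if (!$p || empty($p['scheme']) || empty($p['host'])) return false;
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) return false;
    $host = trim($p['host'], '[]');
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? array($host) : call_user_func($resolver, $host);
    if (!$ips) return false;
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (!filter_var($ip, FILTER_VALIDATE_IP, $flags)) return false;
    }
    return true;
}

// Constructed sample inputs; the stub resolver keeps the demo offline.
$key = 'replace-with-a-long-random-secret';
$stub = function ($host) {
    $map = array('img.example.org' => array('93.184.216.34'),
                 'wiki.example.org' => array('10.0.0.5'));
    return isset($map[$host]) ? $map[$host] : false;
};
$samples = array('http://img.example.org/a.png', 'http://wiki.example.org/logo.png',
                 'http://127.0.0.1/x.png', 'ftp://img.example.org/a.png');
foreach ($samples as $u) {
    $sig = imgproxy_sign($u, $key);
    printf("%-34s signed=%s tampered=%s public=%s\n", $u,
        var_export(imgproxy_verify($u, $sig, $key), true),
        var_export(imgproxy_verify($u . '?x', $sig, $key), true),
        var_export(imgproxy_is_public_url($u, $stub), true));
}
```

With CURLOPT_FOLLOWLOCATION enabled, a redirect can still lead to an internal host, so the proxy would need to disable redirects or apply the same check to every Location it follows.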
6. Check Other Paths
In some vBulletin forums, the smiley paths or avatar (Custom or built-in) paths are absolute paths. So when that user has a post in a thread, it may throw a mixed content warning. Make sure to check those paths for either relative URLs or have HTTPS-based URLs.
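To confirm that steps 3, 4 and 6 caught everything, the rendered HTML of a thread page can be checked for sub-resources that are still requested over plain HTTP. This is an added example, not part of the original article; the function name and the sample markup are constructed for illustration.

```php
<?php
// Added example, not the article's code. Function name and sample HTML are constructed.
// Lists sub-resources that a page served over HTTPS would still load over plain HTTP.
function find_mixed_content($html) {
    $watch = array(   // tag => attribute that makes the browser fetch something
        'img' => 'src', 'script' => 'src', 'iframe' => 'src',
        'link' => 'href', 'embed' => 'src', 'source' => 'src',
    );
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // forum markup is rarely valid HTML
    $doc->loadHTML($html);
    libxml_clear_errors();
    $hits = array();
    foreach ($watch as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            // <link rel="canonical"> and similar are not fetched, so skip them.
            if ($tag === 'link' && !preg_match('/stylesheet|icon/i', $node->getAttribute('rel'))) continue;
            $value = trim($node->getAttribute($attr));
            if (stripos($value, 'http://') === 0) $hits[] = "<$tag $attr> $value";
        }
    }
    // Inline CSS can also pull in images: url(http://...)
    if (preg_match_all('~url\(\s*[\'"]?(http://[^\'")\s]+)~i', $html, $m)) {
        foreach ($m[1] as $u) $hits[] = "css url() $u";
    }
    return $hits;
}

// Constructed sample page: absolute logo, analytics script, relative smiley,
// an image already routed through the proxy, and an ordinary hyperlink.
$sample = <<<'HTML'
<html><head>
<link rel="canonical" href="http://forum.example.org/showthread.php?t=1">
<link rel="stylesheet" href="http://forum.example.org/clientscript/style.css">
<script src="http://stats.example.net/analytics.js"></script>
</head><body>
<img src="http://forum.example.org/images/misc/logo.gif">
<img src="images/smilies/smile.gif">
<img src="/imgproxy.php?u=http%3A%2F%2Fimg.example.org%2Fa.png&amp;h=PLACEHOLDER">
<a href="http://other.example.com/">plain link, not a sub-resource</a>
<div style="background: url(http://forum.example.org/images/bg.png)"></div>
</body></html>
HTML;
foreach (find_mixed_content($sample) as $hit) echo $hit, "\n";
```

Relative paths, proxied images and ordinary hyperlinks are not reported; only the logo, stylesheet, script and CSS background in the sample are.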
7. Finally, Redirect HTTP to HTTPS
The vBulletin forum is now available on the HTTP URL as well as the HTTPS URL. It is good practice to redirect the HTTP version of the site to HTTPS using .htaccess. Here is the simple code one can add right at the top of the .htaccess file.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>