Tags: .htaccess, http-redirect, https, lets-encrypt, xenforo

https website cannot be properly loaded without proxy


I have a website that has a forum (created with XenForo) on the homepage. I have recently set up HTTPS with Let's Encrypt (I enabled it server-side with cPanel). The website worked fine with HTTP.

Now that I have HTTPS I am having issues because some people can access the website as always but others cannot. The ones who can't open my website have to use a proxy and then the website loads.

This error started happening after I edited a line in my .htaccess file:

#   Mod_security can interfere with uploading of content such as attachments. If you
#   cannot attach files, remove the "#" from the lines below.
<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    # I HAVE ADDED THESE 2 NEW LINES
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://forums.example.com/$1 [R,L]

    #   If you are having problems with the rewrite rules, remove the "#" from the
    #   line that begins "RewriteBase" below. You will also have to change the path
    #   of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #   This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ /index.php [NC,L]

</IfModule>

I have added these 2 lines:

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://forums.example.com/$1 [R,L]

And now I have this weird issue: some people can access my website, others cannot, and they have to use a proxy!

I added those rules because I need to redirect all HTTP to HTTPS, so http://forums.example.com/ must become https://forums.example.com/. I have never had this issue before. Any ideas?


Solution

  • First

    What's the specific error message that these people are getting?

    When I was building Greenlock I encountered a similar problem and it turned out to be that the certificate was not being loaded correctly, so I'm assuming that this is a TLS "privacy error" from the browsers, not a DNS or HTTP issue.

    Next

    I'm not familiar with cPanel, but I am very familiar with the ACME standard and clients.

    Greenlock, certbot, and many other Let's Encrypt clients use a convention of naming the certificate files like this:

    • privkey.pem
    • cert.pem
    • chain.pem
    • fullchain.pem (cert.pem + chain.pem)

    Some also have bundle.pem (fullchain.pem + privkey.pem).

    Many web servers call for CRT and KEY in their documentation. Intuitively you might think that CRT would be cert.pem and KEY is privkey.pem.

    This is usually incorrect.

    CRT is fullchain.pem

    If your site is configured to use cert.pem as the CRT instead of fullchain.pem you will have the issue you describe.

    The reason is that anyone who has visited any site that properly uses the same intermediate authority as you will see the page as intended - the necessary chain.pem will already exist in the browser's cache.

    However, anyone with a browser that doesn't have that missing piece already in a cache will get a security error.

    Why would it work through a proxy?

    It depends on the type of "proxy" - because that can mean different things to different people.

    My guess is that the proxy is being used for more sites than the person's browser is (particularly a lot of small hobbyist sites that are using that same chain) and perhaps the proxy is actually downloading the site, decrypting it, and then relaying it, or perhaps the proxy is somehow supplementing the certificate chain with its own cache.

    Possible Solution for Browser Privacy Error

    Your problem may be completely different from the problem that I've had. It may be coincidence that the symptoms sound so similar.

    I don't want to lead you down a rabbit hole that won't get you anywhere, but I think that checking your settings to make sure that you're using fullchain.pem and not cert.pem is an important first step.

    Possible Solution for .htaccess Redirects

    The issue with the redirects sounds coincidental to me. I doubt it's related.

    Most likely once your site forced https, more visitors with the browsers that didn't have Let's Encrypt intermediate certificates in their caches suddenly started to notice the problem because they were now affected.

    However, if you can back out those changes and confirm that HTTPS (SSL-enabled) works for those users, then I'd suggest that instead of doing redirects you try adding headers that will do the same:
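The check the answer recommends (is the server handing out cert.pem or fullchain.pem?) can be scripted. The following is an added example, not code from the question, the answer, or the Greenlock/certbot projects. It assumes the cert.pem / chain.pem / fullchain.pem naming convention the answer describes, works on PEM text only (it counts and compares CERTIFICATE blocks without parsing X.509), and the certificate bodies and the `openssl s_client` transcript it runs on are constructed placeholders, not real Let's Encrypt material:

```python
"""Audit which PEM file a web server has been given as its "CRT".

Added example, not code from the original question or answer. It works on
PEM text only (no X.509 parsing), so the sample certificates below are
constructed placeholders, not real certificates.
"""
from __future__ import annotations

import re

# One PEM CERTIFICATE block; DOTALL so the base64 body may span lines.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text: str) -> list[str]:
    """Return the base64 body of every CERTIFICATE block, in file order,
    with whitespace removed so bodies compare regardless of line wrapping."""
    return [re.sub(r"\s+", "", body) for body in _PEM_CERT.findall(text)]


def assemble_fullchain(cert_pem: str, chain_pem: str) -> str:
    """fullchain.pem is cert.pem followed by chain.pem (leaf first)."""
    return cert_pem.rstrip("\n") + "\n" + chain_pem.lstrip("\n")


def audit_crt(crt_pem: str, cert_pem: str, chain_pem: str) -> dict:
    """Compare the file handed to the server (crt_pem) against the expected
    leaf (cert_pem) and intermediates (chain_pem) and report what is wrong."""
    served = pem_blocks(crt_pem)
    leaf = pem_blocks(cert_pem)
    chain = pem_blocks(chain_pem)
    findings = []
    if not served:
        findings.append("CRT file contains no certificate")
    elif served == leaf and chain:
        findings.append("CRT is cert.pem only: intermediate(s) from chain.pem "
                        "are not sent; point the server at fullchain.pem")
    elif served == chain + leaf:
        findings.append("CRT lists the intermediate before the leaf; "
                        "the leaf certificate must come first")
    elif served != leaf + chain:
        findings.append("CRT does not match cert.pem + chain.pem")
    return {
        "served": len(served),
        "expected": len(leaf) + len(chain),
        "ok": not findings,
        "findings": findings,
    }


def diagnose_s_client(transcript: str) -> dict:
    """Read captured `openssl s_client -showcerts` output and report how many
    certificates the server actually sent. OpenSSL's 'unable to get local
    issuer certificate' (verify error 20) together with a single served
    certificate is the usual signature of a missing intermediate."""
    served = len(pem_blocks(transcript))
    return {
        "served": served,
        "issuer_not_found": "unable to get local issuer certificate" in transcript,
    }


# Constructed placeholders: base64-looking bodies, not real certificates.
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBLEAFxPLACEHOLDERxforumsexamplecomxLEAFxPLACEHOLDER
-----END CERTIFICATE-----
"""
CHAIN_PEM = """-----BEGIN CERTIFICATE-----
MIIBINTERMEDIATExPLACEHOLDERxINTERMEDIATExPLACEHOLDER
-----END CERTIFICATE-----
"""
FULLCHAIN_PEM = assemble_fullchain(CERT_PEM, CHAIN_PEM)

# Constructed s_client transcript for a server configured with cert.pem only.
S_CLIENT_CERT_ONLY = """CONNECTED(00000003)
depth=0 CN = forums.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = forums.example.com
   i:C = US, O = Let's Encrypt, CN = R3
""" + CERT_PEM + "---\n"

if __name__ == "__main__":
    print("cert.pem as CRT:     ", audit_crt(CERT_PEM, CERT_PEM, CHAIN_PEM))
    print("fullchain.pem as CRT:", audit_crt(FULLCHAIN_PEM, CERT_PEM, CHAIN_PEM))
    print("s_client transcript: ", diagnose_s_client(S_CLIENT_CERT_ONLY))
```

To use it on a live server, capture `openssl s_client -connect forums.example.com:443 -servername forums.example.com -showcerts </dev/null` into a file and pass its contents to `diagnose_s_client`, and pass the real cert.pem, chain.pem and whatever file the server's CRT setting points at to `audit_crt`. Two caveats when reading the result: verify error 20 also appears when the local trust store simply lacks the root, so rely on the served-certificate count rather than the error text alone; and a browser that already has the intermediate cached (or fetches it itself from the certificate's AIA URL) will load the site fine, which is exactly why the answer's "some visitors are fine, others get an error" pattern is so easy to misattribute.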