So, finally started the fun of getting our site switched over to https. Forum is working, most of the rest of the site is getting the sacred padlock.

But the forum does have ONE image that is mysteriously showing up as not cooperating.

An image with an insecure url of "http://www.subsim.com/radioroom/images/icons/icon1.png" was loaded on line: 742 of https://www.subsim.com/radioroom/index.php.

Ok, so it sound like maybe that one icon was hardcoded into a template or php file somewhere, god only knows why. I have searched all the templates for icon1.png and http://www.subsim.com.... nothing!

I've checked the Styles CSS and MainVar section... nada!

I've dug through the php files. Cannot find it.

So, the friendly folks at vBulletin suggested using a 301 redirect and that will work, but now I want clean up as much as I can, and I gots to know, just where can I find where vBull sets the "thread icons" ?>?

Edit: Wayne+Omnibus pointed me in the right direction, vBulletin Options/Thread Display Options

Tip: create a style replacement variable in your styles to replace http://www.subsim.com with https://www.subsim.com

Thanks, Dave. Yes, we did that. It was that one remaining default icon setting, I could swear I went through all the VB settings, I don't know how I missed that one, it was pretty obvious.

Thanks, Dave. Yes, we did that. It was that one remaining default icon setting, I could swear I went through all the VB settings, I don't know how I missed that one, it was pretty obvious.

Like Wayne said in the other forum it's easy to miss. vB3.x wasn't exactly laid out with ease of use in mind. :)

In that case, add this to your headers

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

More info: CSP: upgrade-insecure-requests - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests)

To sum it up, if a asset can be served via SSL (https) and isn't, then adding this tag will force it to be served via SSL.

In that case, add this to your headers

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

More info: CSP: upgrade-insecure-requests - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests)

To sum it up, if a asset can be served via SSL (https) and isn't, then adding this tag will force it to be served via SSL.

Ok, kaoss, I'm on it!

Like Wayne said in the other forum it's easy to miss. vB3.x wasn't exactly laid out with ease of use in mind. :)

First let me thank you again! So nice to help.

I'm still shaking my head :p My first thought was to check the style templates with a search. Then we checked the StyleVars and CSS. Then I went through the various vBulletin Options, one at a time, looking for anything related to that icon, or anything with an http:// prefix. I must have skipped that one, and never looked back. I spent several hours checking php files, wow, it was so easy but I missed it!

So, finally started the fun of getting our site switched over to https.

Hi Panzer Max, would you mind briefly explaining the steps to switch a vBulletin site to https ?

1. Buy SSL Cert
2. Install on server.
3. Setup apache/nginx whatever your running to serve the site in SSL & force a 301 to https
4. Change forum URL to https in the admincp
5. Fix any issues related to images etc by using to dev console in your browser, which could be smilies, post icons etc.

Hi Panzer Max, would you mind briefly explaining the steps to switch a vBulletin site to https ?

Hi Kevin, in our case, our data center manager called and said he had to upgrade our php to a higher version for security. Not being sure our 3.8 forum would actually work on newer versions of php, we had been hanging on to an outdated version to keep 3.8 running. We don't know if there were compatibility errors with vB, but he said he went through the whole site and fixed a few php errors.

At some point in the php upgrade he installed the SSL certificates through cPanel.

This explains the nginx change (https://www.keycdn.com/support/how-to-redirect-http-to-https)snakes is referring to. I did not make this change, I assume the DC tech did this in conjunction with the SSL certificates, but I will need to confirm.

Our admin changed the htaccess file to force the redirect to https (https://lithiumhosting.com/billing/knowledgebase/253/How-to-force-HTTPS-using-your-htaccess-file.html)

Then I got the job of searching the templates for http://www.oursite.com and changing to https://www.oursite.com
I also checked all the php pages in the vB folders for any mention of http

Last, we have a team who have been going through all 1800 html and php pages on site to find and replace http://www.oursite.com with https://www.oursite.com

Then some spot checking with https://www.whynopadlock.com/

Hi snakes1100 and Panzer Max, thanks for the advice and sorry about the late response, juggling too many things at the moment :(