search

SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License
4.42k stars 296 forks source link

ERR_TOO_MANY_REDIRECTS or mixed insecure content with wordpress #269

Closed nwesthoff closed 3 years ago

nwesthoff commented 3 years ago

Hey!

I've used https-portal extensively to host all sorts of applications, successfully. But I'm getting really stuck hosting a simple wordpress site... I don't think I'm doing anything out of the ordinary, this is my compose file:

version: "3"

services:
  https-portal:
    container_name: https-portal
    image: steveltn/https-portal:1.8
    restart: unless-stopped
    links:
      - wordpress
    ports:
      - 80:80
      - 443:443
    environment:
      DOMAINS: 'subdomain.domain.com -> http://wordpress:80'
      # STAGE: "production"

  db:
    image: mariadb
    container_name: db
    restart: unless-stopped
    env_file: .env
    environment:
      - MYSQL_ROOT_PASSWORD:${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=wordpress
    volumes:
      - dbdata:/var/lib/mysql

  wordpress:
    depends_on:
      - db
    links:
      - db:mysql
    image: wordpress:latest
    container_name: wordpress
    restart: unless-stopped
    env_file: .env
    environment:
      - WORDPRESS_DB_HOST:db:3306
      - WORDPRESS_DB_USER:${MYSQL_USER}
      - WORDPRESS_DB_PASSWORD:${MYSQL_PASSWORD}
      - WORDPRESS_DB_NAME:wordpress
    volumes:
      - /var/www/app:/var/www/html

volumes:
  dbdata:

Initially I got an ERR_TOO_MANY_REDIRECTS. Where the wordpress container would tell me it's 301 redirecting in a loop. So I added the following section to wp-config.php, as per https://github.com/docker-library/wordpress/issues/412: 

/**
 * Handle SSL reverse proxy
 */
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS']='on';

if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}

I can now reach my site through the domain, but now I'm getting mixed content issues:

Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
8Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure script '<URL>'. This request has been blocked; the content must be served over HTTPS.
(index):1 Mixed Content: The page at 'https://subdomain.domain.com/' was loaded over HTTPS, but requested an insecure image 'http://subdomain.domain.com/wp-content/themes/app/static/img/logo-mark.svg?0.0.8'. This request has been blocked; the content must be served over HTTPS.
(index):1 Mixed Content: The page at 'https://subdomain.domain.com/' was loaded over HTTPS, but requested an insecure image 'http://subdomain.domain.com/wp-content/themes/app/static/img/logo-payoff.svg'. This request has been blocked; the content must be served over HTTPS.

The 'fix' already feels unnecessary since wordpress seems to be a supported use-case. But it's not having it... Got a clue?

SteveLTN commented 3 years ago

Hi!

First of all, your HTTPS-PORTAL version (1.8) seems really old. Please update to the latest 1.17.

But I believe this isn't the real issue here. From my limited experience of WordPress, it is aware whether it's under https or http. If you set up a Wordpress in HTTP, then migrate it to HTTPS, it will try to perform redirection.

Did you try to start a WP app fresh? It your app isn't fresh, you probably need to change some settings in wp-config.

Maybe in the older versions of HTTPS-PORTAL, HTTP_X_FORWARDED_HOST wasn't properly set. Anyway, updating to latest might be a good idea.

nwesthoff commented 3 years ago

Thanks for the quick response! I used duplicator to restore, which also replaces the old url, and used https:// in the url to replace. But I don't think that's it, since I'm getting mixed content messages even on a clean Wordpress installation.

I think Wordpress:latest runs php with apache, I suspect that might cause a conflict? Though I can't ground that.

SteveLTN commented 3 years ago

I did some digging and managed to recreate this issue. According to wordpress' document, it will recognize X-Forwarded-Proto request header. However it doesn't appear to be the case. I made sure that HTTPS-PORTAL is adding this header to the request, however the Wordpress image isn't changing the assets/redirection paths to https. I am pretty sure it used to work. You probably want to talk to them.

nwesthoff commented 3 years ago

As it usually turns out, I was too lazy to read. I had added this section at the end of wp-config:

/**
 * Handle SSL reverse proxy
 */
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS']='on';

if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}

Removing the first if statement, and moving this section to the top of wp-config worked! Thanks a lot for your help Steve šŸ™šŸ»