danielbrendel / hortusfox-web

Self-hosted collaborative plant management system for your local environment
https://www.hortusfox.com
MIT License
606 stars 33 forks

Wrong protocol when used behind a proxy #62

Closed InputObject2 closed 8 months ago

InputObject2 commented 8 months ago

I'm trying to host this behind a proxy that does SSL termination. The hortusfox-web server itself is serving in http.

The first page loads fine but the html seems to want to load all the other pages over http and the referenced resources don't load.

Some sample errors:

Mixed Content: The page at 'https://plants.example.com/auth' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://plants.example.com/login'. This endpoint should be made available over a secure connection
Mixed Content: The page at 'https://plants.example.com/auth' was loaded over HTTPS, but requested an insecure script 'http://plants.example.com/js/app.js?v=1704592260'. This request has been blocked; the content must be served over HTTPS.

It seems like we're not using the user's protocol (https) but the server protocol (http) to generate the links:

<title></title>

<link rel="icon" type="image/png" href="http://plants.example.com/logo.png"/>
<link rel="stylesheet" type="text/css" href="http://plants.example.com/css/bulma.css"/>

<script src="http://plants.example.com/js/vue.min.js"></script>
<script src="http://plants.example.com/js/fontawesome.js"></script>

Normally this would be handled by trusting the proxy and using the X-FORWARDED-PROTO header to determine what protocol to use for the URLs.

Are there environment variables that I should give to the hortusfox-web app to make use of this?

danielbrendel commented 8 months ago

There is currently no way to influence the protocol detection via the inbuilt env variables. The framework determines the used protocol via checking $_SERVER['HTTPS'].

While not part of the current framework version, this can be achieved by checking the header for HTTP_X_FORWARDED_PROTO and then setting the HTTPS header value accordingly via the public/index.php:

if ((isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) && ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')) {
    $_SERVER['HTTPS'] = 'on';
}

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

This should work in the end. If you want we can put the implementation of this in a separate branch and you could test it? Or you might want to modify your index.php testwise and post the result. It's just important that the above code would be placed before the following line:

//Include the framework bootstrap script in order to process the application
require_once __DIR__ . '/../vendor/danielbrendel/asatru-php-framework/src/bootstrap.php';
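
A variant of the check above that honours X-Forwarded-Proto only when the request's direct peer (REMOTE_ADDR) is the reverse proxy, since any client that can reach the app directly can send the header itself. This is an added example, not code from this thread or from hortusfox-web; the function names and the TRUSTED_PROXIES ranges are hypothetical.

```php
<?php
// Added example, not hortusfox-web or framework code. The ranges below are
// constructed sample values; replace them with your proxy's real address.
const TRUSTED_PROXIES = ['127.0.0.1/32', '::1/128', '172.18.0.0/16'];

// True when $ip lies inside $cidr (IPv4 or IPv6; a bare address means exact match).
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or IPv4/IPv6 mismatch
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = $max;
    } elseif (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // malformed prefix length
    }
    $bits = (int) $bits;
    $bytes = intdiv($bits, 8);
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // mask for the partial byte
    if (strncmp($ipBin, $netBin, $bytes) !== 0) {
        return false;
    }
    return $bits % 8 === 0
        || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Returns $server with HTTPS forced on only when the direct peer is a
// trusted proxy and that proxy reported https; otherwise returns it unchanged.
function applyForwardedProto(array $server, array $trusted): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    $fromProxy = false;
    foreach ($trusted as $cidr) {
        $fromProxy = $fromProxy || ipInCidr($peer, $cidr);
    }
    if ($fromProxy && $proto === 'https') {
        $server['HTTPS'] = 'on';
    }
    return $server;
}

// In public/index.php, before the framework bootstrap script is included:
$_SERVER = applyForwardedProto($_SERVER, TRUSTED_PROXIES);
```

The proxy itself should overwrite X-Forwarded-Proto on every request rather than pass through a value the client supplied.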

InputObject2 commented 8 months ago

Hey thanks for the quick answer! That actually works great, I'll PR it in a bit since I already have it in.