e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

Problems with SSL #1287

Closed realG closed 8 years ago

realG commented 8 years ago

Hi, I'm having issues getting SSL to play nicely with e107. If I enable SSL in the preferences, set my site url as https://mysite.com and turn on redirects, I get a Redirect Loop error.

I've tried leaving these settings alone and just forcing SSL through rewrite rules in .htaccess, and this seems to work ok, but I lose the ability to change any settings through the admin panel for some bizarre reason. By this I mean that I can navigate around the website and admin panel, all in glorious https, but if I change any setting and hit save, the UI refreshes and no changes occur. Nothing gets logged in the admin log, no errors in any server logs.

Has anyone encountered anything similar, any thoughts on what's going on?

I'm reasonably sure that my server and vhosts config is ok, since I'm running a few other CMS systems in forced SSL mode without any issues.

For completeness sake, this is a completely fresh install of the latest source pulled from github yesterday, no changes to default settings, no extra plugins, no caching, etc. Running on Apache/2.2.15 (Red Hat), PHP 5.4.40, MySQL 5.5.45.

tgtje commented 8 years ago

Comment : Used ssl a long time ago, but always used a single / for site url and redirection off ( had no issues) ( / how strange in this case.... would stand for ht_p and NOT for ht_pS) Try.. (htaccess not used as redirector).

realG commented 8 years ago

I have tried just turning SSL on in the preferences, and leaving site url default (/) and redirection off, but that also results in a Redirect Loop.

The only documentation about SSL use with e107 seems to be on the old v0.7 wiki, and that suggests to manually set site url to https://mysite.com and turn on redirection when turning on SSL in the preferences... I'm not sure whether that's still the recommended practice with v2.0.

Moc commented 8 years ago

Interesting one. Not sure. I've assigned Cameron to this issue, hoping that he knows something about it :)

tgtje commented 8 years ago

Just changed host : ssl available so testing Ssl through Dir-Admin set

On site settings: V 2 latest updates site url > / (bottom line displays https://domain) redirection > enabled

Security setting > ssl enabled.

Next things i had to do (so certificate is working correct) change some http (hardcoded url's) like fonts call etc.. to eliminate. Waited some minutes, deleted cache (+ cookies browser) > working fine url's point (also inside system where visible) to https.

Only some little things remain: when clicking top bar (main menu hovering mouse point https) not all links display the 'ssl-lock' icon.. reason ?? test result :

ssl

CaMer0n commented 8 years ago

@tgtje I found some ssl code in class2.php added by someone. Try commenting it out and see if that helps. ie. Line 513 - 526

tgtje commented 8 years ago

@CaMer0n did the test (if i comment out... the sec lock (+ssl) is disabled for all) Site reporting > not private.. so it is necessary to use !.

The 2 remaining present issues (no lock, but still https url) needs more investigating. I presume due the content, there could be a http in use (now knowing that any hardcoded url for http can have an effect).

tgtje commented 8 years ago

Just confirmation : the padlock not displaying is due to insecure http links ( on pages it are the 'stills' for YT movies), they come from outside but ssl check reports them. (deleting movie for test > padlock appears).

So it's up to @realG to test further.
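
Added example (not part of the thread and not e107 code): a small Python scanner for the cause tgtje identifies above, hardcoded http:// subresources such as font calls and video stills that suppress the padlock on an https page. The function name, sample page and hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource on page load.
# <a href> is navigation only, so plain http:// links do not affect the padlock.
FETCHING_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "source": ("src",), "video": ("src", "poster"),
    "object": ("data",), "link": ("href",)}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}  # canonical etc. are not fetched
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (line, where, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        if tag == "link" and not FETCHING_LINK_RELS & set(attrs.get("rel", "").lower().split()):
            return
        for name in FETCHING_ATTRS.get(tag, ()):
            url = attrs.get(name, "").strip()
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, url))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # e.g. @font-face src: url(http://...) in a <style> block
            for url in CSS_URL.findall(data):
                self.findings.append((self.getpos()[0], "style", url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; hosts and paths are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.org/page.php?3">
<style>@font-face { font-family: X; src: url('http://fonts.example.net/x.woff'); }</style>
</head><body><a href="http://example.com/elsewhere">plain link</a>
<img src="http://img.example.net/vi/VIDEO_ID/0.jpg" alt="video still">
<script src="//cdn.example.net/lib.js"></script></body></html>"""
```

Protocol-relative `//host/...` URLs inherit the page's scheme, so the scanner does not report them; run `find_mixed_content()` over the rendered HTML of any page that is missing the padlock.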

CaMer0n commented 8 years ago

@realG Please update and try again. Also you can enable debug in e107_config.php using:

    define('e_DEBUG', true);

realG commented 8 years ago

Thanks for all your comments and suggestions, sorry I did not respond sooner. I've updated to 2.1 so I'll do some more testing on this and get back to you

realG commented 8 years ago

Strange, I'm still seeing the redirect loop when I enable ssl through e107's site admin. This is on the latest git master as of today 24th March.

I'm testing this on red hat's Openshift hosting, which seems to offer decent ssl support out of the box: image

@tgtje Did you have to do anything at all with .htaccess to get it working?

realG commented 8 years ago

....also, on a completely unrelated note, I now can't get back in, I keep getting redirected to https and get stuck in the redirect loop...f#ck my life .. :)

@CaMer0n I'm pretty sure I've reverted all the changes I've done directly in SitePrefs, I don't have any caching turned on, cleared cookies/browser cache, but even after a server restart I still get redirected. Is there anything I'm missing?

CaMer0n commented 8 years ago

@realG I would disable the redirect in e107, and add the following to your .htaccess file (after RewriteEngine On):

    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://YOUR-WEBSITE.com/$1 [R,L]

The e107 redirect was never designed as a method to go from http to https.

tgtje commented 8 years ago

@realG, no, I did not make any change to htaccess; for complete use of https (even under php7) I just had to fix some hardcoded url's in use that used http instead of https. The rest is basic settings for e107..



realG commented 8 years ago

@CaMer0n Ok, thanks, I'll try playing around with .htaccess and see if I can make it work.

..also, just in case anyone also manages to lock themselves out by a change in the admin config as I did yesterday, I forgot that e107 keeps a cached config (S_Config_core.cache.php) in e107_system, so had to delete that after reverting changes in SitePrefs in the db to be able to log back in.

CaMer0n commented 8 years ago

@realG Thanks. That's a good point to share about the cache.

realG commented 8 years ago

@CaMer0n Just an update to this, still having the same issue on 2.1 as before. When I force https through .htaccess, I seem to lose the ability to change any settings through the admin pages. Navigating the site as a user works ok though.

I'll try poking around with the debugger and see if I can stumble on something worth note..

I'm starting to think there is some fundamental incompatibility between the host I'm using (OpenShift) and e107, which is really strange, since I've been also using it for tt-rss, joomla and wordpress and never saw any similar issues to what I'm having now. Here's the list I'm working through now, maybe it's all somehow connected?

Moc commented 8 years ago

This sounds as if the PHP session save path is not set correctly or not writable. Please have your hosting provider check this.

realG commented 8 years ago

@Moc I've tried messing around with session.save_path already. I'm pretty sure that the default save path is set correctly by the host, and I've never had session issues with other projects also hosted on OpenShift, but I've tried modifying it anyway, to a different dir that I know is writeable, and it's still not working.

It looks like e107 does its own test as well, since when I initially set it manually, I had a typo in the path and the phpinfo page in e107 admin did throw up a warning that session.save_path was not writeable. After I corrected the path, that warning went away, so I assume as far as e107 is concerned that path should now work.

What happens is, when I switch from using cookies to sessions, I go to the login.php page, type in my user/password, hit the Log In button, and the page just seems to refresh. No errors or messages, I just seem to get redirected back to login.php...

CaMer0n commented 8 years ago

@realG, I have a couple of sites running on SSL without a problem, but I would be happy to take a look at your installation and try to track-down the cause of this issue. We can discuss more here: https://gitter.im/e107inc/e107 if you have time. Thanks

btw. I've noticed on some servers, that when a fatal PHP error occurs it returns the user back to the start page (and logs the error to error_log usually).

CaMer0n commented 8 years ago

@realG May we close this one now?

realG commented 8 years ago

@CaMer0n Yes, my e107 site is now running over https like a champ. Thanks for your help!

Taffman commented 4 years ago

Was the problem with login.php ever resolved, I still get this problem, users cannot login into my site if SSL enabled?

Moc commented 4 years ago

@Taffman Please create a new issue and reference this one in there. I have several websites running just fine on HTTPS/SSL. In your new issue, please also describe what happens when a user tries to login. And provide a screenshot of your settings.

Taffman commented 4 years ago

Still running Version 1.0.4 here, which I know is no longer supported, so can't raise a new issue; just wondered, given the age of this thread, if the reported issue of login.php just refreshing (empty fields) as reported above was resolved.

Moc commented 4 years ago

All the issues here on Github are for v2.x. As you said v1.x is no longer supported. Please find us on Gitter if you need help with updating to v2.

This current issue is closed as resolved and is not related to your issue. This issue concerned a redirection loop, which has been fixed.