lucasdiedrich / ojs

Open Journal Systems (OJS) is a journal management and publishing system.
GNU General Public License v3.0

problem when the server is running with https #20

Closed Potomac54 closed 5 years ago

Potomac54 commented 5 years ago

Hello,

Do you know if OJS 3.x can work with secure connections? (https mode)

I tried to run the image with a server configured to https, and there are problems, css files are not used, I get a raw display (just text),

according to this old thread in the forum I am not alone with this problem : https://forum.pkp.sfu.ca/t/ojs-https-configuration/6679

I tried to set "force_ssl" to on in the config.inc.php file, but it doesn't fix the problem, it makes it worse with a redirect loop,

is it a problem with the apache config file provided with the image ? https://github.com/lucasdiedrich/ojs/blob/master/files/etc/apache2/conf.d/ojs.conf

thanks

lucasdiedrich commented 5 years ago

This is hard to tell @Potomac54 , are you using another proxy to reach the container? like traefik for example?

Potomac54 commented 5 years ago

I will ask my colleague, there is probably a proxy, or something complex in the network

marcbria commented 5 years ago

OJS works perfectly fine with https, but secure connections with docker can be a mess.

I made it work with traefik on a clean server (raise a traefik docker, set it correctly, uncomment the docker-config lines and let the hamster do the work for you), but on my production machine, where docker is living with an apache, it's something crazy (apache redirects to traefik and certificate management goes crazy).

If you are lucky and you have a docker only server, traefik will work like a charm.

Publish your doubts in the pkp forum so others can also help with the configuration.

lucasdiedrich commented 5 years ago

Actually, thinking about that again, I might have had the same issue before. It was something about how OJS handles force-ssl using a redirect, and my proxy server (Apache at the time) also used to handle the http to https redirection, but for some reason OJS never put https for assets. But I don't remember how I fixed that.

Any news about this @Potomac54 ?

Potomac54 commented 5 years ago

@marcbria @lucasdiedrich with my colleague we found a solution :

and we put these lines :

    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule expires_module modules/mod_expires.so

    # Expose the container's HTTPS environment variable to Apache (and so to PHP)
    PassEnv HTTPS

    ServerName www.example.com
    DocumentRoot /var/www/html

    RewriteEngine on
    <Directory /var/www/html>
        Options FollowSymLinks
        AllowOverride all
        Allow from all

        # This removes index.php from the url
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php/$1 [QSA,L]
    </Directory>

    ErrorLog  /var/log/apache2/error.log
    CustomLog  /var/log/apache2/access.log combined

note the important line : PassEnv HTTPS

HTTPS is a variable we created in Dockerfile :

    ENV OJS_VERSION="3_1_2-0"       \
            HTTPS="on" \

because in OJS source code there is a function "getProtocol()" which checks the value of HTTPS web environment variable, if $_SERVER["HTTPS"] is set to "on" then https protocol will be used by OJS,

https://github.com/pkp/pkp-lib/blob/master/classes/core/PKPRequest.inc.php

    /**
     * Get the protocol used for the request (HTTP or HTTPS).
     * @return string
     */
    function getProtocol() {
        if (!isset($this->_protocol)) {
            $this->_protocol = (!isset($_SERVER['HTTPS']) || strtolower_codesafe($_SERVER['HTTPS']) != 'on') ? 'http' : 'https';
            HookRegistry::call('Request::getProtocol', array(&$this->_protocol));
        }
        return $this->_protocol;
    }

so this is the solution if you want to use https on your server : create an environment variable "HTTPS", set it to "on" and pass it to apache with the statement "PassEnv HTTPS"
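The behaviour described in this thread, modelled as an added example (not part of the thread and not OJS code): the check from getProtocol() applied to the variables PHP sees behind a TLS-terminating proxy. The proxy model, the force_ssl redirect rule and all function names are assumptions made for illustration.

```php
<?php
// Added example, not OJS code. Constructed model: a proxy terminates TLS and
// forwards plain http to the container's Apache.

// Same test as the getProtocol() excerpt above, applied to a given $_SERVER array.
function protocol_seen_by_app(array $server): string {
    return (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on')
        ? 'https' : 'http';
}

// Hypothetical: $_SERVER as PHP sees it for one request reaching the backend.
// $passEnv models 'ENV HTTPS="on"' plus 'PassEnv HTTPS'. Nothing else sets
// HTTPS, because the connection between proxy and backend is never TLS.
function backend_server_vars(bool $passEnv): array {
    $server = ['REQUEST_URI' => '/index.php/index', 'SERVER_PORT' => '80'];
    if ($passEnv) {
        $server['HTTPS'] = 'on';
    }
    return $server;
}

// Assumed force_ssl behaviour: redirect to https while the app believes the
// request is http. The browser retries over https, the proxy strips TLS again,
// and the backend sees identical variables on every hop.
function browse(bool $passEnv, bool $forceSsl, int $maxHops = 5): string {
    for ($hop = 0; $hop < $maxHops; $hop++) {
        $proto = protocol_seen_by_app(backend_server_vars($passEnv));
        if (!$forceSsl || $proto === 'https') {
            return "page served after $hop redirect(s); asset URLs use $proto://";
        }
    }
    return "redirect loop, stopped after $maxHops hops";
}

// Constructed scenarios matching the symptoms reported in the thread.
$cases = [
    'no HTTPS var, force_ssl off' => [false, false],
    'no HTTPS var, force_ssl on'  => [false, true],
    'PassEnv HTTPS, force_ssl on' => [true, true],
];
foreach ($cases as $label => [$passEnv, $forceSsl]) {
    printf("%-28s -> %s\n", $label, browse($passEnv, $forceSsl));
}
```

Because the variable is static, `protocol_seen_by_app()` returns https for every request, including one that reaches the container over plain http: it describes the deployment, not the connection.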

lucasdiedrich commented 5 years ago

This is interesting, what about adding this the container environment @marcbria ?

marcbria commented 5 years ago

I'm so happy @Potomac54 found a solution but I'm unsure about adding it to the container.

Let me explain: According to the PHP manual, the $_SERVER['HTTPS'] env variable is set by the web server. So OJS code needs to detect this variable without tricks... if not, it's a bug that needs to be fixed in OJS (so we need to report to the PKP guys) or it is a misconfiguration in the web server (that we can help you to fix in the PKP forum).

Does it make sense to you?

@Potomac54 this post exposes the full configuration and could be helpful: https://forum.pkp.sfu.ca/t/ojs-31-problem-to-display-content-of-a-journal-with-its-own-domain-in-https-because-of-stylesheet-links-in-http/36067

If not, did you set all the HTTPs vars in ojs config file as follows?

To get the picture: Are you working with restful_urls (clean urls)? and base_url? allow_url_fopen? disable_path_info? Did you check the result of <?php var_export($_SERVER)?> in a simple "test.php" file? What web servers do you have between the client and the apache of the docker? What is the php log saying? and apache? and redirect? Looks like this variable is "false" if you are behind an IIS. Is this the case?

Please @Potomac54 if you got time, explain your case in PKP forum so I can forward you to PKP developers.

marcbria commented 5 years ago

BTW @Potomac54 sorry if I'm implicitly assuming an issue on your server's side. I start with this hypothesis because HTTPS is working fine in every installation I know, but I do not rule out that the problem could be (as you pointed out) a bug on the OJS side, like this one:

https://forum.pkp.sfu.ca/t/ojs-3-behind-reverse-proxy-how-to-achieve/25055

This week I will try to test the new image with "Let's encrypt" certificates or snake-oil ones to see if it's only @Potomac54 or a general issue, but till somebody else reports the same issue I don't think it's something we need to address in the container.

Do you agree?

Potomac commented 5 years ago

@marcbria : I don't know the details of the reverse proxy used by my colleague, maybe you are right when you said it's not a bug of ojs,

before finding the solution I tried to set these variables :


    force_ssl = On
    force_login_ssl = On

but it makes the situation worse,

the only solution for me is to create and set an environment variable "HTTPS" to "on", and pass it to apache conf (PassEnv HTTPS)

lucasdiedrich commented 5 years ago

That's the problem @marcbria, I think we don't pass the HTTPS env variable anywhere so OJS can read it. Ensuring this ENV variable exists via the Apache file will guarantee that SSL will work independent of which proxy the user is using.

lucasdiedrich commented 5 years ago

Already added the hotfix informed by @Potomac @Potomac54. Thanks.