open-eats / OpenEats

:pizza: Self Hosted Recipe Management App :hamburger:
https://open-eats.github.io/
MIT License

SSL Mixed Content #128

Closed adaptiman closed 4 years ago

adaptiman commented 4 years ago

I've successfully set up an OpenEats site at https://www.cookbook.thesweeneys.org. I've secured it with Let's Encrypt. Even though the main site content is served securely, for some reason, all images in the /site-media/ folder are being served via http rather than https. I know that this is probably an Nginx configuration issue, but thought I would see if anyone has had this issue. I've searched all of the repos for incidents of http:// rather than relative paths, but haven't found anything. Thanks for any help you can give.

UPDATE (5/30): After carefully examining Nginx, it appears that the React-Redux container (i.e., openeats-web) is constructing an http:// URL. I'm not familiar enough with this framework to troubleshoot it.

Here's my Nginx default.conf file:

upstream api {
  ip_hash;
  server api:API_PORT;
}

server {
    listen      80;
    listen [::]:80;
    server_name cookbook.thesweeneys.org www.cookbook.thesweeneys.org;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    #for certbot challenges (renewal process)
    location ~ /.well-known/acme-challenge {
        allow all;
        root /data/letsencrypt;
    }
}

# https://cookbook.thesweeneys.org
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cookbook.thesweeneys.org;

    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/cookbook.thesweeneys.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cookbook.thesweeneys.org/privkey.pem;

    ssl_buffer_size 8k;

    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
#    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    return 301 https://www.cookbook.thesweeneys.org$request_uri;
#    return https://www.cookbook.thesweeneys.org$request_uri;
}

# https://www.cookbook.thesweeneys.org
server {
    server_name www.cookbook.thesweeneys.org;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_tokens off;

    ssl on;

    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
#    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate /etc/letsencrypt/live/cookbook.thesweeneys.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cookbook.thesweeneys.org/privkey.pem;

    location / {
        root /var/www/html/openeats-static/public-ui;
        try_files $uri $uri/ /index.html;
    }

    location /static/  {
        root /var/www/html/openeats-static/public-ui;
        gzip on;
        gzip_types text/plain text/xml text/css
            text/comma-separated-values
            text/javascript application/x-javascript
            application/javascript
            application/atom+xml;

        expires max;
    }

    location /api/ {
        proxy_pass http://api;
        proxy_set_header Host $http_host;
    }

    location /admin/ {
        proxy_pass http://api;
        proxy_set_header Host $http_host;
    }

    location /static-files/ {
        root /var/www/html/openeats-static;
        try_files $uri /static-files/$uri;
    }

    location /site-media/ {
        root /var/www/html/openeats-static;
        try_files $uri /site-media/$uri;
    }
}

CMclarty commented 4 years ago

I'm having the same issue, but with the API:

Mixed Content: The page at 'https://sub.domain.uk/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://hostip:port/api/v1/news/entry/'. This request has been blocked; the content must be served over HTTPS.

Accessing at hostip:port works fine.

adaptiman commented 4 years ago

I was able to fix this by editing the openeats-api app at about line 215 by specifying the full URL:

# URL that handles the media served from MEDIA_ROOT. Make sure to use a
# trailing slash if there is a path component (optional in other cases).
# Examples: "http://media.lawrence.com", "http://example.com/media/"
MEDIA_URL = 'https://www.mywebsite.com/site-media/'

I don't know if this will work for the API since I'm not having a problem with that piece.

seebag commented 3 years ago

Got the same issue. I replaced the MEDIA_URL part with: MEDIA_URL = os.environ.get('NODE_API_URL', '') + '/site-media/' I think it could be a generic way to solve this issue?
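To confirm that a deployment no longer emits the http:// references reported in this thread (the /site-media/ images and the API endpoint), here is an added example, not part of OpenEats or of any comment above, that scans a page fetched over https for mixed-content references; the hostnames, port and HTML in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a subresource (href counts only on
# <link>; an <a href> is navigation, which browsers do not treat as mixed content).
_FETCH_ATTRS = {"src", "action", "data", "poster"}
_SCRIPT_URL = re.compile(r"""["'](http://[^"'\s]+)["']""")


class _RefCollector(HTMLParser):
    """Collects subresource URLs, plus http:// string literals inside inline scripts."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, raw url) in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if value and (name in _FETCH_ATTRS or (tag == "link" and name == "href")):
                self.refs.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.refs.extend(("script", "literal", u) for u in _SCRIPT_URL.findall(data))


def find_mixed_content(page_url, html):
    """Return (tag, attribute, absolute url) for every reference that resolves to http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # a page loaded over plain http cannot have mixed content
    parser = _RefCollector()
    parser.feed(html)
    hits = []
    for tag, attr, raw in parser.refs:
        absolute = urljoin(page_url, raw.strip())  # relative and // refs inherit https
        if urlsplit(absolute).scheme == "http":
            hits.append((tag, attr, absolute))
    return hits


SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/main.css"></head><body>
<img src="http://www.cookbook.example/site-media/recipe.jpg">
<img src="//www.cookbook.example/site-media/other.jpg">
<a href="http://www.cookbook.example/recipes/1">recipe</a>
<script>var api = "http://hostip:8000/api/v1/";</script></body></html>"""  # constructed sample, not real site output
```

Run it against the real index.html (and the API's JSON, if it carries absolute URLs) after changing MEDIA_URL: an empty result means the images and API calls will no longer be blocked by the browser.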