strukturag / nextcloud-spreedme

Spreed.ME Nextcloud app
https://www.spreed.me
GNU Affero General Public License v3.0

Mixed content (HTTP & HTTPS) while loading app (Nextcloud) #56

Closed enoch85 closed 8 years ago

enoch85 commented 8 years ago

I don't know if it's a bug or if my setup is wrong, but I'm trying to set up Spreed.Me on a Nextcloud server with an Nginx reverse proxy in front and Nextcloud on a backend Apache server. This is my setup:

Vhosts

Nginx Vhost

Handles port 443 and 80

```nginx
server {
    # Cloudflare IP that is masked by mod_real_ip
    error_page 404 500 502 503 504 /cloud-error.html;
    location = /cloud-error.html {
        root /usr/share/nginx/html;
        internal;
    }
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    listen 192.168.4.201:443 ssl http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/cloud.techandme.se/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.techandme.se/privkey.pem;
    ssl_dhparam /etc/nginx/sites-available/cloudflare_ip/cloud.techandme/cloud-dhparams.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Only use safe ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # Add secure headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # add_header X-Content-Type-Options nosniff;

    server_name cloud.techandme.se;
    set $upstream 192.168.4.111;

    location /webrtc/ws {
        proxy_pass https://$upstream:443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        proxy_request_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_ssl_session_reuse off;
    }
}

server {
    listen 192.168.4.201:80;
    server_name cloud.techandme.se;
    return 301 https://cloud.techandme.se$request_uri;
}
```

Apache Vhost Nextcloud

nextcloud.conf

```apache
# Note: the <VirtualHost ...> and <Directory ...> container directives around these
# lines were stripped when the issue was rendered; only the directives survive.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff

### YOUR SERVER ADDRESS ###
ServerAdmin user@email.com
ServerName cloud.techandme.se

### SETTINGS ###
DocumentRoot /var/www/nextcloud
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
Satisfy Any
Dav off

# just in case if .htaccess gets disabled
Require all denied

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
```

Apache Vhost SpreedMe

spreedme.conf (included from apache.conf)

```apache
# Note: the <Location ...> container directives around the ProxyPass lines were
# stripped when the issue was rendered; only the directives survive.
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
ProxyPass ws://127.0.0.1:8080/webrtc/ws

ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
```

Errors

Here is a good summary of all the errors: https://github.com/nextcloud/spreedme-snap/issues/10

Summary

It seems like you need to implement wss so that I can get secure connections, or it's my config that is wrong. Can you please help me here?

Thanks!

leonklingele commented 8 years ago

proxy_pass https://$upstream:443;

This looks wrong to me. It should be proxy_pass http://$upstream; (assuming your spreedme.conf gets loaded in <VirtualHost 192.168.4.111:80>)

enoch85 commented 8 years ago

@leonklingele Thanks for your sharp eyes.

Even if I set it to proxy_pass http://$upstream I get:

VM199:35 Mixed Content: The page at 'https://cloud.techandme.se/index.php/apps/spreedme/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://cloud.techandme.se/webrtc/ws'. This request has been blocked; this endpoint must be available over WSS.

And if I allow insecure scripts it works, but works badly. It recognizes my user, but other users can't use it and connect to the same rooms etc. (not tested that much though). Any ideas?

enoch85 commented 8 years ago

@leonklingele Here is a testroom.

(screenshot: deepinscreenshot20161031171825)

(screenshot: deepinscreenshot20161031171917)

leonklingele commented 8 years ago

Either use RequestHeader set X-Forwarded-Proto 'https' instead of RequestHeader set X-Forwarded-Proto 'https' env=HTTPS or configure your Apache server to listen on 192.168.4.111:443 + revert to proxy_pass https://$upstream;

enoch85 commented 8 years ago

RequestHeader set X-Forwarded-Proto 'https' solved it, thanks!
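The root cause in this thread is that the hop from Nginx to Apache is plain HTTP, so Apache's `HTTPS` environment variable is never set and `RequestHeader set X-Forwarded-Proto 'https' env=HTTPS` silently skips the header; the app then sees an http request and hands the browser a `ws://` URL, which the browser blocks as mixed content. The following Python model is an added example, not code from the Spreed.ME or Nextcloud projects; it walks through the four configurations discussed above and assumes, as a simplification, that the app emits `wss://` whenever `X-Forwarded-Proto: https` arrives and otherwise falls back to the scheme of the connection Apache saw.

```python
import re

# Constructed model of the Nginx -> Apache -> app chain from this thread.
# Assumption: the app uses X-Forwarded-Proto when present, else the hop scheme.
PROXY_PASS_RE = re.compile(r"proxy_pass\s+(https?)://[^:;\s]+(?::(\d+))?")
REQ_HEADER_RE = re.compile(
    r"RequestHeader\s+set\s+X-Forwarded-Proto\s+'?(https?)'?(?:\s+env=(\w+))?")


def websocket_url(nginx_proxy_pass, apache_listen_ports, apache_request_header,
                  host="cloud.techandme.se"):
    """Return the WebSocket URL the page is told to open, or raise ConnectionError."""
    m = PROXY_PASS_RE.match(nginx_proxy_pass.strip())
    hop_scheme = m.group(1)
    hop_port = int(m.group(2)) if m.group(2) else (443 if hop_scheme == "https" else 80)
    # Nginx can only reach Apache on a port Apache actually listens on.
    if hop_port not in apache_listen_ports:
        raise ConnectionError(f"Apache does not listen on port {hop_port}")
    # mod_ssl sets the HTTPS env var only when Apache terminated TLS on this hop.
    https_env = hop_scheme == "https"
    forwarded = None
    h = REQ_HEADER_RE.match(apache_request_header.strip())
    if h:
        value, condition = h.group(1), h.group(2)
        # "env=HTTPS" makes the directive conditional on that env var being set.
        if condition is None or (condition == "HTTPS" and https_env):
            forwarded = value
    scheme = forwarded or hop_scheme
    return f"{'wss' if scheme == 'https' else 'ws'}://{host}/webrtc/ws"


if __name__ == "__main__":
    cases = {
        "original (https hop, Apache only on :80)":
            ("proxy_pass https://$upstream:443;", [80],
             "RequestHeader set X-Forwarded-Proto 'https' env=HTTPS"),
        "http hop, conditional header (mixed content)":
            ("proxy_pass http://$upstream;", [80],
             "RequestHeader set X-Forwarded-Proto 'https' env=HTTPS"),
        "http hop, unconditional header (fix applied)":
            ("proxy_pass http://$upstream;", [80],
             "RequestHeader set X-Forwarded-Proto 'https'"),
        "https hop to Apache on :443 (alternative fix)":
            ("proxy_pass https://$upstream;", [80, 443],
             "RequestHeader set X-Forwarded-Proto 'https' env=HTTPS"),
    }
    for name, args in cases.items():
        try:
            print(f"{name}: {websocket_url(*args)}")
        except ConnectionError as exc:
            print(f"{name}: {exc}")
```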