typemill / typemill

Typemill is a lightweight, flat-file CMS designed for simple, fast, and flexible website and eBook creation using Markdown.
https://typemill.net
MIT License
427 stars 60 forks

mixed-content blocked behind proxy #72

Closed oliviercrouzet closed 3 years ago

oliviercrouzet commented 4 years ago

Hey Sebastian,

After having successfully tested Typemill on a Vbox, I am trying to make it work on a production server (apache server) which is behind a proxy (nginx) with ssl certificate. Problem: all mixed content is blocked; the site can display, but very badly of course. If I understand well, the base url is detected through Slim framework but it seems that it picks the url in http instead of https. Is there a way to force it to https?

Olivier

trendschau commented 4 years ago

Hi Olivier,

I am not familiar with that setup, but I run my Typemill websites on apache with https/ssl only. Did you already uncomment the http-redirect-rule in the htaccess file on the apache server?

# Use this to redirect HTTP to HTTPS on apache servers
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Yes, the base-url is detected through the Slim framework and I set some security headers depending on https. If that all does not work, then I suppose that the nginx-proxy causes the problem and I am not sure how to solve it within the Typemill applications...

oliviercrouzet commented 4 years ago

I had already tried to uncomment these lines... with a worse result. In reality my typemill documentation site is in its very web directory but as an apache alias of a main https site. Probably, as you pointed out, there is likely something to do at nginx level (but my colleagues in charge of this are a bit overbooked these times). I found, in my empiric way of very-far-from-being-a-php-geek, a solution to force Slim to https. In the Uri class (system/vendor/slim/slim/Slim/http/Uri.php), I set 'https' in hard copy to the scheme value:

public function __construct(
        $scheme,
        $host,
        $port = null,
        $path = '/',
        $query = '',
        $fragment = '',
        $user = '',
        $password = ''
    ) {
        //$this->scheme = $this->filterScheme($scheme);
        $this->scheme = 'https';

That does the trick, but I assume there should be a more orthodox way to proceed, and maybe some counter effects?

Olivier

trendschau commented 4 years ago

Hi Olivier,

if that is the solution, then your setup seems to call the http version instead of the https-version of the website. In fact I do a similar check with that scheme in the content controller here: https://github.com/typemill/typemill/blob/master/system/Controllers/Controller.php

        if($this->c->request->getUri()->getScheme() == 'https')
        {
            $response = $response->withAddedHeader('Strict-Transport-Security', 'max-age=63072000');
        }

I could create some kind of hidden configuration in the settings.yaml to force https in the next release. But it feels a bit like fixing a setup problem within typemill ...

Let me know what you think ...

Sebastian

oliviercrouzet commented 4 years ago

Hey Sebastian, I agree with you. I can understand you have priorities enough not to deal with this kind of specific config problem. Maybe if other users should complain of the same problem... As of now, I can go with this workaround. Just be aware of this when updating.

Olivier

trendschau commented 4 years ago

Hi Olivier,

thank you, I think I will check if a setting "forced https" is easy to integrate. If it is only some lines of code, then I can add it to the next release as a hidden feature for the settings.yaml-file...

Sebastian

trendschau commented 4 years ago

Hi Olivier,

I did some quick research into this but I cannot find a clean way to manipulate the scheme and I do not want to overwrite a core constructor of slim framework. The only way I found in other solutions is to check the scheme and to redirect http to https then. But this probably won't help in your case because your main site is https already as you said.

Reading your post again I see that you use an "apache alias of a main https site". I am not super familiar with that topic but you could try to use mod_rewrite instead of mod_alias. The htaccess should work then and mod_rewrite is the correct way to deal with https-redirects. As far as I understand the mod_alias cannot handle schemes.

Does that help? I will close this ticket then...

trendschau commented 3 years ago

Create middleware for proxy setup and use X-Forwarded header. See: https://github.com/slimphp/Slim/issues/1861

trendschau commented 3 years ago

Pushed to develop branch, proxy support will be part of version 1.4.0.

In settings, there is a checkbox for proxy now. Additionally the admin can add a comma-separated list of trusted IP addresses. If there are IP addresses added, then the system checks the REMOTE_ADDR header for that IP and only applies proxy support if the IP is in the list.

For proxy support the script checks for the X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port Headers and rewrites the scheme.

Used the proxy detection middleware by akrabat: https://github.com/akrabat/proxy-detection-middleware
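
The trusted-proxy check described in the comment above, sketched as an added example (not Typemill's or akrabat's code; the function name, its parameters and the sample addresses are assumptions). Because the HSTS header and the base URL depend on the detected scheme, forwarded headers are honoured only from listed peers and only when well-formed.

```php
<?php
declare(strict_types=1);

// Illustrative sketch; resolveForwardedUri() and its parameters are hypothetical names.
function resolveForwardedUri(array $server, bool $proxyEnabled, array $trustedProxies): array
{
    $https = strtolower((string) ($server['HTTPS'] ?? 'off'));
    $uri = [
        'scheme' => ($https !== '' && $https !== 'off') ? 'https' : 'http',
        'host'   => $server['HTTP_HOST'] ?? 'localhost',
        'port'   => (int) ($server['SERVER_PORT'] ?? 80),
    ];
    if (!$proxyEnabled) {
        return $uri;
    }
    // Per the thread: with a non-empty list only those peers may override the URI.
    // An empty list accepts X-Forwarded-* from any client, so list the proxy's IP.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ($trustedProxies !== [] && !in_array($peer, $trustedProxies, true)) {
        return $uri;
    }
    // Accept only well-formed single values; anything else leaves the default.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($proto === 'http' || $proto === 'https') {
        $uri['scheme'] = $proto;
    }
    $host = strtolower(trim($server['HTTP_X_FORWARDED_HOST'] ?? ''));
    if (preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host) === 1) {
        $uri['host'] = $host;
    }
    $port = trim($server['HTTP_X_FORWARDED_PORT'] ?? '');
    if (ctype_digit($port) && (int) $port >= 1 && (int) $port <= 65535) {
        $uri['port'] = (int) $port;
    }
    return $uri;
}

// Constructed sample requests (not from the thread): same headers, different peers.
$viaProxy = [
    'REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'backend.internal', 'SERVER_PORT' => '80',
    'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_HOST' => 'docs.example.org',
    'HTTP_X_FORWARDED_PORT' => '443',
];
$direct = ['REMOTE_ADDR' => '203.0.113.9'] + $viaProxy; // client bypassing the proxy

foreach (['trusted proxy' => $viaProxy, 'untrusted peer' => $direct] as $label => $req) {
    $u = resolveForwardedUri($req, true, ['10.0.0.5']);
    printf("%s -> %s://%s:%d\n", $label, $u['scheme'], $u['host'], $u['port']);
}
```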

trendschau commented 3 years ago

published with version 1.4.0