Mixed SSL Content Preventing Joomla Installation/Operation with Nginx

2.4k views Asked by At

I must be missing something obvious but I cannot install Joomla 3.6.5 on a site with SSL already in place due to mixed content.

I get the following in my browser console:

Mixed Content: The page at 'https://example.com/joomla/installation/index.php' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/joomla/installation/index.php'. This request has been blocked; the content must be served over HTTPS.

XMLHttpRequest cannot load http://example.com/joomla/installation/index.php. Failed to start loading.

Web searches for "Joomla Installation on SSL" and similar all generate pages that assume a search for how to introduce SSL AFTER installation.

Appreciate ideas on how to avoid having to switch off SSL just to install Joomla.

EDIT

Turns out this is an issue related to SSL Termination using a reverse proxy such as Nginx and that this does not affect Apache given the way Joomla v3.6 is written to operate.

2

There are 2 answers

0
Dayo On BEST ANSWER

Joomla v3.7: Installation & Operation

Firstly, a test of Joomla v3.7.x beta from GitHub as of 30 Dec 2016, appears to indicate that this is not an issue with that version. The version can be installed and operated without further intervention.

This was tested with proxy_set_header X-Forwarded-Proto $scheme;, discussed below, already in place but without the need to set live_site variable in configuration.php.


Joomla v3.6: Installation

If you try to install on a site already secured with SSL and a strict transport policy etc, the installation will fail due to mixed content. This failure is triggered when you press "Next" after filling in the items for Step 1 of 3 for the installation.

Note that this is a silent failure and you will simply find that there is no response after pressing the "Next" button. The only way to know there has been an error, is to check your js console.

To get around this, you will have to do some hacking:

  • Around Line 357 in /Installation/template/js/installation.js, change baseUrl = _base; to baseUrl = _base.replace("http://","https://");
  • Save and then start the installation.

Remember to clear your browser cache if you had already loaded the installation page before taking this action.

The installation folder is deleted after installation so this one-off hack is trivial.


Joomla v3.6: Operation

Key thing is to remember NOT to set the force_ssl parameter in configuration.php or Global Configuration in the Joomla Admin. The default value of '0' doesn't mean use NONSSL as the wording may suggest, but to maintain the protocol used for the current request. See notes in /libraries/joomla/application/route.php.

A) If using Nginx and FastCGI, such as PHP-FPM:

  • In Joomla, set the live_site variable in configuration.php to https://example.com/path/to/joomla
  • In Nginx, set fastcgi_param HTTPS "on"; in the location block handing php

B) If using Nginx and proxying PHP to Apache:

(In order of most to least desirable approach)

1. If mod_rpaf is enabled in Apache:

  • In configuration.php in Joomla, set the live_site variable to https://example.com/path/to/joomla
  • In the location block handing php in Nginx,

    • Set proxy_set_header X-Forwarded-Proto $scheme;
    • Set proxy_set_header X-Forwarded-Port $server_port;
    • Set proxy_set_header X-Forwarded-HTTPS "on";

    Note that there are two versions of mod_rpaf around. The older, original version with a "0.6" version tag is most likely to be found after a web search.

    While it works perfectly well for forwarding the Real IP from a reverse proxy, it does not do the other things needed here. The newer, independently developed one, forwards the Real IP, Real Port, and, Real Protocol.

    Unfortunately, if installing using a package manager, you will almost certainly get the older version. So download from GitHub and install manually

2. If mod_setenvif is enabled in Apache:

  • In configuration.php in Joomla, set the live_site variable to https://example.com/path/to/joomla
  • In the location block handing php in Nginx, set proxy_set_header X-Forwarded-Proto $scheme;
  • In Apache, set SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on in the relevant htaccess or conf file

3. If neither mod_rpaf nor mod_setenvif is available in Apache:

  • In Joomla
    • In configuration.php, set the live_site variable to https://example.com/path/to/joomla
    • Around Line 73 in /libraries/joomla/document/renderer/html/head.php, change $base = $document->getBase(); to $base = str_replace("http://", "https://", $document->getBase());
  • In the location block handing php in Nginx, set proxy_set_header X-Forwarded-Proto $scheme;

    This involves editing core Joomla files but as the next expected update is v3.7 where this issue appears resolved with the Nginx proxy_set_header directive in place, an upgrade should not result in any issues


References/Sources

  1. https://joomla.stackexchange.com/questions/1021/reverse-ssl-proxy-support
  2. https://forum.joomla.org/viewtopic.php?t=845318#p3313092
  3. https://www.hiawatha-webserver.org/forum/topic/1906
3
ScrewItFix On

I found in "libraries/joomla/uri/uri.php", around line 65 this code:

// Determine if the request was over SSL (HTTPS).
if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off'))
{
    $https = 's://';
}
else
{
    $https = '://';
}

It looks like that here the application is detecting it's SSL connection and obviously, fails when the server is behind a proxy that handles the SSL connection. For a test, I changed the else to 's://' and restored all other (previous) hacks. The " Mixed Content" issues are solved. However, one extension (OS Membership Pro) is having a strange issue now.

The Joomla Core Developer should look into this, providing a overwrite to force SSL. The "force_ssl" setting in configuration.php is not working as expected.