I must be missing something obvious but I cannot install Joomla 3.6.5 on a site with SSL already in place due to mixed content.
I get the following in my browser console:
Mixed Content: The page at 'https://example.com/joomla/installation/index.php' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/joomla/installation/index.php'. This request has been blocked; the content must be served over HTTPS.
XMLHttpRequest cannot load http://example.com/joomla/installation/index.php. Failed to start loading.
Web searches for "Joomla Installation on SSL" and similar all generate pages that assume a search for how to introduce SSL AFTER installation.
Appreciate ideas on how to avoid having to switch off SSL just to install Joomla.
EDIT
Turns out this is an issue related to SSL Termination using a reverse proxy such as Nginx and that this does not affect Apache given the way Joomla v3.6 is written to operate.
Joomla v3.7: Installation & Operation
Firstly, a test of Joomla v3.7.x beta from GitHub as of 30 Dec 2016 appears to indicate that this is not an issue with that version. The version can be installed and operated without further intervention.
This was tested with proxy_set_header X-Forwarded-Proto $scheme; (discussed below) already in place but without the need to set the live_site variable in configuration.php.
Joomla v3.6: Installation
If you try to install on a site already secured with SSL and a strict transport policy etc, the installation will fail due to mixed content. This failure is triggered when you press "Next" after filling in the items for Step 1 of 3 for the installation.
Note that this is a silent failure and you will simply find that there is no response after pressing the "Next" button. The only way to know there has been an error is to check your js console.
To get around this, you will have to do some hacking:
In /Installation/template/js/installation.js, change
baseUrl = _base;
to
baseUrl = _base.replace("http://","https://");
Remember to clear your browser cache if you had already loaded the installation page before taking this action.
The installation folder is deleted after installation so this one-off hack is trivial.
Joomla v3.6: Operation
Key thing is to remember NOT to set the force_ssl parameter in configuration.php or Global Configuration in the Joomla Admin. The default value of '0' doesn't mean use NONSSL as the wording may suggest, but to maintain the protocol used for the current request. See notes in
/libraries/joomla/application/route.php.
A) If using Nginx and FastCGI, such as PHP-FPM:
Set the live_site variable in configuration.php to https://example.com/path/to/joomla
Set fastcgi_param HTTPS "on"; in the location block handling php
B) If using Nginx and proxying PHP to Apache:
(In order of most to least desirable approach)
1. If mod_rpaf is enabled in Apache:
Set the live_site variable to https://example.com/path/to/joomla
In the location block handling php in Nginx, set
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-HTTPS "on";
Note that there are two versions of mod_rpaf around. The older, original version with a "0.6" version tag is most likely to be found after a web search.
While it works perfectly well for forwarding the Real IP from a reverse proxy, it does not do the other things needed here. The newer, independently developed one forwards the Real IP, Real Port, and Real Protocol.
Unfortunately, if installing using a package manager, you will almost certainly get the older version. So download from GitHub and install manually.
2. If mod_setenvif is enabled in Apache:
Set the live_site variable to https://example.com/path/to/joomla
In the location block handling php in Nginx, set proxy_set_header X-Forwarded-Proto $scheme;
Set SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on in the relevant htaccess or conf file
3. If neither mod_rpaf nor mod_setenvif is available in Apache:
Set the live_site variable to https://example.com/path/to/joomla
In /libraries/joomla/document/renderer/html/head.php, change
$base = $document->getBase();
to
$base = str_replace("http://", "https://", $document->getBase());
In the location block handling php in Nginx, set
proxy_set_header X-Forwarded-Proto $scheme;
This involves editing core Joomla files, but as the next expected update is v3.7, where this issue appears resolved with the Nginx proxy_set_header directive in place, an upgrade should not result in any issues.
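Why the settings above change the URLs the backend generates, as an added example that is not part of the original post and is not Joomla's own code: a PHP sketch of scheme detection behind a TLS-terminating proxy, which honors X-Forwarded-Proto only when the request comes from the proxy. The function names, the TRUSTED_PROXIES list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not Joomla code. The proxy address list is a constructed value.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

// Return 'https' or 'http' for a request described by a $_SERVER-shaped array.
function request_scheme(array $server, array $trusted = TRUSTED_PROXIES): string
{
    // Set by the web server: Apache doing TLS itself, Nginx via
    // fastcgi_param HTTPS "on";, or Apache via SetEnvIfNoCase ... HTTPS=on.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return 'https';
    }
    // TLS terminated upstream: honor X-Forwarded-Proto only when the direct
    // peer is the reverse proxy, since a client can send this header too.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    if ($proto === 'https' && in_array($peer, $trusted, true)) {
        return 'https';
    }
    return 'http';
}

// Build the absolute URL handed to the page (and to its XMLHttpRequest calls).
function base_url(array $server, string $host, string $path): string
{
    return request_scheme($server) . '://' . $host . $path;
}

// Constructed sample requests as the PHP backend would see them.
$samples = [
    'proxy, no forwarded header' => ['REMOTE_ADDR' => '127.0.0.1'],
    'proxy, X-Forwarded-Proto'   => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'fastcgi_param HTTPS "on"'   => ['REMOTE_ADDR' => '127.0.0.1', 'HTTPS' => 'on'],
    'direct client, same header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    printf("%-28s %s\n", $label, base_url($server, 'example.com', '/joomla/installation/index.php'));
}
```

The first sample reproduces the http:// base URL behind the mixed-content error; the last shows that the header alone, arriving from an address outside the proxy list, does not switch the scheme.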