Issue
I'm trying to configure nginx as a reverse proxy (using an nginx docker container running via network_mode: host) for a tine20 docker container (which uses apache2 as webserver).
I'm using the following reverse proxy configuration:
server {
    listen 443 ssl http2;
    server_name ${DOMAIN};
    ssl_certificate /etc/letsencrypt/live/${PATH}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${PATH}/privkey.pem;
    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    root /etc/letsencrypt/webrootauth;

    location / {
        proxy_pass http://${UPSTREAM};
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache anonymous;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }

    location /.well-known/acme-challenge {
        alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
        location ~ /.well-known/acme-challenge/(.*) {
            add_header Content-Type application/jose+json;
        }
    }
}

server {
    listen 80;
    server_name ${DOMAIN};
    return 301 https://$server_name$request_uri;
}
Apache inside the tine20 container uses the following configuration:
# Apache and PHP configuration for Tine 2.0
#
# Alias /tine20 /usr/share/tine20
# Alias /Microsoft-Server-ActiveSync /usr/share/tine20/Microsoft-Server-ActiveSync
# some people prefer a simple URL like http://tine20.example.org
# in this case you also have to disable the Alias lines above
<VirtualHost *:80>
    DocumentRoot /usr/share/tine20
    ServerName ${SERVER_NAME}
</VirtualHost>

<Directory /usr/share/tine20>
    Order Allow,Deny
    Allow from all
    DirectoryIndex index.php
    Options +ExecCGI

    <IfModule mod_php5.c>
        Define PHP_MODULE_INSTALLED
    </IfModule>
    <IfModule mod_php7.c>
        Define PHP_MODULE_INSTALLED
    </IfModule>

    <IfDefine PHP_MODULE_INSTALLED>
        php_admin_value max_input_time 120
        php_admin_value include_path .:/usr/share/tine20:/usr/share/tine20/library:/usr/share/tine20/vendor/zendframework/zendframework1/library:/etc/tine20
        php_admin_value open_basedir /usr/share/tine20:/var/lib/tine20:/tmp:/usr/share/php:/etc/tine20:/var/log/tine20
        php_admin_value session.gc_maxlifetime 86400
        php_admin_value memory_limit 128M
        php_admin_value upload_max_filesize 20M
        php_admin_value post_max_size 20M
        php_admin_value safe_mode off
        php_admin_flag display_errors off
        php_admin_flag log_errors on
        php_admin_flag magic_quotes_gpc off
        php_admin_flag magic_quotes_runtime off
        php_admin_flag register_globals off
        <IfModule mod_headers.c>
            # activate zlib compression and remove content-length header
            # this is necessary because of this php bug: https://bugs.php.net/bug.php?id=44164
            php_admin_flag zlib.output_compression on
            <FilesMatch "\.php$">
                Header unset Content-Length
            </FilesMatch>
        </IfModule>
        php_value max_execution_time 90
    </IfDefine>

    <IfModule mod_rewrite.c>
        RewriteEngine on
        # needs to be adapted if tine20 is not in subdir /tine20
        RewriteBase /tine20
        # ActiveSync
        RewriteRule ^Microsoft-Server-ActiveSync index.php?frontend=activesync [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        # OpenID
        RewriteRule ^users/(.*) index.php?frontend=openid&username=$1 [L,QSA]
        # WebDAV / CalDAV / CardDAV
        RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
        RewriteRule ^$ index.php?frontend=webdav [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^addressbooks index.php?frontend=webdav [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^calendars index.php?frontend=webdav [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^webdav index.php?frontend=webdav [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^principals index.php?frontend=webdav [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^remote.php index.php?frontend=webdav [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        # Anonymous downloads
        RewriteRule ^download/get/(.*) index.php?method=Download.downloadNode&path=$1 [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^download/show/(.*) index.php?method=Download.displayNode&path=$1 [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        # Routing
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php?doRouting=1 [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
    </IfModule>

    <IfModule mod_expires.c>
        ExpiresActive on
        ExpiresByType image/gif "access plus 1 month"
        ExpiresByType image/jpeg "access plus 1 month"
        ExpiresByType image/png "access plus 1 month"
        ExpiresByType text/css "access plus 1 month"
        ExpiresByType application/javascript "access plus 1 month"
    </IfModule>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/json
        <IfModule mod_headers.c>
            # properly handle requests coming from behind proxies
            Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </IfModule>
</Directory>
Using this configuration I'm running into the following error displayed in the Firefox Developer Console log:
Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure script 'http://localhost/Tinebase/js/fatClient.js-c79fcf9f7cddb7b5e69e-FAT.js'. This request has been blocked; the content must be served over HTTPS.
(index):1 Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure script 'http://localhost/index.php?method=Tinebase.getJsTranslations&locale=en&app=all&version=ce92dfccacd6bf202116c419e856ffea17b37604'. This request has been blocked; the content must be served over HTTPS.
To reproduce this error and experiment with the configurations, follow the instructions in this repository.
The problem with this error is that the tine20 application hosted from the docker container gets stuck loading forever when accessing the login page (https://localhost/), because the script files get blocked by the browser.
If you copy the requested http urls from the developer console and paste them into the url bar, the script gets loaded and is also correctly redirected to the https address (via the 301).
Now I don't really understand why the error arises and what to do to get the content correctly loaded.
Solution
Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure script 'http://localhost/Tinebase/js/fatClient.js-c79fcf9f7cddb7b5e69e-FAT.js'. This request has been blocked; the content must be served over HTTPS.
The solution for your problem is in the last bit of the above error message: "This request has been blocked; the content must be served over HTTPS."
So you are serving some assets over http when the page is being loaded over https, and browsers haven't allowed that for a long time now.
The reason the page gets stuck is that the asset being blocked by the server, *FAT.js, must be necessary to render the page.
Fix the source code to load it over the schema the page is being served by, using a relative schema, aka without the http(s) bit, just starting as //example.com/path/to/something.
In your specific case change to:
//localhost/Tinebase/js/fatClient.js-c79fcf9f7cddb7b5e69e-FAT.js
This way it will load the resource using the same http schema being used by the page that is loading it.
Repeat this for each resource that throws this message:
This request has been blocked; the content must be served over HTTPS.
Answered By - Exadra37 Answer Checked By - Clifford M. (PHPFixing Volunteer)
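An added example (not part of the question or the answer above, and not tine20's or nginx's code) that covers both halves of this thread: it scans an HTML page for sub-resources that would trigger the browser's mixed-content block, and applies the answer's scheme-relative rewrite to same-host URLs only. The markup is a constructed sample mimicking the two blocked requests in the question; the tag list and the active/passive split reflect standard browser mixed-content handling.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a page served from https://localhost/ (hypothetical,
# not tine20's real HTML) with several same-host http:// references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://localhost/Tinebase/css/tine.css">
<script src="http://localhost/Tinebase/js/fatClient.js-c79fcf9f7cddb7b5e69e-FAT.js"></script>
<script src="http://localhost/index.php?method=Tinebase.getJsTranslations&amp;locale=en"></script>
<script src="https://localhost/Tinebase/js/ok.js"></script>
<script src="//localhost/Tinebase/js/relative.js"></script>
<img src="http://cdn.example.invalid/logo.png">
</head><body></body></html>"""

# On an HTTPS page, http:// script/link/iframe sources are "active" mixed
# content and are blocked outright (the error in the question); http:// images
# are "passive" content, which browsers typically only warn about.
ACTIVE_TAGS = {"script": "src", "link": "href", "iframe": "src"}
PASSIVE_TAGS = {"img": "src"}


class MixedContentScanner(HTMLParser):
    """Collect every sub-resource URL that would be fetched over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, is_active)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag) or PASSIVE_TAGS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr, "")
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url, tag in ACTIVE_TAGS))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def make_scheme_relative(url, page_host):
    """The answer's fix: drop the 'http:' prefix for same-host URLs so the
    browser reuses the page's own scheme. Cross-host URLs are left untouched,
    since a third-party host might not serve HTTPS at all."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.netloc == page_host:
        return url[len("http:"):]
    return url
```

Running find_mixed_content over a saved copy of the login page lists exactly the resources the developer console reports, so the check can be repeated after each rewrite until the list is empty.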