[FIXED] How to configure NGINX correctly as reverse proxy for tine20 docker container (which runs with Apache2)?

Issue

I'm trying to configure nginx as reverse proxy (using an nginx docker container running via network_mode: host) for a tine20 docker container (which uses apache2 as webserver).

I'm using the following reverse proxy configuration:

server {
    listen                    443 ssl http2;
    server_name               ${DOMAIN};

    ssl_certificate           /etc/letsencrypt/live/${PATH}/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/${PATH}/privkey.pem;
    ssl_dhparam               /etc/ssl/dhparams.pem;

    ssl_ciphers               "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;
    add_header                Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header                X-Frame-Options SAMEORIGIN;
    add_header                X-Content-Type-Options nosniff;
    ssl_session_tickets       off;
    ssl_stapling              on;
    ssl_stapling_verify       on;

    root                      /etc/letsencrypt/webrootauth;

    location / {
    proxy_pass              http://${UPSTREAM};
    proxy_set_header        Host $host;
    proxy_set_header        X-Forwarded-For $remote_addr;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_cache             anonymous;
    proxy_buffering         off;
    proxy_http_version      1.1;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection $http_connection;
    }

    location /.well-known/acme-challenge {
    alias                   /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
    location ~ /.well-known/acme-challenge/(.*) {
        add_header            Content-Type application/jose+json;
    }
    }
}

server {
    listen                    80;
    server_name               ${DOMAIN};
    return                    301 https://$server_name$request_uri;
}

Apache inside the tine20 container uses the following configuration:

# Apache and PHP configuration for Tine 2.0
#

# Alias /tine20                      /usr/share/tine20
# Alias /Microsoft-Server-ActiveSync /usr/share/tine20/Microsoft-Server-ActiveSync

# some people prefer a simple URL like http://tine20.example.org
# in this case you also have to disable to Alias lines above
<VirtualHost *:80>
DocumentRoot /usr/share/tine20
ServerName   ${SERVER_NAME}
</VirtualHost>

<Directory /usr/share/tine20>
    Order Allow,Deny
    Allow from all

    DirectoryIndex index.php

    Options +ExecCGI

    <IfModule mod_php5.c>
        Define PHP_MODULE_INSTALLED
    </IfModule>

    <IfModule mod_php7.c>
        Define PHP_MODULE_INSTALLED
    </IfModule>

    <IfDefine PHP_MODULE_INSTALLED>
        php_admin_value max_input_time          120
        php_admin_value include_path            .:/usr/share/tine20:/usr/share/tine20/library:/usr/share/tine20/vendor/zendframework/zendframework1/library:/etc/tine20
        php_admin_value open_basedir            /usr/share/tine20:/var/lib/tine20:/tmp:/usr/share/php:/etc/tine20:/var/log/tine20
        php_admin_value session.gc_maxlifetime  86400
        php_admin_value memory_limit            128M
        php_admin_value upload_max_filesize     20M
        php_admin_value post_max_size           20M

        php_admin_value safe_mode               off
        php_admin_flag  display_errors          off
        php_admin_flag  log_errors              on
        php_admin_flag  magic_quotes_gpc        off
        php_admin_flag  magic_quotes_runtime    off
        php_admin_flag  register_globals        off

        <IfModule mod_headers.c>
            # activate zlib compression and remove content-length header
            # this is necessary because of this php bug: https://bugs.php.net/bug.php?id=44164
            php_admin_flag  zlib.output_compression on
            <FilesMatch "\.php$">
                Header unset Content-Length
            </FilesMatch>
        </IfModule>

        php_value       max_execution_time      90
    </IfDefine>

    <IfModule mod_rewrite.c>
        RewriteEngine on

        # needs to be adopted if tine20 is not in subdir /tine20
        RewriteBase /tine20

        # ActiveSync
        RewriteRule ^Microsoft-Server-ActiveSync index.php?frontend=activesync         [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]

        # OpenID
        RewriteRule ^users/(.*)                  index.php?frontend=openid&username=$1 [L,QSA]

        # WebDAV / CalDAV / CardDAV
        RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
        RewriteRule ^$                           index.php?frontend=webdav             [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]

        RewriteRule ^addressbooks                index.php?frontend=webdav             [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^calendars                   index.php?frontend=webdav             [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^webdav                      index.php?frontend=webdav             [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^principals                  index.php?frontend=webdav             [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^remote.php                  index.php?frontend=webdav             [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]

        # Anonymous downloads
        RewriteRule ^download/get/(.*)           index.php?method=Download.downloadNode&path=$1 [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
        RewriteRule ^download/show/(.*)          index.php?method=Download.displayNode&path=$1  [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]

        # Routing
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php?doRouting=1 [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]
</IfModule>

    <IfModule mod_expires.c>
        ExpiresActive on

        ExpiresByType image/gif              "access plus 1 month"
        ExpiresByType image/jpeg             "access plus 1 month"
        ExpiresByType image/png              "access plus 1 month"
        ExpiresByType text/css               "access plus 1 month"
        ExpiresByType application/javascript "access plus 1 month"
    </IfModule>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/json

        <IfModule mod_headers.c>
            # properly handle requests coming from behind proxies
            Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </IfModule>
</Directory>

Using this configuration I'm running into the following error displayed in the Firefox Developer Console log:

Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure script 'http://localhost/Tinebase/js/fatClient.js-c79fcf9f7cddb7b5e69e-FAT.js'. This request has been blocked; the content must be served over HTTPS. (index):1 Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure script 'http://localhost/index.php?method=Tinebase.getJsTranslations&locale=en&app=all&version=ce92dfccacd6bf202116c419e856ffea17b37604'. This request has been blocked; the content must be served over HTTPS.

To reproduce this error and may experiment with the configurations follow the instructions in this repository.

The problem with this error is, that the tine20 application hosted from the docker container, gets stuck loading forever when accessing the login page (https://localhost/), because the script files get blocked by the browser.

If you copy the requested http urls from the developer console and paste the m into the url bar, the script gets loaded and is also correctly redirected to the https address (via the 301).

Now I don't really understand why the error arises and what to do to get the content correctly loaded.

Solution

Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure script 'http://localhost/Tinebase/js/fatClient.js-c79fcf9f7cddb7b5e69e-FAT.js'. This request has been blocked; the content must be served over HTTPS.

The solution for your problem is in the last bit of the above error message This request has been blocked; the content must be served over HTTPS.

So your are serving some assets over http when the page is being loaded over https and browsers don't allow that for a long time now.

The reason the page stucks is because the asset being blocked by the server *FAT.js must be necessary to render the page.

Fix the source code to load it over the schema the page is being served by using a relative schema, aka without the http(s) bit, just starting as //example.com/path/to/something.

In your specific case change to:

//localhost/Tinebase/js/fatClient.js-c79fcf9f7cddb7b5e69e-FAT.js

This way it will load the resource using the same http schema being used by the page that is loading it.

Repeat this for each resource that throws this message:

This request has been blocked; the content must be served over HTTPS.

Answered By - Exadra37

Answer Checked By - Clifford M. (PHPFixing Volunteer)