Mixed SSL Content Preventing Joomla Installation/Operation with Nginx
Joomla v3.7: Installation & Operation
Firstly, a test of Joomla v3.7.x beta from GitHub as of 30 Dec 2016, appears to indicate that this is not an issue with that version. The version can be installed and operated without further intervention.
This was tested with proxy_set_header X-Forwarded-Proto $scheme;, discussed below, already in place but without the need to set live_site variable in configuration.php.
Joomla v3.6: Installation
If you try to install on a site already secured with SSL and a strict transport policy etc, the installation will fail due to mixed content. This failure is triggered when you press "Next" after filling in the items for Step 1 of 3 for the installation.
Note that this is a silent failure and you will simply find that there is no response after pressing the "Next" button. The only way to know there has been an error, is to check your js console.
To get around this, you will have to do some hacking:
- Around Line 357 in
/Installation/template/js/installation.js,changebaseUrl = _base;tobaseUrl =_base.replace("http://","https://"); - Save and then start the installation.
Remember to clear your browser cache if you had already loaded the installation page before taking this action.
The installation folder is deleted after installation so this one-off hack is trivial.
Joomla v3.6: Operation
Key thing is to remember NOT to set the force_ssl parameter in configuration.php or Global Configuration in the Joomla Admin. The default value of '0' doesn't mean use NONSSL as the wording may suggest, but to maintain the protocol used for the current request. See notes in /libraries/joomla/application/route.php.
A) If using Nginx and FastCGI, such as PHP-FPM:
- In Joomla, set the
live_sitevariable in configuration.php tohttps://example.com/path/to/joomla - In Nginx, set
fastcgi_param HTTPS "on";in the location blockhanding php
B) If using Nginx and proxying PHP to Apache:
(In order of most to least desirable approach)
1. If mod_rpaf is enabled in Apache:
- In configuration.php in Joomla, set the
live_sitevariable tohttps://example.com/path/to/joomla In the location block handing php in Nginx,
- Set
proxy_set_header X-Forwarded-Proto $scheme; - Set
proxy_set_header X-Forwarded-Port $server_port; - Set
proxy_set_header X-Forwarded-HTTPS "on";
Note that there are two versions of mod_rpaf around. The older, original version with a "0.6" version tag is most likely to be found after a web search.
While it works perfectly well for forwarding the Real IP from a reverse proxy, it does not do the other things needed here. The newer, independently developed one, forwards the Real IP, Real Port, and, Real Protocol.
Unfortunately, if installing using a package manager, you will almost certainly get the older version. So download from GitHub and install manually
- Set
2. If mod_setenvif is enabled in Apache:
- In configuration.php in Joomla, set the
live_sitevariable tohttps://example.com/path/to/joomla - In the location block handing php in Nginx, set
proxy_set_header X-Forwarded-Proto $scheme; - In Apache, set
SetEnvIfNoCase X-Forwarded-Proto https HTTPS=onin the relevant htaccess or conf file
3. If neither mod_rpaf nor mod_setenvif is available in Apache:
- In Joomla
- In configuration.php, set the
live_sitevariable tohttps://example.com/path/to/joomla - Around Line 73 in
/libraries/joomla/document/renderer/html/head.php, change$base = $document->getBase();to$base = str_replace("http://", "https://", $document->getBase());
- In configuration.php, set the
In the location block handing php in Nginx, set
proxy_set_header X-Forwarded-Proto $scheme;This involves editing core Joomla files but as the next expected update is v3.7 where this issue appears resolved with the Nginx proxy_set_header directive in place, an upgrade should not result in any issues
References/Sources
I found in "libraries/joomla/uri/uri.php", around line 65 this code:
// Determine if the request was over SSL (HTTPS).if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')){ $https = 's://';}else{ $https = '://';}It looks like that here the application is detecting it's SSL connection and obviously, fails when the server is behind a proxy that handles the SSL connection. For a test, I changed the else to 's://' and restored all other (previous) hacks. The " Mixed Content" issues are solved.However, one extension (OS Membership Pro) is having a strange issue now.
The Joomla Core Developer should look into this, providing a overwrite to force SSL. The "force_ssl" setting in configuration.php is not working as expected.