Mixed content causing ssl issue

Hi,

I have my site set to use ssl. I've done this before on the same site, works fine. Then I deleted that Plone instance for a new instance. Now I get the 'connection not secure' in the browser.

  1. In my hosting site I have the redirect and the .htaccess configured properly (per my host tech support)
  2. Looking at the page content info, it looks like the theme is sending out info on http vs https.

Is there a setting I need to change to fix this?

thanks for any help.

For mixed content you should usually see related messages inside the developer console of your browser.

There is usually nothing to fix on the Plone side unless you are using somewhere hard-coded http:// URLs e.g. referencing external resources like webfonts over http instead of https.

-aj

The theme is calling http. Is that the problem?

Welcome to Plone — LWHSBoosters
  <div id="portal-header">
<a id="portal-logo" title="LWHSBoosters" href="http://lwhsboosters.org">
<img src="http://lwhsboosters.org/logo.png" alt="Plone site" title="Plone site" /></a>

I see http links in the text you provided. It looks like when you load that page into your https browser window, it wants to retrieve/pull in pure http content (see the http URLs/links in the text you pasted). In IExplorer you will get, for example, Mixed content warnings... Change the http links into https and the warning should disappear.

Hi Peter, yes, that is the problem, thanks.

Now, why is plone doing that? I know I had this issue before and figured it out, but can't remember.

I looked in Plone, and from responses here, I'm told there are no Plone settings that would affect this. So, how to get the theme material to be https?

Any ideas.

This is controlled by your rewrite rule. Can you share your proxy configuration?

A very common reason for this is that you use an add-on product that uses JavaScript with a hard-coded http:// URL inside. That JavaScript loads in your browser (IExplorer), and when it is executed IExplorer warns you if you have accessed your Plone via https.

A possible way to track the error is this:
When you visit your website via IExplorer and the Mixed Content error is shown then right-click on the page and choose: Inspect Element
Click on Console and reload the page. You will see which script is causing the error. Maybe that gives a hint for the package "in crime". Remove that package/product and visit the page again.

I had such an error with the EEA Annotator (inline comments) 3.1

Hi @peter and @vangheem

I've had other issues with this site so I've been away from this issue.

I did what peter suggested and I did see errors. One was for the slideshow in portlet, which I removed. Then I saw so many other issues I realized it has to be something else. Note: in addition to products causing issues, it references Plone in general (e.g. Barcelona theme).

I'd appreciate any help. I used to have this site working fine as https, then had to delete the site and started over, then these issues.

  1. here are the errors shown in the console:

DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
File: lwhsboosters.org
HTML1300: Navigation occurred.
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++plone++production/++unique++2016-08-31T18:37:39.751521/default.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++plone++production/++unique++2016-08-31T18:37:39.751521/default.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++resource++collective.z3cform.datagridfield/datagridfield.css?version=2016-01-01%2000%3A00%3A00.000004
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++resource++collective.z3cform.datagridfield/datagridfield.css?version=2016-01-01%2000%3A00%3A00.000004
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++plone++slidertemplates/++unique++2015-10-29%2000%3A00%3A00.000003/slidertemplates-compiled.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++plone++slidertemplates/++unique++2015-10-29%2000%3A00%3A00.000003/slidertemplates-compiled.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++plone++dropdown/++unique++None/webcouturier.dropdownmenu-compiled.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++plone++dropdown/++unique++None/webcouturier.dropdownmenu-compiled.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org//++theme++barceloneta/less/barceloneta-compiled.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org//++theme++barceloneta/less/barceloneta-compiled.css
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++plone++production/++unique++2016-08-31T18:37:39.751521/default.js
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/++resource++collective.z3cform.datagridfield/datagridfield.js?version=2016-01-01%2000%3A00%3A00.000004
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/@@site-logo/lwhs%20school.jpg
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/website-images/images-for-portlet/picture1.jpg/@@images/be770219-78b7-4372-8af9-d33eb33bc02f.jpeg
File: lwhsboosters.org
SEC7111: HTTPS security is compromised by http://lwhsboosters.org/website-images/images-for-portlet/picture2.jpg/@@images/8af2d2a1-f8bd-4261-9019-25b1928eeaa1.jpeg
File: lwhsboosters.org
SCRIPT5009: 'jQuery' is undefined
File: lwhsboosters.org, Line: 286, Column: 872

So what is your point?
The error message is clear because of using mixed content.
You need to check the CORS headers here in order to relax the browser checks.

-aj

@zopyx The issue to me is this is a basic install of Plone using the default theme and I get problems. I assume I am doing something wrong in that I have nearly the same (Plone 5 but not 5.505) on the same host working (site is docentims.com). So I assume I am doing something wrong. I did more investigation:

  1. Based on host docs, I have this rewrite rule:

=======================
Options +FollowSymLinks

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Note: I also tried: ".... %{lwhsboosters.org}% ..." still didn't work

  1. the rewrite works in that: lwhsboosters.org (http) is sent to lwhsboosters.org (https)

  2. I see the problem is that the site is looking for content from the 'http' site
    but I don't know why.

What am I missing??

I assume that the browser is performing the checks before fetching the actual data.
You can rewrite whatever you want when the browser blocks these requests in advance.

-aj

Likely, this is information only.

This message (and its friends) tells you that a page obtained via "https" accesses resources via the "http" protocol and thereby potentially leaks sensitive information. I am not sure whether the browser treats this only as an information/a warning (and nevertheless fetches the page) or as an error (and does not use the resource).

Ideally, resources should be accessed via host relative urls (i.e. starting with "/") or via urls generated on access of the page (thereby using the same protocol as the page itself). Looks like this was not the case for you. Manual error, caching or a form of compilation (e.g. bundling) might be responsible for those kinds of errors. I would look at the html source of your page and try to get hints what component generated the url and then look at the corresponding source[s] to determine where to intervene.
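The check suggested in the post above, looking through the HTML source for absolute http:// references, can be scripted. This is an added example, not part of the thread or of Plone: the sample markup is constructed from the snippet and console URLs quoted earlier plus one hypothetical relative script path, and the active/passive labels reflect that browsers block mixed scripts and stylesheets while mixed images have historically only triggered a warning.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, kind). "active" loads are blocked on an HTTPS page,
# "passive" loads historically only warn. <a href> is navigation: not listed.
SUBRESOURCES = {
    "script": ("src", "active"), "link": ("href", "active"),
    "iframe": ("src", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"), "video": ("src", "passive"),
}

# Constructed sample: markup and URLs quoted in the thread, plus one
# hypothetical host-relative script for contrast.
SAMPLE = """
<link rel="stylesheet" href="http://lwhsboosters.org//++theme++barceloneta/less/barceloneta-compiled.css">
<script src="http://lwhsboosters.org/++plone++production/++unique++2016-08-31T18:37:39.751521/default.js"></script>
<script src="/++resource++example/relative.js"></script>
<a id="portal-logo" title="LWHSBoosters" href="http://lwhsboosters.org">
<img src="http://lwhsboosters.org/logo.png" alt="Plone site" title="Plone site" /></a>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        values = dict(attrs)
        rel = (values.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        # Resolve "/path" and "//host/path" against the page, as a browser does.
        url = urljoin(self.page_url, values.get(attr) or "")
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(html, page_url):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE, "https://lwhsboosters.org/"):
        print(f"{kind:8} <{tag}> {url}")
```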

@dieter
thanks for the help.

I understand what you are saying, especially in the second paragraph: "Ideally, resources should be accessed.." Per your explanation, this would ensure that everything on the https page was referenced using https. Makes sense.

Here is what confuses me: this is a simple, no changes Plone installation using the default theme. Also, I have another site (docentims.com) that has the same setup (using Plone 5.0.2 vs. Plone 5.0.5 on this problem site) and it works fine, without any of the changes discussed here. How can this be? How can an OOTB Plone installation have these issues on one installation and not on the other??

Some more details: the SSL cert is installed properly (the cert owner name and details are correct). Also, the site does not load properly because of this issue. Finally, if you take the option of ignoring this issue for a one time thing, the page sort of loads. However, trying to login gets a "There was an error loading modal." pop up error.

Any thoughts on this new information??

When I have had the modal error, changing the theme to another (or nothing) and then back works.
I don't think it has anything to do with the rest, but maybe worth a try.

Did you 'use' the site with http before? (cached, maybe?)

I don't know rewriting rules too well, but I have a working one with apache like this:
RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/www.mysite.com:443/plonesite/VirtualHostRoot/$1 [P,L]

I do not know.

As you are using different Plone versions for the two sites, a bug might have slipped in: I can imagine that the Plone tests are not complete for "HTTPS" access.

Caching or a form of compilation (e.g. bundling) might be the cause. In this case, the result would depend on the protocol used in the initial access/for the compilation - which might have been "https" in the working site and "http" in the other.

you're missing a second rewrite for the virtual host definition as stated in the documentation; something like this:

RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [P,L]

rewrite is a two-way process and your original rule is only rewriting after you visit the site: let's say your page contains an internal resource at http://lwhsboosters.org/++plone++production/++unique++2016-08-31T18:37:39.751521/default.css; then you need to guarantee that anybody asking for that resource will use HTTPS instead of HTTP; that's what you get with the rule you had.

with the rule I pasted above, Apache will rewrite all links that point to http://lwhsboosters.org to https://lwhsboosters.org before sending that page to the client, so the security warnings will never show up.

BTW, you should try nginx unless you have a good reason to use good-old Apache.

more information here:
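What the VirtualHostBase segment in the rule quoted above tells Zope about the scheme and host to put into generated URLs, as an added example (not code from the thread, Apache or Zope). `interpret_vhm` is a simplified model of Zope's VirtualHostMonster, the `Plone` site id and host come from the thread, and the http/port-80 variant is constructed for contrast.

```python
DEFAULT_PORTS = {"http": "80", "https": "443"}

def backend_path(request_path, host, scheme, port, site="Plone"):
    """Path produced by a rule shaped like the one quoted above:
    /VirtualHostBase/<scheme>/<host>:<port>/<site>/VirtualHostRoot/$1"""
    rest = request_path.lstrip("/")
    return f"/VirtualHostBase/{scheme}/{host}:{port}/{site}/VirtualHostRoot/{rest}"

def interpret_vhm(path):
    """Return (URL the site will generate, object path traversed in Zope).
    Simplified model: _vh_ prefix segments are not handled."""
    parts = path.split("/")
    if len(parts) < 5 or parts[1] != "VirtualHostBase" or "VirtualHostRoot" not in parts:
        raise ValueError("no VirtualHostBase/VirtualHostRoot markers in path")
    scheme, hostport = parts[2], parts[3]
    root = parts.index("VirtualHostRoot")
    host, _, port = hostport.partition(":")
    # The port is left out of generated URLs when it is the scheme's default.
    netloc = host if port in ("", DEFAULT_PORTS.get(scheme)) else hostport
    rest = parts[root + 1:]
    public_url = f"{scheme}://{netloc}/" + "/".join(rest)
    traversed = "/" + "/".join(parts[4:root] + rest)
    return public_url, traversed

if __name__ == "__main__":
    # Same request, two proxy rules: only the scheme/port segment differs.
    for scheme, port in (("https", "443"), ("http", "80")):
        path = backend_path("/logo.png", "lwhsboosters.org", scheme, port)
        print(path, "->", interpret_vhm(path))
```

The second case yields the `http://lwhsboosters.org/logo.png` form that a browser on an HTTPS page reports as mixed content.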