PLONE 4 transition to ssl site creates problems with internal document/image selection in a page dexterity type

Plone Support
,
1

PLONE version 4.3.18
A transition to ssl enabled site creates problems with internal document/image selection in a page dexterity type.

Hi, I have a multilingual site zelem.org.il in Plone 4.3.8 and wish to keep it that version .

after a transition to SSL SERTIFICATE SECURED site a problem arised in selection of internal LINKS / ITEMS such as documents AND IMAGES. SELECTION OF UPLOADS & LINKS TO THIS PAGE AS SHOWN ON VIDEO IS IMPOSSIBLE ??????

Created a testing site especially for that purpose:

This is video to show the problem in a testing site

My hosting provider doesnt really understands why this happens except that it could be related switching to SSL on plone

2

Hi, thanks for posting your question here. What do you mean by a transition to SSL? How was that done?

3

Hello, thanks for reply.
IT WAS DONE BY HOSTING PROVIDER, by installing a security setificate, that I purchased from them.

4

Please, open the browser developer console and check for errors.
Check if there are "mixed http and https content" errors, this will stop javascript execution.

5

Can you check your webserver config? Perhaps a wrong redirect rule to your Plone Instance .

6

When you set up SSL, you also have to adjust the web server configuration so it rewrites incoming https requests. It sounds like that might be the problem. Could you share the nginx or Apache configuration here?

7

The main site is https://www.zelem.org.il
and the problem is Zope instance wide.
and yes there are errors in inspection of the site.
such as:

resourceplone.app.jquery-cachekey-3c17197956834d4754ba29a64edc6069.js:14 Mixed Content: The page at 'https://zelem.org.il//My/TEST1Site/en/selection-of-uploads-to-this-page-is-impossible/edit' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://zelem.org.il//My/TEST1Site/en/mylittleponyPrincessCelestiaroyal4001089.jpg/tinymce-jsondetails'. This request has been blocked; the content must be served over HTTPS.
send @

8

I dont think if I have an option to view nginx configuration but
here

htaccess.txt :

#<Files ~ (\.php)>
#    Options +FollowSymLinks
#</Files>
Access-Control-Allow-Origin: *
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

DirectoryIndex Zland front-page 
RewriteEngine On
#RewriteRule ^(.*)$ https://127.0.0.1:15045/VirtualHostBase/https/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]
RewriteRule ^(.*)$ https://127.0.0.1:15045/VirtualHostBase/https/%{HTTP_HOST}:80/ZeLem/VirtualHostRoot/$1 [L,P]

#RedirectRule / https://www.zelem.org.il/
#RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule !^/Zland(/?|/.+)$ /Zland%{REQUEST_URI} [L]

on top of that there is A TINYMICE PROBLEM not showing it`s TOOLBAR ,and green bar menus open a new page instead of dropping submenus

No Sub-Menus at green plone bar - as part of the larger problem began with turning SSL 'ON'

9

I would replace the first https (https://127.0.0.1) with http. I don't think you've zope answering in https. Then you've also to change 80 to 443 in https/%{HTTP_HOST}:80

10

change port to 443

RewriteRule ^(.)$ http://127.0.0.1:15045/VirtualHostBase/https/%{HTTPS_HOST}:443/ZeLem/VirtualHostRoot/$1 [L,P]
1 Like
11

THEY USE NGINX FOR REDIRECTING. Where is the configuration file located?
Also 15045 is an additional port, not the main .

12

in /etc/nginx/sites-available or as a symlink in /etc/nginx/sites-enabled

https://4.docs.plone.org/manage/deploying/front-end/nginx.html

13

Where did you get the configuration file you shared above? (also curious: it shouldn't be called htaccess.txt)

How was this set up in the first place?

14

SORRY I just called it wrong. It is here: ~/www/zelem.org.il/.htaccess
at ISPmanager panel

15

Hi, looks like somewhat different story here, here is the 'etc' directory of the shared hosting virtual space: (CAN YOU SUGGEST WHERE IS NGINX conffiguration ???)
-bash-4.2$
-bash-4.2$ cd /
-bash-4.2$ ls
bin dev etc home lib lib64 opt proc root run sbin tmp usr var
-bash-4.2$ cd etc
-bash-4.2$ ls
DIR_COLORS cl.php.d inputrc nsswitch.conf resolv.conf ssh
DIR_COLORS.256color cl.python ld.so.cache odbcinst.ini rpc ssl
DIR_COLORS.lightbgcolor cl.selector ld.so.conf openldap rpm sysconfig
ImageMagick-6 default ld.so.conf.d pam.d rsyncd.conf trusted-key.key
aliases environment localtime passwd sasl2 vimrc
aliases.db fonts mail php.d scl virc
alternatives gcrypt mail.rc php.ini screenrc webalizer
at.deny ghostscript mailcap pki security webanalyzer.d
awstats group mc postfix services wgetrc
bash_completion.d host.conf mime.types profile shadow
bashrc hosts my.cnf profile.d skel
cl.nodejs httpd my.cnf.d protocols snmp
-bash-4.2$

I CAN'T FIND THE "nginx/sites-available" anywhere even by : find / -type d -iname "sites-available" -ls
unfortunatly lots of the directories are protected

-bash-4.2$ cat /proc/version
Linux version 3.10.0-962.3.2.lve1.5.64.el7.x86_64 (mockbuild@192-168-246-187.atm.cloudlinux.
com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Wed Dec 8 10:23:00 UTC 20
21

ANY STRONG THOUGHTS???

16

It might not be nginx; it might be Apache and it looks that way, according to this Apache mod_rewrite Introduction - Apache HTTP Server Version 2.4 (that explains why your rewrite rules are in a .htaccess file and not in the "normal" place we would expect, which would be something like /etc/httpd/httpd.conf

This page explains how to configure Apache to serve Plone: Apache — Plone Documentation v4.3

At the very end of that section, it explains what you need to change to serve using SSL (https):

modify the rewrite rule from:

RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/yoursite.com:80/Plone/VirtualHostRoot/$1 [P,L]

to:

RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/yoursite.com:443/Plone/VirtualHostRoot/$1 [P,L]

inside an SSL-enabled Apache virtual host definition.

In that example, 8080 is the port that Plone listens on, so it looks like in your case that would be 15045. In the example, yoursite.com is what you have as %{HTTP_HOST}. In your file though you should not have :80 but :443

17

By My request hosting provider could do nothing but suggest turning off browser blocking insecure content, and I get this unselectables for uploaded content, and only EXISTING pages are selectable . From the screenshot we can see an existing-WORKING SSL sertificate but also ERRORS on a mixed content that my browser is TRYING TO ALLOW :
Which means the company is not doing its job for applying RIGHT SETTINGS for SSL.
IS IT?
Please Please help me do that

MixedContentUnselectable2023-11-23
MixedContentUnselectable2023-11-231362×760 177 KB

insecureMixedContent2023-11-21
insecureMixedContent2023-11-211366×755 168 KB

18

In the last screenshot you can see that some requests are redirected from https://zelem.org.il:15046 to http://zelem.org.il:15045
as @yurj commented, I suggest you changing this rewrite rule from

RewriteRule ^(.*)$ https://127.0.0.1:15045/VirtualHostBase/https/%{HTTP_HOST}:80/ZeLem/VirtualHostRoot/$1 [L,P]

to

RewriteRule ^(.*)$ http://127.0.0.1:15045/VirtualHostBase/https/%{HTTP_HOST}:443/ZeLem/VirtualHostRoot/$1 [L,P]

take note of changes in the https://127.0.xxx to http..

You also can tell to your hosting supplier about the unsecure redirection.

Rafa

19

earlier I tested what T. Kim Nguyen suggested to do .

and the problem continues probably because it is nginx not apachee that they use

It is:

:I changed to this:

#<Files ~ (.php)>

Options +FollowSymLinks

#
Access-Control-Allow-Origin: *
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

DirectoryIndex Zland front-page
RewriteEngine On
#RewriteRule ^(.)$ http://127.0.0.1:15045/VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [L,P]
RewriteRule ^(.)$ http://127.0.0.1:15045/VirtualHostBase/https/%{HTTP_HOST}:443/ZeLem/VirtualHostRoot/$1 [L,P]

#RedirectRule / https://www.zelem.org.il/
#RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule !^/Zland(/?|/.+)$ /Zland%{REQUEST_URI} [L]

And The screens:

Plone is up and runnig (in TEXT MODE)
You have multiple Plone sites:
The Messianic Witness Fellowship (ZeLemu)
(ZeLem)
Site (Plone1)
Zope Management Interface — low-level technical configuration.

plone.org

https://zelem.org.il:15045/manage_main

This site can’t provide a secure connection zelem.org.il sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

After my begging to fix all this they did redirect from15045 to 15046 and set up SSL ON 15046 FOR CONSOLE ACCESS. And main site for anonimouus users is just the domain zelem.org.il
And at the testing site the problem stays the same:

as shown on that video in google drive and the FRESH screenshots AS IT IS WORKING BUT WITH ERORS if browser allows insecure content.