XF 1.3 SSL HTTPS Issues - Broken CSS

Wesker

Well-known member
We're really stuck here on how to resolve this. We recently migrated to a new server. We have SSL installed correctly. Switching themes doesn't resolve the issue. However, this is what our site looks like in https://

kay29.gif


Any suggestions?
 
Okay working on this now as traffic has dropped significantly.

Indeed, we faced similar issues.. You must adjust the board to https too, not just http.;

https://your-site/admin.php?options/list/basicBoard
Board URL - httpS://your-domain.com/

That needs to be your full URL I would say with https

https://yoursite.com

When I make the change here, nothing happens. Same issue.

Try adding this
PHP:
$_SERVER["HTTPS"] = "on";
to config.php after
PHP:
<?php

This fixes the issue but breaks the ability to post and possibly more issues. Is there additional code I can add to config.php to fix this issue? I see @MattW also had problems with this similar to mine before: https://xenforo.com/community/threads/check-_server-in-config-php.61575/
 
What error are you getting exactly? Do you see any messages in browser console?

No server error logs. Nothing in browser console I know of. Will recheck though.

Basically it's deadlocked. Doesn't process the query. Similar to mySQL lock. Strange thing is it only happens when I POST, not creating a new topic.
 
We inspected and fixed this issue for @Wesker. These were the components involved in his server setup:
  • Cloudflare
  • Nginx
  • Apache
For the sake of understanding, I'm going to skip cloudflare part in this thread and will surely write detail solution in another thread soon but the rest of the details are provided below:

The problem:
Nginx is being used as reverse proxy to apache on this server. So with every request Apache was depended on Nginx to get header information. Most of the headers were doing pretty good but specifically "HTTPS" header was not being transferred properly to Apache.

This was going to be very simple thing to solve or do if we just want to use one protocol (secure or non-secure) but in current case both protocols were required to work properly.

Solution:
If you're involved in this kind of server setup, you might know that non-static file requests from NGINX server transferred back to Apache using proxy_pass.

Code:
proxy_pass http://127.0.0.1:8000

While Apache got different ports for simple & https requests e.g: 8000 & 8001 respectively the problematic NGINX config was sending all requests to non-secure port. That deceived Apache to think that all incoming requests are coming over non-secure protocol. So rather then using single Server block in nginx configuration for both SSL & non-SSL requests we simply separated those config blocks and resolved them on right ports.

server {
listen 80;
listen 443 ssl;

server_name mydomain.com www.mydomain.com;
ssl on;
ssl_certificate /etc/ssl/sslname/SSL.crt;
ssl_certificate_key /etc/ssl/sslname/ca.key;

proxy_pass http://127.0.0.1:8000/;
}

server {
listen 80;
server_name mydomain.com www.mydomain.com;
proxy_pass http://127.0.0.1:8080/;
}

server {
listen 443;
server_name mydomain.com www.mydomain.com;

ssl on;
ssl_certificate /etc/ssl/sslname/SSL.crt;
ssl_certificate_key /etc/ssl/sslname/ca.key;

proxy_pass https://127.0.0.1:8081/;

}

Now when request reach to Apache web server it can easily identify between http and non-https requests.

Based on above things here is answer to 2 different situations and problems those were raised in this thread:

1- CSS (& JS) were broken?
Yes, it was simply broken because https requests were never reaching apache from nginx and HTTPS server header was set to NULL, it deceived XF to show non-secure content (without https) even with https request URL.

2- Things seems to be working with $_SERVER['HTTPS'] but some functionality was not broken i.e conversations
I think this problem is what forced me to write this post. I seen that there are many threads recommending users to use $_SERVER['HTTPS'] in config file which is not a proper solution and should be avoided where possible

Anyway, once this variable was placed in config file the XF was always told to load secure url content even if the requested protocol was non-secure url. So even if you load forum without https, it loads secure url for static files because its forced to do so.

This raised Cross-Domain Request (CORS) warnings for doing ajax requests.

Conclusion:
This applies to all proxy based setups and I think if you just make sure the right request and information is reaching at right place the things should be working as expected.
 
Last edited:
Top Bottom