We're really stuck here on how to resolve this. We recently migrated to a new server. We have SSL installed correctly. Switching themes doesn't resolve the issue. However, this is what our site looks like in https://
Okay to clarify it broke the ability to create and send conversation responses, however it allows you to post and create thread conversations and post replies.
We inspected and fixed this issue for @Wesker. These were the components involved in his server setup:
Cloudflare
Nginx
Apache
For the sake of understanding, I'm going to skip cloudflare part in this thread and will surely write detail solution in another thread soon but the rest of the details are provided below:
The problem:
Nginx is being used as reverse proxy to apache on this server. So with every request Apache was depended on Nginx to get header information. Most of the headers were doing pretty good but specifically "HTTPS" header was not being transferred properly to Apache.
This was going to be very simple thing to solve or do if we just want to use one protocol (secure or non-secure) but in current case both protocols were required to work properly.
Solution:
If you're involved in this kind of server setup, you might know that non-static file requests from NGINX server transferred back to Apache using proxy_pass.
Code:
proxy_pass http://127.0.0.1:8000
While Apache got different ports for simple & https requests e.g: 8000 & 8001 respectively the problematic NGINX config was sending all requests to non-secure port. That deceived Apache to think that all incoming requests are coming over non-secure protocol. So rather then using single Server block in nginx configuration for both SSL & non-SSL requests we simply separated those config blocks and resolved them on right ports.
Now when request reach to Apache web server it can easily identify between http and non-https requests.
Based on above things here is answer to 2 different situations and problems those were raised in this thread:
1- CSS (& JS) were broken?
Yes, it was simply broken because https requests were never reaching apache from nginx and HTTPS server header was set to NULL, it deceived XF to show non-secure content (without https) even with https request URL.
2- Things seems to be working with $_SERVER['HTTPS'] but some functionality was not broken i.e conversations
I think this problem is what forced me to write this post. I seen that there are many threads recommending users to use $_SERVER['HTTPS'] in config file which is not a proper solution and should be avoided where possible
Anyway, once this variable was placed in config file the XF was always told to load secure url content even if the requested protocol was non-secure url. So even if you load forum without https, it loads secure url for static files because its forced to do so.
This raised Cross-Domain Request (CORS) warnings for doing ajax requests.
Conclusion:
This applies to all proxy based setups and I think if you just make sure the right request and information is reaching at right place the things should be working as expected.