Php – SSL with HAProxy

haproxyjoomlaPHPreverse-proxyssl

Having a strange problem with Haproxy. I'm using it to frontend SSL connections to a few Joomla sites and the sites don't appear to be picking up on the https front end which is leading to javascript errors.

The relevant sections in my haproxy config:

frontend http-in
    bind *:80
acl is_abc hdr_end(host) -i abc.com

use_backend abc if is_abc

frontend https-in
bind :443 ssl crt certificate.pem crt /var/certs/servers
reqadd Front-End-Https:\ On
reqadd X-Forwarded-Proto:\ https
acl is_abc hdr_end(host) -i abc.com

use_backend abc if is_abc

backend abc
    server server1 127.0.0.1:3005 maxconn 256

The errors:

[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?widgetkit-78a9e32a-f1c60388.css.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/modules/mod_improved_ajax_login/cache/104/4d0e5494cd3301a33bf43f728df81fa4.css.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?jquery.min-76ad7381.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?jquery-noconflict-34838beb.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?widgetkit-2dd271e3-966774a7.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?mootools-core-9fef18a6.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?core-aac38065.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?mootools-more-02252ddc.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?template-b04b0958.css.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?template-2188c767.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/templates/yoo_showroom/warp/js/search.js.
 /:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?widgetkit-78a9e32a-f1c60388.css.
 abc.com:16
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/modules/mod_improved_ajax_login/cache/104/4d0e5494cd3301a33bf43f728df81fa4.css.
 abc.com:17
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?jquery.min-76ad7381.js.
 abc.com:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?jquery-noconflict-34838beb.js.
 abc.com:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?widgetkit-2dd271e3-966774a7.js.
 abc.com:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?mootools-core-9fef18a6.js.
 abc.com:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?core-aac38065.js.
 abc.com:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?mootools-more-02252ddc.js.
 abc.com:1
Uncaught TypeError: Object [object global] has no method 'addEvent' abc.com:25
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?template-b04b0958.css.
 abc.com:39
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/cache/template/gzip.php?template-2188c767.js.
 abc.com:1
[blocked] The page at https//abc.com/ ran insecure content from http//abc.com/templates/yoo_showroom/warp/js/search.js.
 abc.com:1
Uncaught ReferenceError: jQuery is not defined abc.com:68
The page at https//abc.com/ displayed insecure content from http//abc.com/modules/mod_improved_ajax_login/themes/elegant/images/arrow.png.
 abc.com:84
The page at https//abc.com/ displayed insecure content from http//abc.com/modules/mod_improved_ajax_login/themes/elegant/images/arrow.png.
 abc.com:89
The page at https//abc.com/ displayed insecure content from http//abc.com/modules/mod_improved_ajax_login/themes/elegant/images/x.png.
 abc.com:100
The page at https//abc.com/ displayed insecure content from http//abc.com/modules/mod_improved_ajax_login/themes/elegant/images/refresh.png.
 abc.com:183
The page at https//abc.com/ displayed insecure content from http//abc.com/images/yootheme/demo/slideshow/slide1.jpg.
 abc.com:229
The page at https//abc.com/ displayed insecure content from http//abc.com/cache/widgetkit/gallery/19/R0010073-1e7e167369.jpg.

Best Answer

after taking a look at the headers being passed to the application and then finding the joomla library that deals with them, the following fix worked.

Added a check for the 'Front-End-Https' request header in the libraries/joomla/uri/uri.php file:

changed:

                            if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off'))
                            {
                                    $https = 's://';
                            }
                            else
                            {
                                    $https = '://';
                            }

to:

                            if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off'))
                            {
                                    $https = 's://';
                            }
                            elseif (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && !empty($_SERVER['HTTP_FRONT_END_HTTPS']) && (strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on'))

                            {

                                    $https = 's://';
                            }
                            else
                            {
                                    $https = '://';
                            }

Related Solutions

Nginx – Nginx and PHP-FPM 403 Forbidden

I'm going to presume you've given enough information and not left out anything important in the nginx configuration information you chose not to share.

With that caveat in mind...

It appears that you are passing everything under /extras/ to PHP, including requests for static data. This is rightly being denied, as it means a malicious PHP script uploaded with a .jpg extension (for instance) will not be executed as PHP.

To resolve this issue, you need to pass only requests for PHP scripts under /extras/ to PHP.

location ~ /extras/.*\.php$ {

If you need to handle static files under that directory specially, then you can make a location block for them. (You probably should do this, since you seem to be passing everything else to Django...)

location /extras/ { }

Another issue you have which is probably causing you grief is that your server block does not have a valid root defined. This is one of the most common nginx misconfigurations. It should be something like:

root /var/www/my_server;

(Which also means you should not define redundant roots in every single location.)

Nginx wordpress ssl mixed content

You need to move your Wordpress site entirely to SSL otherwise you'll keep getting these messages. Wordpress and plugins simply use the URL you set in the configuration, which is why the mixed protocols message. Simply redirect from http to https

# Redirect all variations to https://www domain
server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://www.example.com$request_uri;
}

Your SSL config looks strange. Where you say

server_name mysite.co.uk www.mysite.co.uk;
listen 81.4.121.xxx:443 ssl;
ssl on;

I would use

server_name mysite.co.uk www.mysite.co.uk;
listen 443 ssl http2; # NB http2 requires a recent version of nginx

# Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

# This is a cache for SSL connections
ssl_session_cache shared:SSL:2m;
ssl_session_timeout 60m;

Best Answer

Related Solutions

Nginx – Nginx and PHP-FPM 403 Forbidden

Nginx wordpress ssl mixed content

Related Topic