SSL and app cache problem about docker-mautic HOT 14 CLOSED

mautic avatar mautic commented on August 17, 2024
SSL and app cache problem

from docker-mautic.

Comments (14)

ka4a avatar ka4a commented on August 17, 2024 4

Adding this in index.php solves this issue:
$_SERVER['HTTPS'] = 'on';

lvnilesh avatar lvnilesh commented on August 17, 2024 3

I ran into similar problems and have narrowed down the issue to this:

No issue if I keep it like this.

cat app/config/local.php |grep site
'site_url' => 'http://domain.com',

301 redirect loop if I edit config like this.

cat app/config/local.php |grep site
'site_url' => 'https://domain.com',

spatialy avatar spatialy commented on August 17, 2024 1

Sorry for reopening this, but has anyone resolved the issue?
We run behind a firewall/load balancer that handles the HTTPS request and sends it to the container, but we need to configure Mautic to recognize the HTTPS termination.

Any help is appreciated.

best

Gregy avatar Gregy commented on August 17, 2024

Hello,
please look at mautic ssl configuration example in this repository. Especially at the nginx configuration file: https://github.com/mautic/docker-mautic/blob/master/examples/mautic-example-nginx-ssl/nginx.conf

Try to update your configuration to match it. If it doesn't help please post your nginx config.

mko-x avatar mko-x commented on August 17, 2024

Hi Gregy,
thank you for your very fast reply.

Thank you for the tip with the example, I had a look. I'm using a dynamic generation of the nginx.conf like https://github.com/jwilder/nginx-proxy.

So the nginx.conf looks like this:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    server_names_hash_bucket_size 128;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
daemon off;

And the default.conf used for mautic looks like this:

map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	listen 80;
	access_log /var/log/nginx/access.log vhost;
	return 503;
}

upstream sub.domain.org {
			server 172.19.0.13:80;
}
server {
	server_name sub.domain.org;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	return 301 https://$host$request_uri;
}
server {
	server_name sub.domain.org;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_certificate /etc/nginx/certs/cnfg.io.crt;
	ssl_certificate_key /etc/nginx/certs/cnfg.io.key;
	add_header Strict-Transport-Security "max-age=31536000";
	location / {
		proxy_pass http://sub.domain.org;
	}
}

Maybe Mautic Apache expects the traffic to be via https/443 if using SSL. At the moment it is reaching it at standard http port 80.

Thank you very much in advance.

Gregy avatar Gregy commented on August 17, 2024

As I said. Read the example configuration file. I think you are missing some directives in yours.

gauravarora avatar gauravarora commented on August 17, 2024

@mko-x did you ever find a fix for your problem? I have the exact same issue as you.

mko-x avatar mko-x commented on August 17, 2024

Hi @gauravarora,

first - regretfully: No.

Depending on your needs, you should have a look at alternatives to the actually great Mautic at this point.
I tried to create a fork and update the link generation to create protocol-independent links, but this was not easily possible. As I work for a big company and explored Mautic as a Salesforce alternative, I have no time for fixing bugs like this.

So I was not able to use Mautic behind an SSL reverse proxy in a cluster without proper custom modification of the delivery with nginx out of the box.

Looks like there is no interest in fixing this bug.

If you ever find a fix or have any updates please contact me.

Gregy avatar Gregy commented on August 17, 2024

As I said before. This is not a bug. Your reverse proxy configuration lacked the required directives (proxy_redirect). @gauravarora This scenario (mautic behind nginx ssl proxy) works fine if you use the example nginx configuration file.

mko-x avatar mko-x commented on August 17, 2024

I'm just saying that Mautic form link generation results in different types of links: hardcoded protocol links (http://) and protocol-independent ones (//). That is inconsistent, and it would work like a charm if it were consistent, without nginx config modifications. Not everybody can easily modify the configuration there.

ChildLearningClub avatar ChildLearningClub commented on August 17, 2024

I don’t know if this helps with your situation, but I just fixed it for mine:

#7

Running Docker Mautic behind a reverse proxy needed the trusted proxies otherwise you get the avatar.png coming up as insecure.

ChildLearningClub avatar ChildLearningClub commented on August 17, 2024

Okay, turns out that actually didn’t fix it for me :( It only looked like it had worked because the avatar.png had not loaded after I had changed those things, but reverted back.
But there is definitely something wrong with the avatar setup. I had Mautic set up not on Docker but on the system, and in that case had other issues where the avatar wouldn’t load at all, but had a solid https green lock.

ChildLearningClub avatar ChildLearningClub commented on August 17, 2024

Turns out that unless you create an account with WordPress and create a Gravatar, which when you put in your email as admin to link it, you will be stuck with Mautic importing the http avatar image from the files, causing the website to complain that not all things on the page are https. Thought this was related to this thread, but turns out it isn’t.

aspiers avatar aspiers commented on August 17, 2024

@ka4a commented on June 7, 2019 1:48 PM:

Adding this in index.php solves this issue:
$_SERVER['HTTPS'] = 'on';

Interesting - it has been suggested that this kind of approach can also fix mautic/mautic#7577.

from docker-mautic.
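
The one-line workaround quoted in this thread marks every request as HTTPS, including any that reach the container over plain HTTP. As an added example (not Mautic's or docker-mautic's code), here is a narrower version that sets the flag only when a trusted proxy reports https in X-Forwarded-Proto, the header the nginx config posted earlier already sends. The 172.19.0.0/16 range and the function names are assumptions.

```php
<?php
// Added example, not Mautic's or docker-mautic's code.
// Assumption: the TLS-terminating proxy reaches this container from
// 172.19.0.0/16 (a constructed value; use your own Docker network range).
const TRUSTED_PROXY_CIDRS = ['172.19.0.0/16'];

// True when $ip (IPv4) falls inside $cidr, e.g. "172.19.0.0/16".
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input or IPv6: treat as untrusted
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Decide whether the original client connection used TLS.
function request_is_https(array $server, array $trustedCidrs): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true; // TLS was terminated in this container itself
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedCidrs as $cidr) {
        if (ipv4_in_cidr($peer, $cidr)) {
            // Only a trusted proxy's header counts: any client can send
            // X-Forwarded-Proto, so it is ignored for every other peer.
            $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
            return $proto === 'https';
        }
    }
    return false;
}

// Early in index.php, in place of the unconditional assignment.
if (PHP_SAPI !== 'cli' && request_is_https($_SERVER, TRUSTED_PROXY_CIDRS)) {
    $_SERVER['HTTPS'] = 'on';
}
```

The check relies on REMOTE_ADDR being the proxy's address as seen by PHP, so it must run before any code that rewrites REMOTE_ADDR from X-Forwarded-For or X-Real-IP.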
