Page MenuHomePhabricator

Insecure stylesheets and scripts loaded over secure connection
Closed, ResolvedPublic

Description

System is Debian 8 with standard versions of NGINX, php5-fpm, MariaDB.

phabricator 8af29f2df1a176a6f597a4ac14a4b6ca40efbe66 (Thu, Sep 29)
arcanist 483e985d08d279816708a9e755de8e5c3586d3ba (Wed, Sep 21)
phutil 19ef6e504d2679b242b9e895868dd803983b622a (Thu, Sep 29)

I installed over a secure connection (with a Let's Encrypt certificate).
Other sites on the same server are working fine, so I don't think it is relevant, but we have a 1:1 NAT configuration (we are reachable on a public IP (that I used to install), but our VPS sees a private IP on its NIC).

Upon finishing the installation (Welcome to Phabricator), I was notified of the following insecure resources being loaded:
/res/defaultX/phabricator/55d32e63/core.pkg.css
/res/defaultX/phabricator/9402e1af/conpherence.pkg.css
/res/defaultX/phabricator/3010e992/rsrc/externals/javelin/core/init.js
/res/defaultX/phabricator/32939240/core.pkg.js

Accepting to load those over plain HTTP, I created the admin user and was shown this warning on the homepage (and all subsequent pages):

Phabricator thinks you are using HTTP, but your client is conviced that it is using HTTPS. This is a serious misconfiguration with subtle, but significant, consequences. See Documentation

I can't make anything of that linked documentation, right now (it's late here). Any leads? TIA

Event Timeline

born2webdesign renamed this task from Insecure stylesheets and scripts loaded over secure connection (at least on install) to Insecure stylesheets and scripts loaded over secure connection.Sep 30 2016, 1:26 AM
born2webdesign created this task.

You got linked to https://secure.phabricator.com/book/phabricator/article/configuring_preamble/, right?

Did you read the section of that page titled "Adjusting SSL"?

@chad Yes, it ist ;)
@asherkin Thanks, yes that is the doc I was linked to, and indeed, putting the following in the preamble solved it:

$_SERVER['HTTPS'] = true;

Sorry, I said it was late ;)
However, I don't consider this a special installation (and other apps on the server don't show such behaviour), so I find it kind of "interesting" that I have to resort to such measures?
Thanks

@born2webdesign Unfortunately nothing about this ticket says "bug report", as in I see nothing about an issue with Phabricator that can be resolved by the upstream. Installation in unique environments can be tricky, but we expect you to resolve these issues on your own or use Ponder here to ask for help from the community. What you're asking falls outside of what we classify as "free support".

chad claimed this task.

Sounds like everything resolved as expected though!