Discourse not aware of SSL termination (mixed content)

Site is at https://forum.practical-pl.org.

If you go there now, you will get a “mixed content” warning from your browser. That’s because the docker is listening on a Unix domain socket, and an NGINX front end is redirecting traffic to it. This redirection also includes the SSL termination (i.e., the certificates are installed at the reverse proxy, not the Discourse client itself).

As a result, any absolute URL that Discourse generates is an HTTP URL rather than HTTPS. Most notably, this includes the site’s icons and the activation links sent to new users.

How do I tell Discourse to generate HTTPS links?

Thank you,
Shachar

The force_https setting will fix this; it’s mandatory in any scenario where HTTPS is being used.

4 Likes

Except, as far as I can tell, it is on, and the problem persists.

Do I need to regenerate the docker after setting it?

Can you elaborate on this?

I found it after finishing installation (technically, the installation directed me to turn it on). Turned it on.

The test email I send does, indeed, now have an HTTPS address, but merely navigating to the site still shows the site icons as HTTP, and thus the mixed content warning still shows.

Now, this might be because I did not update the icons, but I don’t have icons to put there just yet. Even so, I don’t understand why it should be like that.

Also, I tried turning it off and on again (ha!), but that didn’t solve the problem either.

Try re-uploading an icon/logo which currently reports as insecure.

4 Likes

Yes, I just uploaded the same icon it uses right now (the default Discourse icon), and the problem is now resolved.

Thank you, though if I might make a suggestion, the page on how to install really should be updated. It should mention force_https, as well as that it might be necessary to re-upload the images.

I was working through the same issue with Discourse fronted by HAProxy doing SSL termination.
I checked Force Https, and still had the mixed content warnings (e.g. on favicon).
But when I uploaded a logo, all the warnings went away - including for favicon which I had not changed.
So maybe it re-calculates the URLs for every image when you upload any image (at least for the base system images…)?

1 Like
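
An added example (not part of the original thread): a small Python check that lists the subresources an HTTPS page still references over plain http://, which is what produces the mixed content warning discussed above and lets you confirm that force_https plus re-uploading the icons actually cleared it. The forum.example host, the upload paths and the sample HTML are constructed; a real check would feed in the fetched page source.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource.
# Plain <a href> navigation links are not mixed content, so <a> is absent.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "source": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "link": ("href",),
}
# <link rel=...> values that trigger a fetch; rel="canonical" does not.
FETCH_RELS = {"stylesheet", "icon", "apple-touch-icon", "preload", "manifest"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCH_RELS:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/...) references.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, name, url))

def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by a page served over https."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: icon and logo stored with http:// absolute URLs.
SAMPLE_HTML = """<head>
<link rel="shortcut icon" href="http://forum.example/uploads/favicon.png">
<link rel="canonical" href="http://forum.example/">
<link rel="stylesheet" href="/stylesheets/desktop.css"></head>
<body><img src="http://forum.example/uploads/logo.png">
<img src="//forum.example/uploads/avatar.png">
<a href="http://forum.example/latest">Latest</a></body>"""
```

An empty result for the page as served through the reverse proxy means no http:// subresources remain in the markup; stylesheets and scripts can still load further resources that this static check does not see.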