Login-button unsecured

Installation
1

Yesterday, I’ve been installing Discourse behind an Apache reverse proxy. Apache is mostly managed via a self-service-GUI that can also be used to activate Let’s encrypt-certs and proxy-configuration. Additionaly this GUI takes care, that LE-certs don’t expire. Having said this I want to rule out that I’ve been configuring Discourse without SSL/LE-template; internally I’m using port 10080. Works so far.

However, I discovered there’s an option in Discourse’s config to activate https globally. So I enabled it. This seems to work fine but as I noticed, login-Button is still http (instead auf https). Indeed Discourse indicates this by an unlocked-symbol.

So my question: what do I need to do in order to persuade Discourse to make it https?
Thanks in advance.

2

If you haven’t done so already, try enabling the Discourse force https site setting. That setting is found in the Security section of your site settings pages.

3

Thanks for your answer.
This option is already enabled. So seems to be anything else.

1 Like
4

Can you please share your reverse proxy config?

(And I think that the answer will be (again…) X-Forwarded-Proto).

3 Likes
5

Sure :slight_smile:

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port 80
ProxyPreserveHost Off
ProxyPassMatch "^/((?!(?:errors|\.well-known)/acme-challenge/).*)" "http://localhost:10080/$1" retry=30 timeout=7200
ProxyPassReverse "/" "http://localhost:10080/"
6

Problem is solved. It’s working.
As it seems unlocked-symbol doesn’t mean it’s unlocked.