Login-button unsecured

Yesterday, I’ve been installing Discourse behind an Apache reverse proxy. Apache is mostly managed via a self-service-GUI that can also be used to activate Let’s encrypt-certs and proxy-configuration. Additionaly this GUI takes care, that LE-certs don’t expire. Having said this I want to rule out that I’ve been configuring Discourse without SSL/LE-template; internally I’m using port 10080. Works so far.

However, I discovered there’s an option in Discourse’s config to activate https globally. So I enabled it. This seems to work fine but as I noticed, login-Button is still http (instead auf https). Indeed Discourse indicates this by an unlocked-symbol.

So my question: what do I need to do in order to persuade Discourse to make it https?
Thanks in advance.

If you haven’t done so already, try enabling the Discourse force https site setting. That setting is found in the Security section of your site settings pages.

Thanks for your answer.
This option is already enabled. So seems to be anything else.

1 Like

Can you please share your reverse proxy config?

(And I think that the answer will be (again…) X-Forwarded-Proto).

3 Likes

Sure :slight_smile:

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port 80
ProxyPreserveHost Off
ProxyPassMatch "^/((?!(?:errors|\.well-known)/acme-challenge/).*)" "http://localhost:10080/$1" retry=30 timeout=7200
ProxyPassReverse "/" "http://localhost:10080/"

Problem is solved. It’s working.
As it seems unlocked-symbol doesn’t mean it’s unlocked.