Bug: Setting url: to https in config.js causes a redirect loop

[xtceed]

Issue Summary

Creating a blog which only uses https requires that the links generated by blog.url to be https however I am not able to set this in config.js

If I enter the url: to my blog in config.js as http, then all of my internal links point to http causing users and search engines to get redirected unnecessarily.

Steps to Reproduce

Apache/2.2.22 (Debian) using the following options
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://example.com$1 [R=301,L]
ProxyRequests off
ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http:/127.0.0.1:2368/

Ghost is running as http but needs to be able to write blog.url as whatever the user wants to specify.

Technical details

• Ghost Version: 0.4.2
• Client OS: Win 7
• Server OS: Debian 7.5
• Node Version: v0.10.28
• Browser: Chrome
• Database: sqlite3

[halfdan]

What is the setting in config.js for url? Did you try setting it to url: 'https://example.com'?

[xtceed]

Right now its http to work, but when I set it to https that's when I get the problem.

[sebgie]

Hello @xtceed and welcome to Ghost.

Ghost is able do what you are trying to achieve but the Apache configuration doesn't seem correct to me. As @halfdan pointed out the url:https://example.com setting does what you are asking for because it'll enforce https for all traffic and output the correct links. Ghost uses the X-Forwarded-Proto header to determine your protocol and therefore it has to be passed from the proxy. This header is missing from the config example above. When it comes to configuring your proxy the forum is probably a better place to ask for instructions as there are more people with Apache experience than you will find here.

[ErisDS]

Going to close this until there is some evidence that it is a bug rather than a configuration/environment issue.

[bravius]

Also got the redirection loop of death when setting the url in config.js to https.... was attempting to proxy Ghost into an existing application. Fixed it by adding the request header 'X-Forwarded-Proto' = 'https'; Thanks to sebgie for the heads-up.

[xtceed]

Bravius could you give an example of what you mean? Thanks.

[jcjones]

xtceed: On Nginx I added proxy_set_header X-Forwarded-Proto https; to my site configuration, such that it reads:

server {
        listen                          443 ssl spdy;

        location / {
            proxy_pass              http://localhost:8080;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_set_header        Host $http_host;
            proxy_intercept_errors  on;
        }
}

This stopped the 302 redirect loop on my HTTPS-only blog at https://tacticalsecret.com/

[dustinmatlock]

I can confirm this happens on a DigitalOcean Ghost app install. @ErisDS could you possibly provide the correct settings to fix this? Here's what I have now.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name my-ghost-blog.com; # Replace with your domain

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 10G;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    } 
}

[ErisDS]

@dustinmatlock Please use the forum for support questions, thanks!

[HLFH]

I added proxy_set_header X-Forwarded-Proto https; entry on my ghost.conf (powered by Nginx). Thanks @jcjones ! It's solved now.

[MostDev]

I am having the same issue with my Ghost blog on Azure websites (IIS). When i change the config.js url to https from http it causes a redirect loop.

[dustinmatlock]

You can set the blog to http in config.js and redirect to https. I'm not sure if it's a configuration issue, but it happens on DigitalOcean. This is how I solved the problem. CloudFlare has an easy way to setup redirects, or use the Nginx solution above.

[davidmyersdev]

Adding the line proxy_set_header X-Forwarded-Proto $scheme; worked like a charm!

[esfoobar]

I can confirm I had the redirect loop and with proxy_set_header X-Forwarded-Proto $scheme; on my nginx virtual conf it now works.

[dustinmatlock]

@jorge-3, would you know how to make this work on a DO droplet? Ubuntu 14.04. Thanks!

[davidmyersdev]

@dustinmatlock, are you using Apache or Nginx?

[dustinmatlock]

@drmyersii, it's Nginx, thanks.

[esfoobar]

@dustinmatlock sorry, haven't worked with Digital Ocean. But if you're using nginx, the config that I'm using is similar to what you posted.

Here's what I have:

server {
    listen       443;
    server_name  jorge3.com;

    ssl                  on;
    ssl_certificate      ssl/jorge3_com.crt;
    ssl_certificate_key  ssl/jorge3.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    access_log /var/log/nginx/jorge3.access.log;
    error_log /var/log/nginx/jorge3.error.log;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # 2 lines below are to avoid Ghost https redirect bug
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

The blog is live at https://jorge3.com

[randunel]

Redirect loop confirmed on openshift. Reverting the protocol from https to http in config stopped the loop.

Version 0.6.3

[randunel]

@ErisDS this is a bug, not a configuration issue. Same thing happened in digitalocean.

[smereczynski]

@MostDev if You want to enable native https in Ghost on Azure You must enable X-Forwarded-Proto for iisnode. There is an directive You must put into /site/wwwroot/iisnode.yml:

enableXFF: true

and remove all https redirection rules from web.config. Next change the configuration of Ghost in config.js:

production: {
        url: 'https://someaddress.azurewebsites.net',

        mail: {
            transport: 'SMTP',
            options: {
                service: 'SendGrid',
                auth: {
                    user: 'user',
                    pass: 'pass'
                }
            }
        },
        database: {
            client: 'sqlite3',
            connection: {
                filename: path.join(__dirname, '/content/data/ghost.db')
            },
            debug: false
        },
        server: {
            // Host to be passed to node's `net.Server#listen()`
            host: '127.0.0.1',
            // Port to be passed to node's `net.Server#listen()`, for iisnode set this to `process.env.PORT`
            port: process.env.PORT
        },
        forceAdminSSL: true
    },

Change to https in url if You want to have whole website with https or forceAdminSSL: true if You want just admin panel with https.

For Azure users there is a dedicated repository from which the Marketplace app is forked time to time: https://github.com/felixrieseberg/Ghost-Azure

[mlvea]

When generating static sites. (For example- with buster) How should I deal with https.

[mattferderer]

I can confirm that this fixed this issue for me as well. I was running this with Docker & Nginx. Changing the config in Ghost to https caused a redirect loop. Adding proxy_set_header X-Forwarded-Proto https; fixed that.

[gabrielepmattia]

For those who are using apache, this is a sample working configuration to avoid the loop redirect

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"

    ServerName ghost.example.com:443

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /home/user/.ssl/certificate.pem
    SSLCertificateKeyFile /home/user/.ssl/private_key.key

    <Location "/">
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:2368/
        ProxyPassReverse http://127.0.0.1:2368/
    </Location>
</VirtualHost>

[love2dishtech]

Thanks @gabrielepmattia This solved it for Apache.

[glcheetham]

Newcomers, using the droplet image on digital ocean, check cloudflare configuration before messing with the nginx conf.

The correct configuration for cloudflare is to select Full (strict) in SSL settings and Disable Universal SSL (at the bottom of the page)

Once I disabled universal SSL and set my configuration to Full (strict) ghost was able to redirect the site to https:// every time without fault

If you need to reset your nginx configuration to the default, delete your domains configuration in /etc/nginx/sites-available and /etc/nginx/sites-enabled and rerun ghost setup nginx 👍

[jillesme]

I had the same issue, doing what @glcheetham suggested fixed it!

[ma-karai]

Any ideas how to accomplish that with an haproxy?

[vinyll]

I've have an instance in an LXC container with Nginx as front proxy while proxy_set_header X-Forwarded-Proto https; is present.
While it works for other services I've been struggling with this issue for 2 evenings and finally solved.

in config.production.json, I just had to remove the s of https in my url:
"url": "https://read.anonym.dev/", -> "url": "http://read.anonym.dev/"

This stopped looping nginx redirections 🎉

[alst-ovh]

This solve the Problem for me:

Enable Header:
a2enmod headers

Add to the Apache site config:

Without this, ghost infinitely redirects:

RequestHeader set "X-Forwarded-Proto" "https"
ProxyPreserveHost Off
ProxyPass / http://localhost:2368/
ProxyPassReverse / http://localhost:2368/

Look at: https://blog.schenck.online/ghost-with-apache-and-https/

[ErisDS]

If you receive a redirect loop after setting your URL to HTTPS, it means your proxy is misconfigured and is telling Ghost the requests are HTTP. Ghost is then correctly redirecting to HTTPS.

Ghost is setup to receive and correctly handle proxy headers, including X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-For. If your proxy is misconfigured and sends the wrong headers, you will end up in a redirect loop.

If you aren't using Ghost CLI and are configuring your proxy yourself, then there are several excellent sources of information available to you:

• The first is to use the nginx templates inside Ghost CLI as reference material: https://github.com/TryGhost/Ghost-CLI/tree/master/extensions/nginx/templates
• The second is our documentation on reverse proxying for Pro, which has several example configurations and explains what different headers do.
• Google the correct configuration for an HTTPS reverse proxy config for whatever tool you are using

If all that fails, we have https://forum.ghost.org where you can request support with configuring your proxy.