New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug: Setting url: to https in config.js causes a redirect loop #2796

Closed
xtceed opened this Issue May 22, 2014 · 27 comments

Comments

Projects
None yet
@xtceed

xtceed commented May 22, 2014

Issue Summary

Creating a blog which only uses https requires that the links generated by blog.url to be https however I am not able to set this in config.js

If I enter the url: to my blog in config.js as http, then all of my internal links point to http causing users and search engines to get redirected unnecessarily.

Steps to Reproduce

Apache/2.2.22 (Debian) using the following options
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://example.com$1 [R=301,L]
ProxyRequests off
ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http:/127.0.0.1:2368/

Ghost is running as http but needs to be able to write blog.url as whatever the user wants to specify.

Technical details

  • Ghost Version: 0.4.2
  • Client OS: Win 7
  • Server OS: Debian 7.5
  • Node Version: v0.10.28
  • Browser: Chrome
  • Database: sqlite3
@halfdan

This comment has been minimized.

Show comment
Hide comment
@halfdan

halfdan May 24, 2014

Member

What is the setting in config.js for url? Did you try setting it to url: 'https://example.com'?

Member

halfdan commented May 24, 2014

What is the setting in config.js for url? Did you try setting it to url: 'https://example.com'?

@xtceed

This comment has been minimized.

Show comment
Hide comment
@xtceed

xtceed May 24, 2014

Right now its http to work, but when I set it to https that's when I get the problem.

xtceed commented May 24, 2014

Right now its http to work, but when I set it to https that's when I get the problem.

@sebgie

This comment has been minimized.

Show comment
Hide comment
@sebgie

sebgie May 24, 2014

Contributor

Hello @xtceed and welcome to Ghost.

Ghost is able do what you are trying to achieve but the Apache configuration doesn't seem correct to me. As @halfdan pointed out the url:https://example.com setting does what you are asking for because it'll enforce https for all traffic and output the correct links. Ghost uses the X-Forwarded-Proto header to determine your protocol and therefore it has to be passed from the proxy. This header is missing from the config example above. When it comes to configuring your proxy the forum is probably a better place to ask for instructions as there are more people with Apache experience than you will find here.

Contributor

sebgie commented May 24, 2014

Hello @xtceed and welcome to Ghost.

Ghost is able do what you are trying to achieve but the Apache configuration doesn't seem correct to me. As @halfdan pointed out the url:https://example.com setting does what you are asking for because it'll enforce https for all traffic and output the correct links. Ghost uses the X-Forwarded-Proto header to determine your protocol and therefore it has to be passed from the proxy. This header is missing from the config example above. When it comes to configuring your proxy the forum is probably a better place to ask for instructions as there are more people with Apache experience than you will find here.

@ErisDS

This comment has been minimized.

Show comment
Hide comment
@ErisDS

ErisDS May 24, 2014

Member

Going to close this until there is some evidence that it is a bug rather than a configuration/environment issue.

Member

ErisDS commented May 24, 2014

Going to close this until there is some evidence that it is a bug rather than a configuration/environment issue.

@ErisDS ErisDS closed this May 24, 2014

@bravius

This comment has been minimized.

Show comment
Hide comment
@bravius

bravius Jun 14, 2014

Also got the redirection loop of death when setting the url in config.js to https.... was attempting to proxy Ghost into an existing application. Fixed it by adding the request header 'X-Forwarded-Proto' = 'https'; Thanks to sebgie for the heads-up.

bravius commented Jun 14, 2014

Also got the redirection loop of death when setting the url in config.js to https.... was attempting to proxy Ghost into an existing application. Fixed it by adding the request header 'X-Forwarded-Proto' = 'https'; Thanks to sebgie for the heads-up.

@xtceed

This comment has been minimized.

Show comment
Hide comment
@xtceed

xtceed Jun 15, 2014

Bravius could you give an example of what you mean? Thanks.

xtceed commented Jun 15, 2014

Bravius could you give an example of what you mean? Thanks.

@jcjones

This comment has been minimized.

Show comment
Hide comment
@jcjones

jcjones Aug 12, 2014

xtceed: On Nginx I added proxy_set_header X-Forwarded-Proto https; to my site configuration, such that it reads:

server {
        listen                          443 ssl spdy;

        location / {
            proxy_pass              http://localhost:8080;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_set_header        Host $http_host;
            proxy_intercept_errors  on;
        }
}

This stopped the 302 redirect loop on my HTTPS-only blog at https://tacticalsecret.com/

jcjones commented Aug 12, 2014

xtceed: On Nginx I added proxy_set_header X-Forwarded-Proto https; to my site configuration, such that it reads:

server {
        listen                          443 ssl spdy;

        location / {
            proxy_pass              http://localhost:8080;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_set_header        Host $http_host;
            proxy_intercept_errors  on;
        }
}

This stopped the 302 redirect loop on my HTTPS-only blog at https://tacticalsecret.com/

@dustinmatlock

This comment has been minimized.

Show comment
Hide comment
@dustinmatlock

dustinmatlock Oct 14, 2014

I can confirm this happens on a DigitalOcean Ghost app install. @ErisDS could you possibly provide the correct settings to fix this? Here's what I have now.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name my-ghost-blog.com; # Replace with your domain

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 10G;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    } 
}

dustinmatlock commented Oct 14, 2014

I can confirm this happens on a DigitalOcean Ghost app install. @ErisDS could you possibly provide the correct settings to fix this? Here's what I have now.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name my-ghost-blog.com; # Replace with your domain

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 10G;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    } 
}
@ErisDS

This comment has been minimized.

Show comment
Hide comment
@ErisDS

ErisDS Oct 14, 2014

Member

@dustinmatlock Please use the forum for support questions, thanks!

Member

ErisDS commented Oct 14, 2014

@dustinmatlock Please use the forum for support questions, thanks!

@HLFH

This comment has been minimized.

Show comment
Hide comment
@HLFH

HLFH Dec 4, 2014

I added proxy_set_header X-Forwarded-Proto https; entry on my ghost.conf (powered by Nginx). Thanks @jcjones ! It's solved now.

HLFH commented Dec 4, 2014

I added proxy_set_header X-Forwarded-Proto https; entry on my ghost.conf (powered by Nginx). Thanks @jcjones ! It's solved now.

@MostDev

This comment has been minimized.

Show comment
Hide comment
@MostDev

MostDev Dec 23, 2014

I am having the same issue with my Ghost blog on Azure websites (IIS). When i change the config.js url to https from http it causes a redirect loop.

MostDev commented Dec 23, 2014

I am having the same issue with my Ghost blog on Azure websites (IIS). When i change the config.js url to https from http it causes a redirect loop.

@dustinmatlock

This comment has been minimized.

Show comment
Hide comment
@dustinmatlock

dustinmatlock Dec 23, 2014

You can set the blog to http in config.js and redirect to https. I'm not sure if it's a configuration issue, but it happens on DigitalOcean. This is how I solved the problem. CloudFlare has an easy way to setup redirects, or use the Nginx solution above.

dustinmatlock commented Dec 23, 2014

You can set the blog to http in config.js and redirect to https. I'm not sure if it's a configuration issue, but it happens on DigitalOcean. This is how I solved the problem. CloudFlare has an easy way to setup redirects, or use the Nginx solution above.

@drm2

This comment has been minimized.

Show comment
Hide comment
@drm2

drm2 Dec 30, 2014

Adding the line proxy_set_header X-Forwarded-Proto $scheme; worked like a charm!

drm2 commented Dec 30, 2014

Adding the line proxy_set_header X-Forwarded-Proto $scheme; worked like a charm!

@esfoobar

This comment has been minimized.

Show comment
Hide comment
@esfoobar

esfoobar Jan 1, 2015

I can confirm I had the redirect loop and with proxy_set_header X-Forwarded-Proto $scheme; on my nginx virtual conf it now works.

esfoobar commented Jan 1, 2015

I can confirm I had the redirect loop and with proxy_set_header X-Forwarded-Proto $scheme; on my nginx virtual conf it now works.

@dustinmatlock

This comment has been minimized.

Show comment
Hide comment
@dustinmatlock

dustinmatlock Jan 1, 2015

@jorge-3, would you know how to make this work on a DO droplet? Ubuntu 14.04. Thanks!

dustinmatlock commented Jan 1, 2015

@jorge-3, would you know how to make this work on a DO droplet? Ubuntu 14.04. Thanks!

@drm2

This comment has been minimized.

Show comment
Hide comment
@drm2

drm2 Jan 1, 2015

@dustinmatlock, are you using Apache or Nginx?

drm2 commented Jan 1, 2015

@dustinmatlock, are you using Apache or Nginx?

@dustinmatlock

This comment has been minimized.

Show comment
Hide comment
@dustinmatlock

dustinmatlock Jan 1, 2015

@drmyersii, it's Nginx, thanks.

dustinmatlock commented Jan 1, 2015

@drmyersii, it's Nginx, thanks.

@esfoobar

This comment has been minimized.

Show comment
Hide comment
@esfoobar

esfoobar Jan 1, 2015

@dustinmatlock sorry, haven't worked with Digital Ocean. But if you're using nginx, the config that I'm using is similar to what you posted.

Here's what I have:

server {
    listen       443;
    server_name  jorge3.com;

    ssl                  on;
    ssl_certificate      ssl/jorge3_com.crt;
    ssl_certificate_key  ssl/jorge3.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    access_log /var/log/nginx/jorge3.access.log;
    error_log /var/log/nginx/jorge3.error.log;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # 2 lines below are to avoid Ghost https redirect bug
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

The blog is live at https://jorge3.com

esfoobar commented Jan 1, 2015

@dustinmatlock sorry, haven't worked with Digital Ocean. But if you're using nginx, the config that I'm using is similar to what you posted.

Here's what I have:

server {
    listen       443;
    server_name  jorge3.com;

    ssl                  on;
    ssl_certificate      ssl/jorge3_com.crt;
    ssl_certificate_key  ssl/jorge3.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    access_log /var/log/nginx/jorge3.access.log;
    error_log /var/log/nginx/jorge3.error.log;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # 2 lines below are to avoid Ghost https redirect bug
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

The blog is live at https://jorge3.com

@randunel

This comment has been minimized.

Show comment
Hide comment
@randunel

randunel May 15, 2015

Redirect loop confirmed on openshift. Reverting the protocol from https to http in config stopped the loop.

Version 0.6.3

randunel commented May 15, 2015

Redirect loop confirmed on openshift. Reverting the protocol from https to http in config stopped the loop.

Version 0.6.3

@randunel

This comment has been minimized.

Show comment
Hide comment
@randunel

randunel Jun 20, 2015

@ErisDS this is a bug, not a configuration issue. Same thing happened in digitalocean.

randunel commented Jun 20, 2015

@ErisDS this is a bug, not a configuration issue. Same thing happened in digitalocean.

@smereczynski

This comment has been minimized.

Show comment
Hide comment
@smereczynski

smereczynski Jul 25, 2015

@MostDev if You want to enable native https in Ghost on Azure You must enable X-Forwarded-Proto for iisnode. There is an directive You must put into /site/wwwroot/iisnode.yml:

enableXFF: true

and remove all https redirection rules from web.config. Next change the configuration of Ghost in config.js:

production: {
        url: 'https://someaddress.azurewebsites.net',

        mail: {
            transport: 'SMTP',
            options: {
                service: 'SendGrid',
                auth: {
                    user: 'user',
                    pass: 'pass'
                }
            }
        },
        database: {
            client: 'sqlite3',
            connection: {
                filename: path.join(__dirname, '/content/data/ghost.db')
            },
            debug: false
        },
        server: {
            // Host to be passed to node's `net.Server#listen()`
            host: '127.0.0.1',
            // Port to be passed to node's `net.Server#listen()`, for iisnode set this to `process.env.PORT`
            port: process.env.PORT
        },
        forceAdminSSL: true
    },

Change to https in url if You want to have whole website with https or forceAdminSSL: true if You want just admin panel with https.

For Azure users there is a dedicated repository from which the Marketplace app is forked time to time: https://github.com/felixrieseberg/Ghost-Azure

smereczynski commented Jul 25, 2015

@MostDev if You want to enable native https in Ghost on Azure You must enable X-Forwarded-Proto for iisnode. There is an directive You must put into /site/wwwroot/iisnode.yml:

enableXFF: true

and remove all https redirection rules from web.config. Next change the configuration of Ghost in config.js:

production: {
        url: 'https://someaddress.azurewebsites.net',

        mail: {
            transport: 'SMTP',
            options: {
                service: 'SendGrid',
                auth: {
                    user: 'user',
                    pass: 'pass'
                }
            }
        },
        database: {
            client: 'sqlite3',
            connection: {
                filename: path.join(__dirname, '/content/data/ghost.db')
            },
            debug: false
        },
        server: {
            // Host to be passed to node's `net.Server#listen()`
            host: '127.0.0.1',
            // Port to be passed to node's `net.Server#listen()`, for iisnode set this to `process.env.PORT`
            port: process.env.PORT
        },
        forceAdminSSL: true
    },

Change to https in url if You want to have whole website with https or forceAdminSSL: true if You want just admin panel with https.

For Azure users there is a dedicated repository from which the Marketplace app is forked time to time: https://github.com/felixrieseberg/Ghost-Azure

@madnik

This comment has been minimized.

Show comment
Hide comment
@madnik

madnik Apr 19, 2016

When generating static sites. (For example- with buster) How should I deal with https.

madnik commented Apr 19, 2016

When generating static sites. (For example- with buster) How should I deal with https.

@mattferderer

This comment has been minimized.

Show comment
Hide comment
@mattferderer

mattferderer May 2, 2017

I can confirm that this fixed this issue for me as well. I was running this with Docker & Nginx. Changing the config in Ghost to https caused a redirect loop. Adding proxy_set_header X-Forwarded-Proto https; fixed that.

mattferderer commented May 2, 2017

I can confirm that this fixed this issue for me as well. I was running this with Docker & Nginx. Changing the config in Ghost to https caused a redirect loop. Adding proxy_set_header X-Forwarded-Proto https; fixed that.

@gabrielepmattia

This comment has been minimized.

Show comment
Hide comment
@gabrielepmattia

gabrielepmattia Dec 11, 2017

For those who are using apache, this is a sample working configuration to avoid the loop redirect

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"

    ServerName ghost.example.com:443

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /home/user/.ssl/certificate.pem
    SSLCertificateKeyFile /home/user/.ssl/private_key.key

    <Location "/">
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:2368/
        ProxyPassReverse http://127.0.0.1:2368/
    </Location>
</VirtualHost>

gabrielepmattia commented Dec 11, 2017

For those who are using apache, this is a sample working configuration to avoid the loop redirect

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"

    ServerName ghost.example.com:443

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /home/user/.ssl/certificate.pem
    SSLCertificateKeyFile /home/user/.ssl/private_key.key

    <Location "/">
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:2368/
        ProxyPassReverse http://127.0.0.1:2368/
    </Location>
</VirtualHost>
@love2dishtech

This comment has been minimized.

Show comment
Hide comment
@love2dishtech

love2dishtech Mar 11, 2018

Thanks @gabrielepmattia This solved it for Apache.

love2dishtech commented Mar 11, 2018

Thanks @gabrielepmattia This solved it for Apache.

@glcheetham

This comment has been minimized.

Show comment
Hide comment
@glcheetham

glcheetham May 27, 2018

Newcomers, using the droplet image on digital ocean, check cloudflare configuration before messing with the nginx conf.

The correct configuration for cloudflare is to select Full (strict) in SSL settings and Disable Universal SSL (at the bottom of the page)

Once I disabled universal SSL and set my configuration to Full (strict) ghost was able to redirect the site to https:// every time without fault

If you need to reset your nginx configuration to the default, delete your domains configuration in /etc/nginx/sites-available and /etc/nginx/sites-enabled and rerun ghost setup nginx 👍

glcheetham commented May 27, 2018

Newcomers, using the droplet image on digital ocean, check cloudflare configuration before messing with the nginx conf.

The correct configuration for cloudflare is to select Full (strict) in SSL settings and Disable Universal SSL (at the bottom of the page)

Once I disabled universal SSL and set my configuration to Full (strict) ghost was able to redirect the site to https:// every time without fault

If you need to reset your nginx configuration to the default, delete your domains configuration in /etc/nginx/sites-available and /etc/nginx/sites-enabled and rerun ghost setup nginx 👍

@jillesme

This comment has been minimized.

Show comment
Hide comment
@jillesme

jillesme Sep 4, 2018

Contributor

I had the same issue, doing what @glcheetham suggested fixed it!

Contributor

jillesme commented Sep 4, 2018

I had the same issue, doing what @glcheetham suggested fixed it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment