Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug: Setting url: to https in config.js causes a redirect loop #2796

Closed
xtceed opened this issue May 22, 2014 · 32 comments
Closed

Bug: Setting url: to https in config.js causes a redirect loop #2796

xtceed opened this issue May 22, 2014 · 32 comments

Comments

@xtceed
Copy link

xtceed commented May 22, 2014

Issue Summary

Creating a blog which only uses https requires that the links generated by blog.url to be https however I am not able to set this in config.js

If I enter the url: to my blog in config.js as http, then all of my internal links point to http causing users and search engines to get redirected unnecessarily.

Steps to Reproduce

Apache/2.2.22 (Debian) using the following options
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://example.com$1 [R=301,L]
ProxyRequests off
ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http:/127.0.0.1:2368/

Ghost is running as http but needs to be able to write blog.url as whatever the user wants to specify.

Technical details

  • Ghost Version: 0.4.2
  • Client OS: Win 7
  • Server OS: Debian 7.5
  • Node Version: v0.10.28
  • Browser: Chrome
  • Database: sqlite3
@halfdan
Copy link
Contributor

halfdan commented May 24, 2014

What is the setting in config.js for url? Did you try setting it to url: 'https://example.com'?

@xtceed
Copy link
Author

xtceed commented May 24, 2014

Right now its http to work, but when I set it to https that's when I get the problem.

@sebgie
Copy link
Contributor

sebgie commented May 24, 2014

Hello @xtceed and welcome to Ghost.

Ghost is able do what you are trying to achieve but the Apache configuration doesn't seem correct to me. As @halfdan pointed out the url:https://example.com setting does what you are asking for because it'll enforce https for all traffic and output the correct links. Ghost uses the X-Forwarded-Proto header to determine your protocol and therefore it has to be passed from the proxy. This header is missing from the config example above. When it comes to configuring your proxy the forum is probably a better place to ask for instructions as there are more people with Apache experience than you will find here.

@ErisDS
Copy link
Member

ErisDS commented May 24, 2014

Going to close this until there is some evidence that it is a bug rather than a configuration/environment issue.

@ErisDS ErisDS closed this as completed May 24, 2014
@bravius
Copy link

bravius commented Jun 14, 2014

Also got the redirection loop of death when setting the url in config.js to https.... was attempting to proxy Ghost into an existing application. Fixed it by adding the request header 'X-Forwarded-Proto' = 'https'; Thanks to sebgie for the heads-up.

@xtceed
Copy link
Author

xtceed commented Jun 15, 2014

Bravius could you give an example of what you mean? Thanks.

@jcjones
Copy link

jcjones commented Aug 12, 2014

xtceed: On Nginx I added proxy_set_header X-Forwarded-Proto https; to my site configuration, such that it reads:

server {
        listen                          443 ssl spdy;

        location / {
            proxy_pass              http://localhost:8080;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_set_header        Host $http_host;
            proxy_intercept_errors  on;
        }
}

This stopped the 302 redirect loop on my HTTPS-only blog at https://tacticalsecret.com/

@dustinmatlock
Copy link

I can confirm this happens on a DigitalOcean Ghost app install. @ErisDS could you possibly provide the correct settings to fix this? Here's what I have now.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name my-ghost-blog.com; # Replace with your domain

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 10G;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    } 
}

@ErisDS
Copy link
Member

ErisDS commented Oct 14, 2014

@dustinmatlock Please use the forum for support questions, thanks!

@HLFH
Copy link

HLFH commented Dec 4, 2014

I added proxy_set_header X-Forwarded-Proto https; entry on my ghost.conf (powered by Nginx). Thanks @jcjones ! It's solved now.

@MostDev
Copy link

MostDev commented Dec 23, 2014

I am having the same issue with my Ghost blog on Azure websites (IIS). When i change the config.js url to https from http it causes a redirect loop.

@dustinmatlock
Copy link

You can set the blog to http in config.js and redirect to https. I'm not sure if it's a configuration issue, but it happens on DigitalOcean. This is how I solved the problem. CloudFlare has an easy way to setup redirects, or use the Nginx solution above.

@davidmyersdev
Copy link

Adding the line proxy_set_header X-Forwarded-Proto $scheme; worked like a charm!

@esfoobar
Copy link

esfoobar commented Jan 1, 2015

I can confirm I had the redirect loop and with proxy_set_header X-Forwarded-Proto $scheme; on my nginx virtual conf it now works.

@dustinmatlock
Copy link

@jorge-3, would you know how to make this work on a DO droplet? Ubuntu 14.04. Thanks!

@davidmyersdev
Copy link

@dustinmatlock, are you using Apache or Nginx?

@dustinmatlock
Copy link

@drmyersii, it's Nginx, thanks.

@esfoobar
Copy link

esfoobar commented Jan 1, 2015

@dustinmatlock sorry, haven't worked with Digital Ocean. But if you're using nginx, the config that I'm using is similar to what you posted.

Here's what I have:

server {
    listen       443;
    server_name  jorge3.com;

    ssl                  on;
    ssl_certificate      ssl/jorge3_com.crt;
    ssl_certificate_key  ssl/jorge3.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    access_log /var/log/nginx/jorge3.access.log;
    error_log /var/log/nginx/jorge3.error.log;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # 2 lines below are to avoid Ghost https redirect bug
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

The blog is live at https://jorge3.com

@randunel
Copy link

randunel commented May 15, 2015

Redirect loop confirmed on openshift. Reverting the protocol from https to http in config stopped the loop.

Version 0.6.3

@randunel
Copy link

randunel commented Jun 20, 2015

@ErisDS this is a bug, not a configuration issue. Same thing happened in digitalocean.

@smereczynski
Copy link

@MostDev if You want to enable native https in Ghost on Azure You must enable X-Forwarded-Proto for iisnode. There is an directive You must put into /site/wwwroot/iisnode.yml:

enableXFF: true

and remove all https redirection rules from web.config. Next change the configuration of Ghost in config.js:

production: {
        url: 'https://someaddress.azurewebsites.net',

        mail: {
            transport: 'SMTP',
            options: {
                service: 'SendGrid',
                auth: {
                    user: 'user',
                    pass: 'pass'
                }
            }
        },
        database: {
            client: 'sqlite3',
            connection: {
                filename: path.join(__dirname, '/content/data/ghost.db')
            },
            debug: false
        },
        server: {
            // Host to be passed to node's `net.Server#listen()`
            host: '127.0.0.1',
            // Port to be passed to node's `net.Server#listen()`, for iisnode set this to `process.env.PORT`
            port: process.env.PORT
        },
        forceAdminSSL: true
    },

Change to https in url if You want to have whole website with https or forceAdminSSL: true if You want just admin panel with https.

For Azure users there is a dedicated repository from which the Marketplace app is forked time to time: https://github.com/felixrieseberg/Ghost-Azure

@mlvea
Copy link

mlvea commented Apr 19, 2016

When generating static sites. (For example- with buster) How should I deal with https.

@mattferderer
Copy link

I can confirm that this fixed this issue for me as well. I was running this with Docker & Nginx. Changing the config in Ghost to https caused a redirect loop. Adding proxy_set_header X-Forwarded-Proto https; fixed that.

@gabrielepmattia
Copy link

For those who are using apache, this is a sample working configuration to avoid the loop redirect

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"

    ServerName ghost.example.com:443

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /home/user/.ssl/certificate.pem
    SSLCertificateKeyFile /home/user/.ssl/private_key.key

    <Location "/">
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:2368/
        ProxyPassReverse http://127.0.0.1:2368/
    </Location>
</VirtualHost>

@love2dishtech
Copy link

Thanks @gabrielepmattia This solved it for Apache.

@glcheetham
Copy link

Newcomers, using the droplet image on digital ocean, check cloudflare configuration before messing with the nginx conf.

The correct configuration for cloudflare is to select Full (strict) in SSL settings and Disable Universal SSL (at the bottom of the page)

Once I disabled universal SSL and set my configuration to Full (strict) ghost was able to redirect the site to https:// every time without fault

If you need to reset your nginx configuration to the default, delete your domains configuration in /etc/nginx/sites-available and /etc/nginx/sites-enabled and rerun ghost setup nginx 👍

@jillesme
Copy link
Contributor

jillesme commented Sep 4, 2018

I had the same issue, doing what @glcheetham suggested fixed it!

@ma-karai
Copy link

ma-karai commented Feb 1, 2019

Any ideas how to accomplish that with an haproxy?

@vinyll
Copy link

vinyll commented Apr 24, 2020

I've have an instance in an LXC container with Nginx as front proxy while proxy_set_header X-Forwarded-Proto https; is present.
While it works for other services I've been struggling with this issue for 2 evenings and finally solved.

in config.production.json, I just had to remove the s of https in my url:
"url": "https://read.anonym.dev/", -> "url": "http://read.anonym.dev/"

This stopped looping nginx redirections 🎉

@alst-ovh
Copy link

This solve the Problem for me:

Enable Header:
a2enmod headers

Add to the Apache site config:

Without this, ghost infinitely redirects:

RequestHeader set "X-Forwarded-Proto" "https"
ProxyPreserveHost Off
ProxyPass / http://localhost:2368/
ProxyPassReverse / http://localhost:2368/

Look at: https://blog.schenck.online/ghost-with-apache-and-https/

@0ne1astk155

This comment has been minimized.

@ErisDS
Copy link
Member

ErisDS commented Aug 6, 2020

If you receive a redirect loop after setting your URL to HTTPS, it means your proxy is misconfigured and is telling Ghost the requests are HTTP. Ghost is then correctly redirecting to HTTPS.

Ghost is setup to receive and correctly handle proxy headers, including X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-For. If your proxy is misconfigured and sends the wrong headers, you will end up in a redirect loop.

If you aren't using Ghost CLI and are configuring your proxy yourself, then there are several excellent sources of information available to you:

If all that fails, we have https://forum.ghost.org where you can request support with configuring your proxy.

@TryGhost TryGhost locked as resolved and limited conversation to collaborators Aug 6, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests