Open Graph data URLs are using "http" protocol always #4739

Closed
JuanKRuiz opened this Issue Dec 31, 2014 · 2 comments

JuanKRuiz commented Dec 31, 2014

Open Graph data URLs are using the "http" protocol; it doesn't matter that the website is over "https".

I have my Ghost blog published on https://juank.io but when I look at the OG meta tags they are linking to http:// URLs.

I have configured iisnode (Azure) to redirect http requests to https without problems. But redirects are bad indicators for Twitter cards or Facebook posts, (sometimes) causing images not to be loaded.

Especially on Facebook, these redirect issues could rank the post down on the timeline.

I'm not sure if this issue is related to Ghost or to Azure. Temporarily I have tweaked ghost-head.js to construct OG data using https instead of http.

Member

cobbspur commented Jan 7, 2015

Hi Juan,

So far I have not been able to reproduce this. It may be related to Azure or your environment, but it is not a bug in Ghost as far as I can tell.

One thing for you to check is that the url in the config.js file is explicitly set to https.

If you raise this problem in the forums, then I am sure someone with better knowledge of Azure can investigate this further but this issue can be closed.

ErisDS closed this Jan 7, 2015

JuanKRuiz commented Jan 16, 2015

Hi @cobbspur and @ErisDS,
I've been reviewing this a little bit more.

The issue is caused because I have the config.js file with the url protocol as http instead of https.

If I turn it to https the site just doesn't start: blank page.

My site is already configured for https, but the browser is getting TOO_MANY_REDIRECTS because there is an infinite redirect loop caused by this code in core/server/middleware/index.js:

function isSSLrequired(isAdmin) {
    var forceSSL = url.parse(config.url).protocol === 'https:' ? true : false;

    var forceAdminSSL = (isAdmin && config.forceAdminSSL);

    if (forceSSL || forceAdminSSL) {
        return true;
    }
    return false;
}

// Check to see if we should use SSL
// and redirect if needed
function checkSSL(req, res, next) {
    if (isSSLrequired(res.isAdmin)) {
        if (!req.secure) {
            var forceAdminSSL = config.forceAdminSSL,
                redirectUrl;

            // Check if forceAdminSSL: { redirect: false } is set, which means
            // we should just deny non-SSL access rather than redirect
            if (forceAdminSSL && forceAdminSSL.redirect !== undefined && !forceAdminSSL.redirect) {
                return res.sendStatus(403);
            }

            redirectUrl = url.parse(config.urlSSL || config.url);
            return res.redirect(301, url.format({
                protocol: 'https:',
                hostname: redirectUrl.hostname,
                port: redirectUrl.port,
                pathname: req.path,
                query: req.query
            }));
        }
    }
    next();
}

Looks like

var forceSSL = url.parse(config.url).protocol === 'https:' ? true : false;

is returning true when the site is already running on https, but if Ghost is already configured to run over https and IIS is redirecting http traffic to https, there's no need to redirect again.

I suggest the right validation could be:

//if site is already running over https there is no need to forceSSL
var forceSSL = url.parse(config.url).protocol === 'https:' ? false:true;

On IIS you configure a website to run over https with this rule in web.config file:

<rule name="Force HTTPS" enabled="true">
  <match url="(.*)" ignoreCase="false" />
  <conditions>
    <add input="{HTTPS}" pattern="off" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>

So because of that, my current blog config.js is configured with forceAdminSSL: false

Actually isSSLrequired method execution looks like

function isSSLrequired(isAdmin) {
    // forceSSL = true;
    var forceSSL = url.parse(config.url).protocol === 'https:' ? true : false;
    // forceAdminSSL = false;
    //                  true && false = false
    var forceAdminSSL = (isAdmin && config.forceAdminSSL);

    // true || false = true
    if (forceSSL || forceAdminSSL) {
        // TRUE
        return true;
    }
    return false;
}

That method's response is causing the checkSSL method to redirect the URL to https even if the URL is already over https.

For test purposes I've changed the code in my own repository and it looks like everything is working OK now.

//if site is already running over https there is no need to forceSSL
var forceSSL = url.parse(config.url).protocol === 'https:' ? false:true;

I don't know the Ghost code in depth, so my solution may not be the best one. Any ideas?
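
Added example (not Ghost's code and not part of any comment above): a model of the `checkSSL` decision when TLS ends at a front end such as IIS, so Node only ever sees a plain-HTTP socket. It assumes the front end sets an `X-Forwarded-Proto` header and that `req.secure` follows Express's behaviour; `blog.example`, `viaProxy` and `hopsUntilServed` are hypothetical names, and the request objects are constructed.

```javascript
// Models Express's req.secure: true for a TLS socket, or, only when the app
// trusts its proxy, when X-Forwarded-Proto says the client used https.
function isSecure(req, trustProxy) {
    if (req.encrypted) { return true; }
    if (!trustProxy) { return false; }
    const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
    return proto === 'https';
}

// Same decision as checkSSL above, returned as data instead of written to res.
// forceAdminSSL is left out because the blog in the thread sets it to false.
function sslDecision(config, req, trustProxy) {
    const target = new URL(config.url);
    if (target.protocol === 'https:' && !isSecure(req, trustProxy)) {
        return { status: 301, location: 'https://' + target.host + req.path };
    }
    return { status: 200 };
}

// What the front end hands to Node (constructed): TLS ends at the proxy, so
// the socket is plain HTTP and the original scheme survives only in the header.
function viaProxy(clientUrl) {
    const u = new URL(clientUrl);
    return {
        encrypted: false,
        path: u.pathname,
        headers: { 'x-forwarded-proto': u.protocol.replace(':', '') }
    };
}

// Follow redirects like a browser; returns hop count, or -1 when it gives up.
function hopsUntilServed(config, startUrl, trustProxy, maxHops = 20) {
    let current = startUrl;
    for (let hops = 0; hops <= maxHops; hops++) {
        const res = sslDecision(config, viaProxy(current), trustProxy);
        if (res.status === 200) { return hops; }
        current = res.location;
    }
    return -1; // the browser would report TOO_MANY_REDIRECTS
}

const config = { url: 'https://blog.example' }; // placeholder host
console.log(hopsUntilServed(config, 'https://blog.example/', false)); // -1
console.log(hopsUntilServed(config, 'http://blog.example/', true));   // 1
```

In an Express app the trusted-proxy case corresponds to enabling the `trust proxy` setting; whether Ghost at this version exposes that is not stated on the page.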
