
There should be a way to set Mautic to use HTTPS in the config #8944

Closed
rori4 opened this issue Jun 24, 2020 · 15 comments
Labels: configuration (Anything related to the Mautic configuration section), enhancement (Any improvement to an existing feature or functionality), T2 (Medium difficulty to fix (issue) or test (PR))


rori4 commented Jun 24, 2020

Bug Description

When running Mautic with SSL encryption you will get a warning for mixed content related to gravatar images. This has been reported before here: Chrome shows Mautic dashboard as not fully secure #7577 & mautic/docker-mautic#37

A solution to this is to add $_SERVER['HTTPS'] = 'on'; in the index.php in the Mautic installation. However, when you update Mautic you will need to do this again.

Maybe there can be a setting in the configuration to set the server to use HTTPS?

| Q | A |
|---|---|
| Mautic version | 2.16.3 |
| PHP version | 7.1.33 |
| Browser | Chrome Version 83.0.4103.106 |

Steps to reproduce

  1. I am using Mautic with this docker setup: https://github.com/mautic/docker-mautic/tree/master/examples/mautic-example-nginx-ssl behind Cloudflare
  2. When you log in to the dashboard and refresh the page, you will get a mixed content warning because of Gravatar images requested from (http://i2.wp.com)
RCheesley added the bug, T2, pending-feedback and triage-mautic-3 labels on Jul 1, 2020
@RCheesley
Sponsor Member

Hi there, as we are only providing fixes for Mautic 3.x going forward, can you confirm if this continues in Mautic 3.0.1?
Thanks!

@rori4
Author

rori4 commented Jul 2, 2020

As always the updating of Mautic is a nightmare. I got stuck updating to v3.0.1:

ERR_MAUTIC_3_MIGRATIONS_IDENTIFICATION_FAILED: We couldn't reliably detect the amount of available database migrations. Please try again by refreshing this page..

Refreshing the page and going through the docs didn't help as well as the detailed logs.

Any suggestions what is causing this?


| Q | A |
|---|---|
| Mautic version | 2.16.3 |
| PHP version (Updated) | 7.2.28 |
| Browser | Chrome Version 83.0.4103.106 |

@HLFH

HLFH commented Jul 2, 2020

I followed this manual process to update to 3.0.1. And I confirm this issue is still happening.

@rori4
Author

rori4 commented Jul 2, 2020

> I followed this manual process to update to 3.0.1. And I confirm this issue is still happening.

@HLFH Do you mean the update issue ERR_MAUTIC_3_MIGRATIONS_IDENTIFICATION_FAILED or the SSL warning of mixed content related to gravatar images?

Perhaps I should open a separate issue for the update to v3.0.1

@rori4
Author

rori4 commented Jul 2, 2020

Ok... so I was able to do a clean install of Mautic v3.0.0 and then update to v3.0.1 and I can confirm that the issue still persists.

I need to add $_SERVER['HTTPS'] = 'on'; to the index.php so I can solve the mixed content SSL warning that comes from the gravatar images

@HLFH

HLFH commented Jul 3, 2020

@rori4 It depends where you put the line $_SERVER['HTTPS'] = 'on';.
Can you quote the code within index.php where you put your new line?

Thank you!

@rori4
Author

rori4 commented Jul 3, 2020

@HLFH Here you go:

```php
<?php

/*
 * @copyright   2014 Mautic Contributors. All rights reserved
 * @author      Mautic
 *
 * @link        http://mautic.org
 *
 * @license     GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
 */
define('MAUTIC_ROOT_DIR', __DIR__);

// Fix for hosts that do not have date.timezone set, it will be reset based on users settings
date_default_timezone_set('UTC');

require_once __DIR__.'/app/autoload.php';

// Workaround discussed in this issue: force PHP to treat every request as HTTPS
$_SERVER['HTTPS'] = 'on';

use Mautic\CoreBundle\ErrorHandler\ErrorHandler;
use Mautic\Middleware\MiddlewareBuilder;
use function Stack\run;

ErrorHandler::register('prod');

run((new MiddlewareBuilder(new AppKernel('prod', false)))->resolve());
```

Perhaps it should be better to put it after the use function Stack\run; line but it works like that

RCheesley added the mautic-3 label and removed the pending-feedback and triage-mautic-3 labels on Jul 7, 2020
@RCheesley
Sponsor Member

Thanks for checking this out - if you have problems migrating please post in the dedicated support forum here: https://forum.mautic.org/c/support/mautic-3-install-upgrade-support/98

RCheesley changed the title from "No way to set Mautic to use HTTPS" to "There should be a way to set Mautic to use HTTPS in the config" on Jul 7, 2020
RCheesley added the enhancement label and removed the bug label on Jul 7, 2020
@RCheesley
Sponsor Member

I tweaked the title slightly to make it a bit more descriptive

@Inboundmanager

Inboundmanager commented Jul 9, 2020

The bug is because the rel2abs method on the Mautic\CoreBundle\Helper\UrlHelper class is not considering the right server headers in case of being called from Trusted Proxies. In that case X_FORWARDED_PROTO must be used instead of HTTPS for checking SSL.

See code on isSecure method on Symfony\Component\HttpFoundation:

```php
namespace Symfony\Component\HttpFoundation;
// ...
class Request
{
    // ...
    /**
     * Names for headers that can be trusted when
     * using trusted proxies.
     *
     * The FORWARDED header is the standard as of rfc7239.
     *
     * The other headers are non-standard, but widely used
     * by popular reverse proxies (like Apache mod_proxy or Amazon EC2).
     */
    protected static $trustedHeaders = array(
        self::HEADER_FORWARDED => 'FORWARDED',
        self::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
        self::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
        self::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
        self::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
    );
    // ...
    public function isSecure()
    {
        if ($this->isFromTrustedProxy() && $proto = $this->getTrustedValues(self::HEADER_CLIENT_PROTO)) {
            return \in_array(strtolower($proto[0]), array('https', 'on', 'ssl', '1'), true);
        }

        $https = $this->server->get('HTTPS');

        return !empty($https) && 'off' !== strtolower($https);
    }
    // ...
}
```

Regards
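
The trust rule described in the comment above, as an added example that is not part of the original thread and is not Mautic or Symfony code: the forwarded protocol header is honoured only when the connecting peer is a configured proxy. The function names `ipInCidr` and `requestIsSecure`, the proxy address and the sample requests are constructed for illustration; the sketch handles IPv4 only and assumes 64-bit PHP.

```php
<?php
declare(strict_types=1);

// Added illustration, not Mautic or Symfony code. IPv4 only; assumes 64-bit PHP.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed input never counts as trusted
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Honour X-Forwarded-Proto only when the TCP peer is a configured proxy,
// mirroring the isSecure() logic quoted in the thread.
function requestIsSecure(array $server, array $trustedProxies): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = false;
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            $fromProxy = true;
            break;
        }
    }
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    if ($fromProxy && $proto !== '') {
        // First value of a comma-separated list, as the excerpt does with $proto[0].
        $first = strtolower(trim(explode(',', $proto)[0]));
        return in_array($first, ['https', 'on', 'ssl', '1'], true);
    }
    $https = $server['HTTPS'] ?? '';
    return !empty($https) && strtolower($https) !== 'off';
}

// Constructed sample requests; 192.0.2.10 stands in for the TLS-terminating proxy.
$trusted = ['192.0.2.10'];
$samples = [
    'via proxy, client on HTTPS'  => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via proxy, client on HTTP'   => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'untrusted peer sends header' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct TLS, no proxy'        => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'],
];
foreach ($samples as $label => $server) {
    printf("%-28s => %s\n", $label, requestIsSecure($server, $trusted) ? 'https' : 'http');
}
```

Unlike setting `$_SERVER['HTTPS'] = 'on'` unconditionally, this check reports the proxied plain-HTTP sample as http and ignores the header when it arrives from a peer outside the trusted list.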

@RCheesley
Sponsor Member

@Inboundmanager it seems this PR relates to that scenario: #7931 would you agree?

@Inboundmanager

> @Inboundmanager it seems this PR relates to that scenario: #7931 would you agree?

Yes, and also #7577 on Mautic 2.16.3 and Mautic 2.15.3

@RCheesley
Sponsor Member

Great - please test the PR #7931 if you are able (it has a conflict to be resolved so you may need to apply it manually or wait for it to be resolved!) and hopefully we can merge in 3.1!

RCheesley added the configuration label on Jul 24, 2020
RCheesley removed this from the 3.1.0 milestone on Aug 17, 2020
@RCheesley
Sponsor Member

Closing as the PR has been merged which addresses this issue 🎉

@tobsowo

tobsowo commented Feb 20, 2023

Just experienced this with installing 4.4.6
Is there a way to resolve this?

```php
<?php

/*
 * @copyright   2014 Mautic Contributors. All rights reserved
 * @author      Mautic
 *
 * @link        http://mautic.org
 *
 * @license     GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
 */
define('MAUTIC_ROOT_DIR', __DIR__);

// Fix for hosts that do not have date.timezone set, it will be reset based on users settings
date_default_timezone_set('UTC');

require_once 'autoload.php';

use Mautic\CoreBundle\ErrorHandler\ErrorHandler;
use Mautic\Middleware\MiddlewareBuilder;
use function Stack\run;

ErrorHandler::register('prod');

run((new MiddlewareBuilder(new AppKernel('prod', false)))->resolve());
```
