Mixed content (HTTP & HTTPS) while loading app (Nextcloud)

[enoch85]

I don't know if it's a bug or if my setup is wrong, but I'm trying to setup Spreed.Me on a Nextcloud server with Nginx Reverse Proxy in front and Nextcloud on a backend Apache server. This is my setup:

Vhosts

Nginx Vhost

Handles port 443 and 80

server {
        # Cloudflare IP that is masked by mod_real_ip

	error_page 404 500 502 503 504 /cloud-error.html;
        location = /cloud-error.html {
                root /usr/share/nginx/html;
                internal;
        }
     	set_real_ip_from 103.21.244.0/22;
     	set_real_ip_from 103.22.200.0/22;
     	set_real_ip_from 103.31.4.0/22;
     	set_real_ip_from 104.16.0.0/12;
     	set_real_ip_from 108.162.192.0/18;
     	set_real_ip_from 131.0.72.0/22;
     	set_real_ip_from 141.101.64.0/18;
     	set_real_ip_from 162.158.0.0/15;
     	set_real_ip_from 172.64.0.0/13;
     	set_real_ip_from 173.245.48.0/20;
     	set_real_ip_from 188.114.96.0/20;
     	set_real_ip_from 190.93.240.0/20;
     	set_real_ip_from 197.234.240.0/22;
     	set_real_ip_from 198.41.128.0/17;
     	set_real_ip_from 199.27.128.0/21;

	real_ip_header     X-Forwarded-For;
        real_ip_recursive  on;

        listen 192.168.4.201:443 ssl http2;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/cloud.techandme.se/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/cloud.techandme.se/privkey.pem;
	ssl_dhparam /etc/nginx/sites-available/cloudflare_ip/cloud.techandme/cloud-dhparams.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_stapling on;
        ssl_stapling_verify on;

        # Only use safe chiphers
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;
	
	# Add secure headers
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#	add_header X-Content-Type-Options nosniff;
	
        server_name cloud.techandme.se;
        set $upstream 192.168.4.111;

        location /webrtc/ws {
                proxy_pass https://$upstream:443;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }

        location / {
                proxy_pass_header Authorization;
                proxy_pass http://$upstream:80;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                proxy_buffering off;
                proxy_request_buffering off;
		client_max_body_size 0;
                proxy_read_timeout  36000s;
                proxy_redirect off;
                proxy_ssl_session_reuse off;
        }
}

server {
  listen 192.168.4.201:80;
  server_name cloud.techandme.se;
  return 301 https://cloud.techandme.se$request_uri;
}

Apache Vhost Nextcloud

nextcloud.conf

<VirtualHost 192.168.4.111:80>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff

### YOUR SERVER ADDRESS ###
    ServerAdmin user@email.com
    ServerName cloud.techandme.se

### SETTINGS ###
    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    Satisfy Any
    </Directory>

    <IfModule mod_dav.c>
    Dav off
    </IfModule>

    <Directory "/var/ncdata">
    # just in case if .htaccess gets disabled
    Require all denied
    </Directory>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

</VirtualHost>

Apache Vhost SpreedMe

spreedme.conf (As Include in Apache.conf)

<Location /webrtc>
    ProxyPass http://127.0.0.1:8080/webrtc
    ProxyPassReverse /webrtc
</Location>

<Location /webrtc/ws>
    ProxyPass ws://127.0.0.1:8080/webrtc/ws
</Location>

    ProxyVia On
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

Errors

Here are a good summary of all the errors: nextcloud/spreedme-snap#10

Summary

It seems like you need to implement wss so that I can get secure connections, or it's my config that are wrong. Can you please help me here?

Thanks!

[leonklingele]

`proxy_pass https://$upstream:443;`

This looks wrong to me. It should be `proxy_pass http://$upstream;` (assuming your `spreedme.conf` gets loaded in `<VirtualHost 192.168.4.111:80>`)

[enoch85]

@leonklingele Thanks for your sharp eyes.

Even if I set it to proxy_pass http://$upstream I get:

VM199:35 Mixed Content: The page at 'https://cloud.techandme.se/index.php/apps/spreedme/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://cloud.techandme.se/webrtc/ws'. This request has been blocked; this endpoint must be available over WSS.

And if I allow insecure scripts it works, but works bad. It recognizes my user, but other users can't use it and connect to the same rooms etc, not tested that much though) Any ideas?

[enoch85]

@leonklingele Here is a testroom.

[leonklingele]

Either use `RequestHeader set X-Forwarded-Proto 'https'` instead of `RequestHeader set X-Forwarded-Proto 'https' env=HTTPS` _or_ configure your Apache server to listen on `192.168.4.111:443` + revert to `proxy_pass https://$upstream;`

[enoch85]

RequestHeader set X-Forwarded-Proto 'https' solved it, thanks!