Drupal7 nginx ssl

bailsbails's picture

Hi

I'm trying to get a drupal7 site setup on nginx with everything served via https, with http doing a global rewrite e.g.

server {
    server_name mysite.fqdn;
    listen *:80;
    rewrite ^/(.*)$ https://mysite.fqdn/$1 permanent;
}

Whilst this seems to work fine for the many drupal6 sites we have running on this host, with drupal7 this results in the old "Your connection to mysite.fqdn is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit and can be modified by an attacker to change the behaviour of the page." red X message in Chrome and IE9's "only secure content is displayed" "show all content".

Having looked at the source in both browsers I believe the problem is the way that the css is included and a small experiment went some way to proving this.

In drupal 7 the css is included by way of e.g. @import url("http://mysite.fqdn/modules/system/system.menus.css")

In IE9 if we "show all content" the stylesheets are then pulled in (by way of being redirected to https). However if the http server on port 80 is stopped and "show all content" is pressed then the stylesheets are not pulled in (obviously!).

The same site on an apache2 server with a:

ServerName mysite.fqdn
Redirect permanent / https://mysite.fqdn/

shows the css includes as @import url("https://mysite.fqdn/modules/system/system.menus.css")

Does anyone have any ideas how apache is managing this? Additionally, we are not using securepages or session443 on either setup.

Thanks

Bails

Comments

Try this:

perusio's picture

server {
    server_name mysite.fqdn;
    listen 80;
   
    return 301 https://mysite.fqdn$request_uri;
}

Try it on the CLI with cURL. Any request for a http scheme should be redirected to https.

Of course you need a properly configured SSL host. The above does only the redirect.

Hi Perusio Thanks for the tip

bailsbails's picture

Hi Perusio

Thanks for the tip but using the 301 is still a no go. As I said above the ssl host is properly configured. If I swap the root to a drupal6 copy of the site in question it behaves exactly as I expect (no warnings and everything is served fine from https). It's just drupal7 that doesn't work as expected.

Hmm.

perusio's picture

There seems to be something on the drupal side of things failing. Does this help you in any way?

Is drupal writing the "links"

brianmercer's picture

Is drupal writing the "links" to the css as "http://"?

This is what I use in settings.php for Drupal 6:

if (!empty($_SERVER['HTTPS'])) {
  $base_url = 'https://mysite.fqdn';
}
else {
  $base_url = 'http://mysite.fqdn';
}

and see http://drupal.org/https-information for whether to $conf['https'].

Mo' better :)

perusio's picture

No ifs:

<?php
$base_url = empty($_SERVER['HTTPS']) ? 'http://mysite.fqdn' : 'https://mysite.fqdn';
?>

Hi peruso /

bailsbails's picture

Hi peruso / brianmercer.

Thanks for the input. Looks like all I was missing was a:

$base_url = 'https://mysite.fqdn';

in settings.php as the site doesn't use http on any pages. Now all the css requests come from https://mysite.fqdn

Thanks again.
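
A check for the symptom this thread is about, added here as an example and not posted by any participant: it lists the http:// subresources (including Drupal 7's `@import url(...)` stylesheets) that cause the mixed-content warning on an https page. The sample page, the `/example` paths and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches as part of rendering the page.
FETCH_ATTRS = {("link", "href"), ("script", "src"), ("img", "src"), ("iframe", "src")}
# Matches CSS references such as @import url("http://host/path.css").
CSS_URL = re.compile(r"""url\(\s*["']?(http://[^"')\s]+)""", re.IGNORECASE)

class MixedContentFinder(HTMLParser):
    """Collects http:// subresources referenced by an HTML document."""
    def __init__(self):
        super().__init__()
        self.insecure = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel=canonical and similar are links, not fetched resources
        for name, value in attrs.items():
            if (tag, name) in FETCH_ATTRS and (value or "").lower().startswith("http://"):
                self.insecure.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> element
            self.insecure.extend(CSS_URL.findall(data))

def find_mixed_content(html):
    """Return the insecure subresource URLs in document order."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.insecure

# Constructed sample page; only the @import line is taken from the thread.
PAGE_BEFORE = (
    '<html><head><style type="text/css" media="all">'
    '@import url("http://mysite.fqdn/modules/system/system.menus.css");</style>'
    '<link rel="canonical" href="http://mysite.fqdn/example" />'
    '<script src="http://mysite.fqdn/example/app.js"></script></head>'
    '<body><a href="http://mysite.fqdn/example">not a subresource</a></body></html>'
)
PAGE_AFTER = PAGE_BEFORE.replace("http://", "https://")
```

Run against the saved page source before and after a change to `$base_url` or the `HTTPS` FastCGI parameter; an empty list means no subresource is requested over plain http.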

You shouldn't need $base_url

halcyonCorsair's picture

You shouldn't need $base_url in Drupal 7. Are you sure $_SERVER['HTTPS'] is getting set to 'on' correctly?

Then make sure you're passing

brianmercer's picture

Then make sure you're passing HTTPS to cgi with something like this:

  location = /index.php {
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $basepath/drupal/index.php;
    fastcgi_param HTTPS $cgi_https;
    fastcgi_pass php;
  }

and this in your nginx.conf:
  map $scheme $cgi_https {
    default '';
    https on;
  }

There's a built in https variable in one of the most recent dev versions of nginx, but the above should be safe for any non-ancient version.

If you're using

perusio's picture

Nginx version >= 1.1.11 there's a fastcgi_param HTTPS $https if_not_empty flag that will set the HTTPS param to on if the scheme is https.

undefined index HTTPS

emjayess's picture

nginx/1.2.3, but when I try to access this, or dump out $_SERVER from settings.php, it isn't present. Also confirmed it is in nginx's fastcgi_params file. I'z confuzed.

--
matt j. sorenson, g.d.o., d.o.

fastcgi_params vs fastcgi_drupal.conf?

emjayess's picture

from fastcgi_params, I copied the line:

fastcgi_param  HTTPS              $https if_not_empty;


and pasted into fastcgi_drupal.conf, and that made HTTPS available to drupal

Near as I could tell, fastcgi_params was being loaded by nginx.conf... so I'm not clear on why this was necessary?

P.s. Drupal 7 and we started with @perusio's 'drupal-with-nginx' project.

--
matt j. sorenson, g.d.o., d.o.

It's worth noting that if

halcyonCorsair's picture

It's worth noting that if you're using boost, most boost configurations I've seen are stupid, and will happily serve http cached pages to https users, with all the http links to css, js, images, etc intact...
