Can't get rid off "mixed content" after switching to HTTPS

27 Posts

calvair Reply #1, 5 years, 7 months ago

Hi,

I'm pretty lost with moving our site from http to https.

In late july our site got hacked - not via modx, but via a Wordpress-Installation which happened to be on the same server.
I restored our site, updated to 2.6.5-pl - all went pretty fine - and after that I made the switch from http:/ to https:/ in order to meet the requirements to be GDPR-safe

Now Firefox and chrome keep saying there's mixed content and thus the site isn't displaying as it should.

What I did in order to switch to https after I got the "let's encrypt"-SSL-certificate installed by my webprovider:

Activated the ssl-part in .htaccess
Changed "site_url" in MySQL-table "_context_setting" to "https://chorphilharmonie.de"
Changed system setting "server_protocol" to https
Changed system setting "link_tag_scheme" from "-1" to "https"

Now neither bootstrap.min.js will load (I already switched the URL in my template from relative path to absolute including "https://" - but even this doesn't help" nor serveral pictures.
All paths to images are made relative in my templates / TVs, the paths are correct (so I don't understand the 301 either)

Any idea what's still wrong or where I should look after?

Runtime-analysis in firefox' developer tools says like follows:

GET
https://xyz.de/ [HTTP/1.1 200 OK 144ms]
GET
https://xyz.de/bootstrap.css [HTTP/1.1 200 OK 141ms]
GET
https://xyz.de/bootstrap-helper.css [HTTP/1.1 200 OK 151ms]
GET
https://xyz.de/owl.carousel.css [HTTP/1.1 200 OK 197ms]
GET
https://xyz.de/fontawesome.min.css [HTTP/1.1 200 OK 171ms]
GET
https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js [HTTP/2.0 304 Not Modified 16ms]
GET
https://www.xyz.de/assets/components/js/bootstrap.min.js [HTTP/1.1 301 Moved Permanently 122ms]
Mixes(insecure) display content from "https://xyz.de/assets/components/pic/xyz_head.png" loading on a secure site [more informations]xyz.de
GET
https://www.xyz.de/assets/components/pic/xyz_head.png [HTTP/1.1 301 Moved Permanently 186ms]
Mixed (insecure) display content from "https://xyz.de/assets/components/pic/xyz_titel.jpg" loading on a secure site[more informations]xyz.de
GET
https://www.xyz.de/assets/components/pic/xyz_titel.jpg [HTTP/1.1 301 Moved Permanently 184ms]
Mixed (insecure) display content from "https://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png" loading on a secure site[more informations]xyz.de
GET
https://www.xyz.de/assets/components/pic/Logo_notenschlu%CC%88ssel.png [HTTP/1.1 301 Moved Permanently 185ms]
Laden von gemischten aktiven Inhalten "http://xyz.de/assets/components/js/bootstrap.min.js" wurde blockiert.[more informations]xyz.de
Mixed (insecure) display content from "http://xyz.de/assets/components/pic/xyz_titel.jpg" loading on a secure site[more informations]xyz.de
Mixed (insecure) display content from "http://xyz.de/assets/components/pic/xyz_head.png" loading on a secure site[more informations]xyz.de
Mixed (insecure) display content from "http://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png" loading on a secure site[more informations]xyz.de
GET
http://xyz.de/assets/components/pic/xyz_titel.jpg [Mixed content]
[HTTP/1.1 301 Moved Permanently 33ms]
GET
http://xyz.de/assets/components/pic/xyz_head.png [Mixed content]
[HTTP/1.1 301 Moved Permanently 35ms]
GET
http://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png [Mixed content]
[HTTP/1.1 301 Moved Permanently 35ms]
GET
https://xyz.de/assets/components/pic/xyz_titel.jpg [HTTP/1.1 304 Not Modified 54ms]
GET
https://xyz.de/assets/components/pic/xyz_head.png [HTTP/1.1 304 Not Modified 56ms]
GET
https://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png

This question has been answered by multiple community members. See the first response.

discuss.answer

1,154 Posts

nuan88 Reply #2, 5 years, 7 months ago

Yes this is a common problem, can you try one fix

Basically for some reason what happens is the call to your css js and any other local files will not be secure. Somehow this seems to (perhaps) get by the htaccess rules and so remains unsecured.

A quick fix is to prepend https:// to your template calls to these files. Its not perhaps the most delicate, but it should work

24,544 Posts

BobRay Reply #3, 5 years, 7 months ago

Sometimes it works if you remove the protocol:

GET

"//www.xyz.de/assets/components/pic/xyz_titel.jpg"

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

1,154 Posts

nuan88 Reply #4, 5 years, 7 months ago

A user just mentioned the context settings for site_url, which needs to be set to https. Just FYI

571 Posts

Andy Tough Reply #5, 5 years, 7 months ago

I have always referred to Mark Hamstras excellent article when I have moved a site to SSL.

https://www.markhamstra.com/modx/2012/07/3-tips-for-serving-a-modx-site-over-ssl/

If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

email: [email protected] | website: https://andytough.com

☆ A M B ☆
113 Posts

pyrographics Reply #6, 5 years, 7 months ago

I typically do a search in the generated source code for http: which fixes mixed content. Also use .htaccess to force https and clear your site cache.

1,154 Posts

nuan88 Reply #7, 5 years, 7 months ago

Quote from: pyrographics at Aug 31, 2018, 03:05 PM

I typically do a search in the generated source code for http: which fixes mixed content. Also use .htaccess to force https and clear your site cache.

Yes that's good, and when the page loads you can see the bad calls in developer tools as well.

When I did this it was quite a struggle. How many times can it look ok, and then be broken the next morning? Many, many times as it turns out.

27 Posts

calvair Reply #8, 5 years, 7 months ago

thanks a lot for all your replies! Had quite a lot to do at work, so there's no time for my website. So I just got to read all your answers and will try my best fixing site now...

(of course I'll reply when it's done and working)

27 Posts

calvair Reply #9, 5 years, 7 months ago

It's a riddle...

I removed the protocoll in case I mentioned it before.
There is a chunk called footer in which I load the .js-files which are needed.

It used to be:

	<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
	<script type="text/javascript" async src="https://www.xyz.de/assets/components/js/bootstrap.min.js"></script>

I changed it to:

	<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
	<script type="text/javascript" async src="//www.xyz.de/assets/components/js/bootstrap.min.js"></script>

Well - it doesn't work - and to let me behind even more puzzled, the runtime analysis says

GET
https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js [HTTP/2.0 304 Not Modified 16ms]
GET
https://www.xyz.de/assets/components/js/bootstrap.min.js [HTTP/1.1 301 Moved Permanently 122ms]

(you can see the correct protocoll together with bootstrap.min.js) ...but later on in the same analysis it comes to

Loading of mixed content "http://xyz.de/assets/components/js/bootstrap.min.js" has been blocked.[more informations]xyz.de

So first it is correct, but later on it seems to be loaded again with only http:// - and this time it get's blocked so the bootstrap.min.js won't work at all.

There is only this unique call to load bootstrap.min.js in this chunk - it occurs in no other file of my site. In order to validate this I removed the line which calls the bootstrap.min.js - and the runtime analysis doesn't mention any bootstrap.min.js (so it's really the one and only call for bootstrap.min.js)

The insecure passive contents (like https://xyz.de/assets/components/pic/xyz_titel.jpg) are inside TVs with protocol-insensitive URLs like metioned in Mark Hamstras article (which I already read before posting my first post) - so I thought modx will do the part of using the right protocoll.

So I'm still in trouble ...

My .htaccess (at least the part which is relevant) reads like:

RewriteEngine On
RewriteBase /



# Rewrite www.domain.com -> domain.com -- used with SEO Strict URLs plugin
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^xyz\.de [NC]
RewriteRule (.*) http://xyz.de/$1 [R=301,L]
#
# or for the opposite domain.com -> www.domain.com use the following
# DO NOT USE BOTH
#
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^www\.example-domain-please-change\.com [NC]
#RewriteRule (.*) http://www.example-domain-please-change.com/$1 [R=301,L]



# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent 
# https://www.domain.com when your cert only allows https://secure.domain.com
 RewriteCond %{SERVER_PORT} !^443
 RewriteRule (.*) https://xyz.de/$1 [R=301,L]



# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

[ed. note: calvair last edited this post 5 years, 7 months ago.]

1,154 Posts

nuan88 Reply #10, 5 years, 7 months ago

Here is my htaccess about https

RewriteCond %{HTTP_HOST} piratelsat\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://piratelsat.com/$1 [R,L]

Answered Can't get rid off "mixed content" after switching to HTTPS