Answered HTTPS access to a HTTP site builds absolute https links for internal resource links and caches them? Is this a known issue?

I am going to test this issue thoroughly, however I now think this is the root cause: https://github.com/modxcms/revolution/issues/6034

Something smelled familiar when looking through the repo issues, and I'm frankly shocked it was closed with little serious discussion.

Please skip down to this post to see the issue in a very simple context:

https://forums.modx.com/thread/101921/https-access-to-a-http-site-builds-absolute-https-links-for-internal-resource-links-and-caches-them-is-this-a-known-issue#dis-post-549533

I am working on a MODX 2.3.3 site trying to solve a very odd issue assumed to be with the internal URL creation.

I have a reference to the site_url uncached for the base href. If I access the site via HTTPS the site_url shows as https, pretty much expected.

The issue is if someone accidentally accesses the site via HTTPS, MODX seems to cache some of the relative links as https; meaning there is a situation where the site is being accessed via HTTP, but some of the internal links on the page are absolute https, and following them results in cert warnings. Basically, an erroneous https link to the site can cause other users to be served https pages.

This doesn't affect wayfinder links, presumably because they are all uncached?

Is this a configuration issue? Are resource links supposed to be cached? Any idea on how to rectify this easily?

IF this is an internal link building issue, would setting the default scheme (link_tag_scheme) to 0 be the solution? Are there any downsides to this besides locking down the site to http only?

Any other theories on causes would also be welcome. Investigating it has proven nearly impossible. One thing to note is that I have had reports that some people arrive on the site via the address bar, first time visitors, and also get served via https, which might contradict the URL scheme theory. [ed. note: johnnyp last edited this post 7 years, 1 month ago.]

What do you have in your .htacess file? If you have an SSL certificate then wouldn't it make sense to force HTTPS anyway?

Quote from: lkfranklin at Mar 20, 2017, 04:00 PM

What do you have in your .htacess file? If you have an SSL certificate then wouldn't it make sense to force HTTPS anyway?

Apache simply rewrites to http://site.com

There is no SSL for general site access, and no interest in using it. I have informed client of SEO gain, user friendliness etc, but understandably they feel they don't need it.

Fair enough - try adding this to your htaccess



If it doesnt work please post up your htaccess file (omit the domain)

Rewriting doesn't change the fact the page gets served via https.

htaccess is simply rewriting all subdomains to http://site.com and also handling FURLs.

I feel this issue is definitely with the way MODX is building the URLs. If I invert the issue by requesting via HTTPS and view the cached links, they DONT have https, so they are not relative to the base href or site url. [ed. note: johnnyp last edited this post 7 years, 1 month ago.]

This makes less and less sense the more I look into it.

I can now see a vanilla home resource link [[~1]] with scheme -1 (set in config) with HTTPS:// while the site_url returns HTTP:// on the same page...

I've attached a screenshot of the base url (site_url, uncached) and the href of [[~1]] to show that I'm not making this up (I know the issue sounds borderline stupid).

[ed. note: johnnyp last edited this post 7 years, 1 month ago.]

Do you have a rule in .htaccess that converts the protocol to https?

This is one way:

Hey Bob,

No, the htaccess file has no https specific rules. Nothing on the site is using https except some third party resources.

What do you have in system settings for server_protocol?
Do you have multi contexts on the site?
Or any extras like redirectoid or anything else that could be writing the rule?

http server protocol, no extra contexts, and no special extras.