<![CDATA[ Can't get rid off "mixed content" after switching to HTTPS - My Forums]]> https://forums.modx.com/thread/?thread=104325 <![CDATA[Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561118
I'm pretty lost with moving our site from http to https.

In late July our site got hacked - not via modx, but via a WordPress installation which happened to be on the same server.
I restored our site, updated to 2.6.5-pl - all went pretty fine - and after that I made the switch from http:// to https:// in order to meet the requirements to be GDPR-safe.

Now Firefox and Chrome keep saying there's mixed content and thus the site isn't displaying as it should.

What I did in order to switch to https after I got the "let's encrypt"-SSL-certificate installed by my webprovider:




  • Activated the ssl-part in .htaccess
  • Changed "site_url" in MySQL-table "_context_setting" to "https://chorphilharmonie.de"
  • Changed system setting "server_protocol" to https
  • Changed system setting "link_tag_scheme" from "-1" to "https"

Now neither bootstrap.min.js will load (I already switched the URL in my template from relative path to absolute including "https://" - but even this doesn't help) nor several pictures.
All paths to images are made relative in my templates / TVs, the paths are correct (so I don't understand the 301 either)

Any idea what's still wrong or where I should look?

The runtime analysis in Firefox's developer tools says the following:
GET
https://xyz.de/ [HTTP/1.1 200 OK 144ms]
GET
https://xyz.de/bootstrap.css [HTTP/1.1 200 OK 141ms]
GET
https://xyz.de/bootstrap-helper.css [HTTP/1.1 200 OK 151ms]
GET
https://xyz.de/owl.carousel.css [HTTP/1.1 200 OK 197ms]
GET
https://xyz.de/fontawesome.min.css [HTTP/1.1 200 OK 171ms]
GET
https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js [HTTP/2.0 304 Not Modified 16ms]
GET
https://www.xyz.de/assets/components/js/bootstrap.min.js [HTTP/1.1 301 Moved Permanently 122ms]
Mixes(insecure) display content from "https://xyz.de/assets/components/pic/xyz_head.png" loading on a secure site [more informations]xyz.de
GET
https://www.xyz.de/assets/components/pic/xyz_head.png [HTTP/1.1 301 Moved Permanently 186ms]
Mixed (insecure) display content from "https://xyz.de/assets/components/pic/xyz_titel.jpg" loading on a secure site[more informations]xyz.de
GET
https://www.xyz.de/assets/components/pic/xyz_titel.jpg [HTTP/1.1 301 Moved Permanently 184ms]
Mixed (insecure) display content from "https://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png" loading on a secure site[more informations]xyz.de
GET
https://www.xyz.de/assets/components/pic/Logo_notenschlu%CC%88ssel.png [HTTP/1.1 301 Moved Permanently 185ms]
Laden von gemischten aktiven Inhalten "http://xyz.de/assets/components/js/bootstrap.min.js" wurde blockiert.[more informations]xyz.de
Mixed (insecure) display content from "http://xyz.de/assets/components/pic/xyz_titel.jpg" loading on a secure site[more informations]xyz.de
Mixed (insecure) display content from "http://xyz.de/assets/components/pic/xyz_head.png" loading on a secure site[more informations]xyz.de
Mixed (insecure) display content from "http://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png" loading on a secure site[more informations]xyz.de
GET
http://xyz.de/assets/components/pic/xyz_titel.jpg [Mixed content]
[HTTP/1.1 301 Moved Permanently 33ms]
GET
http://xyz.de/assets/components/pic/xyz_head.png [Mixed content]
[HTTP/1.1 301 Moved Permanently 35ms]
GET
http://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png [Mixed content]
[HTTP/1.1 301 Moved Permanently 35ms]
GET
https://xyz.de/assets/components/pic/xyz_titel.jpg [HTTP/1.1 304 Not Modified 54ms]
GET
https://xyz.de/assets/components/pic/xyz_head.png [HTTP/1.1 304 Not Modified 56ms]
GET
https://xyz.de/assets/components/pic/Logo_notenschlu%cc%88ssel.png
]]>
calvair Aug 26, 2018, 06:35 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561118
<![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561965 hqnqne q;r Oct 06, 2018, 05:36 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561965 <![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561961 nuan88 Oct 06, 2018, 01:34 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561961 <![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS (Best Answer)]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561854
It was easier than I thought (but due to my work I wasn't able to spend much time to solve it)...

The address, for example for the JavaScript, was given like "//www.url.de/components/js/script.js". I deleted "www", and now it works as expected...

Thanks for all your replies!

]]>
calvair Oct 01, 2018, 06:16 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561854
<![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561481 Quote from: kudratello at Sep 11, 2018, 03:49 PM
I am having the same issue when trying to send a contact form using ajax, and all my svg files are giving the following error:

Failed to load /images/technologies/laravel.svg: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://example.com' is therefore not allowed access.
(index):1

but all other things are working correctly

These documents might help with your issue. It is not something I have personally had to deal with before, but I understand there can be CORS issues with SVG files and Javascript.

https://oreillymedia.github.io/Using_SVG/extras/ch10-cors.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin]]>
andytough Sep 11, 2018, 04:06 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https?page=2#dis-post-561481
<![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561479
Failed to load /images/technologies/laravel.svg: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://example.com' is therefore not allowed access.
(index):1

but all other things are working correctly]]>
kudratello Sep 11, 2018, 03:49 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561479
<![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561465
RewriteCond %{HTTP_HOST} piratelsat\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://piratelsat.com/$1 [R,L]

]]>
nuan88 Sep 10, 2018, 07:54 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561465
<![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561458
I removed the protocol in case I mentioned it before.
There is a chunk called footer in which I load the .js-files which are needed.

It used to be:
	<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
	<script type="text/javascript" async src="https://www.xyz.de/assets/components/js/bootstrap.min.js"></script>


I changed it to:
	<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
	<script type="text/javascript" async src="//www.xyz.de/assets/components/js/bootstrap.min.js"></script>


Well - it doesn't work - and to leave me even more puzzled, the runtime analysis says
GET
https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js [HTTP/2.0 304 Not Modified 16ms]
GET
https://www.xyz.de/assets/components/js/bootstrap.min.js [HTTP/1.1 301 Moved Permanently 122ms]


(you can see the correct protocol together with bootstrap.min.js) ...but later on in the same analysis it comes to
Loading of mixed content "http://xyz.de/assets/components/js/bootstrap.min.js" has been blocked.[more informations]xyz.de


So first it is correct, but later on it seems to be loaded again with only http:// - and this time it gets blocked so the bootstrap.min.js won't work at all.

There is only this unique call to load bootstrap.min.js in this chunk - it occurs in no other file of my site. In order to validate this I removed the line which calls the bootstrap.min.js - and the runtime analysis doesn't mention any bootstrap.min.js (so it's really the one and only call for bootstrap.min.js)

The insecure passive contents (like https://xyz.de/assets/components/pic/xyz_titel.jpg) are inside TVs with protocol-insensitive URLs like mentioned in Mark Hamstra's article (which I already read before posting my first post) - so I thought modx will do the part of using the right protocol.

So I'm still in trouble ... smiley

My .htaccess (at least the part which is relevant) reads like:
RewriteEngine On
RewriteBase /



# Rewrite www.domain.com -> domain.com -- used with SEO Strict URLs plugin
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^xyz\.de [NC]
RewriteRule (.*) http://xyz.de/$1 [R=301,L]
#
# or for the opposite domain.com -> www.domain.com use the following
# DO NOT USE BOTH
#
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^www\.example-domain-please-change\.com [NC]
#RewriteRule (.*) http://www.example-domain-please-change.com/$1 [R=301,L]



# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent 
# https://www.domain.com when your cert only allows https://secure.domain.com
 RewriteCond %{SERVER_PORT} !^443
 RewriteRule (.*) https://xyz.de/$1 [R=301,L]



# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
]]>
calvair Sep 09, 2018, 07:47 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561458
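
Added example, not part of the thread: a small Python simulation of the two redirect rules in the .htaccess posted above, tracing where a request for the www host is sent and flagging any plain-HTTP hop that a browser on an HTTPS page would report as mixed content. The function names are hypothetical, and passing "https" as the host rule's target scheme models an assumed corrected rule, not one taken from the thread.

```python
import re
from urllib.parse import urlsplit

# RewriteCond %{HTTP_HOST} !^xyz\.de [NC]
CANONICAL_HOST = re.compile(r"^xyz\.de", re.IGNORECASE)

def redirect(url, host_rule_scheme):
    """Return the 301 Location the two redirect rules yield, or None."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path.lstrip("/")  # per-directory rules see no leading slash
    # Rule 1: any non-canonical host is sent to xyz.de.
    # The posted rule targets http://; host_rule_scheme lets us vary that.
    if parts.hostname and not CANONICAL_HOST.search(parts.hostname):
        return f"{host_rule_scheme}://xyz.de/{path}"
    # Rule 2: RewriteCond %{SERVER_PORT} !^443 -> force https
    if not str(port).startswith("443"):
        return f"https://xyz.de/{path}"
    return None

def chain(url, host_rule_scheme, max_hops=5):
    """Follow redirects until the rules stop matching."""
    hops = [url]
    for _ in range(max_hops):
        nxt = redirect(hops[-1], host_rule_scheme)
        if nxt is None:
            break
        hops.append(nxt)
    return hops

def insecure_hops(hops):
    """Hops fetched over plain HTTP, i.e. mixed content on an HTTPS page."""
    return [h for h in hops if h.startswith("http://")]

if __name__ == "__main__":
    # Constructed input: the script URL from the footer chunk in the post.
    start = "https://www.xyz.de/assets/components/js/bootstrap.min.js"
    for scheme in ("http", "https"):
        hops = chain(start, scheme)
        print(f"host rule -> {scheme}://")
        for hop in hops:
            print("   ", hop)
        print("    insecure hops:", insecure_hops(hops) or "none")
```

With the posted rule the chain passes through http://xyz.de/... before reaching https://xyz.de/..., which matches the 301 followed by the blocked http:// request in the runtime analysis.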
<![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561456 (of course I'll reply when it's done and working)]]> calvair Sep 09, 2018, 05:51 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561456 <![CDATA[Re: Can't get rid off "mixed content" after switching to HTTPS]]> https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561374 Quote from: pyrographics at Aug 31, 2018, 03:05 PM
I typically do a search in the generated source code for http: which fixes mixed content. Also use .htaccess to force https and clear your site cache.

Yes that's good, and when the page loads you can see the bad calls in developer tools as well.

When I did this it was quite a struggle. How many times can it look ok, and then be broken the next morning? Many, many times as it turns out.]]>
nuan88 Sep 04, 2018, 06:47 PM https://forums.modx.com/thread/104325/can-t-get-rid-off-mixed-content-after-switching-to-https#dis-post-561374