Attachment upload and "mixed content" error / ssl

  • We’re using XWiki 6.4.4 in Jetty behind Apache as a reverse proxy / ProxyPass, with an HTTP connector between Apache and Jetty (same issue on Tomcat, btw).
  • On the public side, we access our website using HTTPS, as https://my.site.org/
  • The wiki’s descriptor “secure” checkbox is checked.

In this configuration, when uploading an attachment, after the file is uploaded we get a red error “An error occurred while uploading XXX”. And the following error appears in Firebug’s console: "Blocage du chargement du contenu mixte actif (mixed active content) « http://my.site.org/bin/get/wiki/?xpage=attachmentslist&forceTestRights=1 »"

Which tells us XWiki tries to call a non-HTTPS URL, which is unexpected.

Besides the error message, I notice the file is uploaded correctly.

When I switch to the AJP protocol (on Tomcat rather than Jetty, because AJP support has been dropped in Jetty 9), the error goes away. Of course there is no error when trying to reproduce directly on Jetty’s internal web server. My goal here is to make this work with Apache in front of Jetty over the HTTP connector: does anyone have a magical idea?

Hi mhow2,

Mixed content blocking is a security feature that is controlled by the browser, and not the web server (see Mixed content blocking in Firefox | Firefox Help).

I found an issue related to the problem you describe here : Loading.... Have you tried updating your xwiki.cfg in order to set the correct protocol that should be used by the platform (xwiki.url.protocol=https) ?

Thanks,

Thanks !

That setting, xwiki.url.protocol, is currently not set on my instance because, as stated in the config file: “The right value is taken from the request URL, so setting this is not recommended in most cases.”

As I am requesting in https, I expect the wiki to handle everything within https protocol.

But maybe there is a bug somehow.
I’ll try to set it; it shouldn’t impact our production as we don’t serve any wiki on regular HTTP anymore.

Tried it, doesn’t solve the issue unfortunately :frowning:
We also noticed that getURLFactory() returns http instead of https

When using Nginx and Tomcat with https you have to make some modifications to the Tomcat configuration, see http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat#Hhttps28secure29
You might have to do something similar for Jetty. Unfortunately I don’t know how. I found this in the old(?) Jetty documentation. Maybe it helps: The Eclipse Jetty Project :: Eclipse Jetty

@Johannes : you made my day by introducing that new material :slight_smile:

This is what was missing in the Apache/Jetty config:

In Apache:

RequestHeader set X-Forwarded-Proto https

In Jetty (at least in v9.4), you have to run:

$ java -jar start.jar --add-to-start=http-forwarded

It adds a related section in start.ini (or start.d, depending on the usage). Default values are OK.
Then restart Jetty and reload Apache.

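Why the two settings in the last post fix the error, as an added Python sketch (not code from the thread, XWiki, Jetty or Apache): it models a backend choosing the scheme for the attachment-list URL with and without honoring X-Forwarded-Proto. The function names, the 127.0.0.1 proxy address and the trusted-peer check are assumptions of this sketch.

```python
import ipaddress

# Constructed for this sketch: Apache and Jetty on one host, so the only
# peer allowed to assert the original scheme is 127.0.0.1 (an assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
PAGE = "https://my.site.org/"
XHR_PATH = "/bin/get/wiki/?xpage=attachmentslist&forceTestRights=1"


def effective_scheme(connector_scheme, headers, peer_ip, honor_forwarded):
    """Scheme the backend should put in the absolute URLs it generates.

    headers: dict with lower-cased header names.
    """
    if not honor_forwarded:
        return connector_scheme  # backend only sees its own HTTP connector
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return connector_scheme  # header from an unknown peer is ignored
    proto = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else connector_scheme


def is_mixed_active_content(page_url, request_url):
    """True when an HTTPS page asks for a script/XHR URL over plain HTTP."""
    return page_url.startswith("https://") and request_url.startswith("http://")


def simulate(honor_forwarded, peer_ip="127.0.0.1", headers=None):
    """Return (URL the backend generates, whether the browser blocks it)."""
    if headers is None:
        headers = {"x-forwarded-proto": "https"}  # what the proxy sets
    scheme = effective_scheme("http", headers, peer_ip, honor_forwarded)
    url = f"{scheme}://my.site.org{XHR_PATH}"
    return url, is_mixed_active_content(PAGE, url)


if __name__ == "__main__":
    print("forwarded header ignored:", simulate(honor_forwarded=False))
    print("forwarded header honored:", simulate(honor_forwarded=True))
    print("untrusted peer          :", simulate(True, peer_ip="203.0.113.7"))
```

Apache's `RequestHeader set` replaces any X-Forwarded-Proto value sent by the client, so the backend only sees the proxy's value as long as its HTTP connector is reachable solely through the proxy.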