SSL with canvas nginx and unicorn

Aurelien Petit

Jan 25, 2016, 10:26:26 PM
to Canvas LMS Users
Hello,
I implemented an SSL connection for my Canvas LMS application. The configuration of Canvas, nginx and unicorn was straightforward, but I am currently facing issues that block the application. I went through some posts about SSL with Canvas but I didn't see similar issues so far, so if there is some wise advice please share.
Here is the issue I am having:

Mixed Content: The page at 'https://mydomain.com/accounts/2/users' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://mydomain.com/courses'. This endpoint should be made available over a secure connection.
common-267d973437.js:19 Download the React DevTools for a better development experience: http://fb.me/react-devtools
common-267d973437.js:3 Mixed Content: The page at 'https://mydomain.com/accounts/2/users' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mydomain.com/accounts/2/users'. This request has been blocked; the content must be served over HTTPS.

And here are my configuration files:

For domain.yml:

production:
  domain: mydomain.com
  ssl: true

For my nginx configuration file:

upstream unicorn_lms {
  server unix:/tmp/unicorn.my_app_production.sock fail_timeout=0;
}

server {
    listen         80;
    server_name mydomain.com;
    return 301 https://$host$request_uri;
}

server {
  listen 443;
  ssl on;
  ssl_certificate /etc/nginx/ssl/lms-server.pem;
  ssl_certificate_key /etc/nginx/ssl/lms.key;

  server_name www.mydomain.com mydomain.com;
  access_log /var/log/nginx/access.log combined;
  error_log /var/log/nginx/error.log;
  root /home/deploy/canvas/my_app_production/current/public;

  if (-f $document_root/system/maintenance.html) {
    return 503;
  }
  error_page 503 @maintenance;
  location @maintenance {
    rewrite  ^(.*)$  /system/maintenance.html last;
    break;
  }

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @unicorn_lms;
  location @unicorn_lms {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://unicorn_lms;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;

  if (-f $document_root/system/maintenance.html) {
    return 503;
  }
  error_page 503 @maintenance;
  location @maintenance {
    rewrite  ^(.*)$  /system/maintenance.html last;
    break;
  }
}


I already did some applications using SSL and this is a basic nginx SSL implementation; also, I hope I didn't make any mistakes.
I already had similar issues before, but it was because some assets were coming from a non-secure connection; however, this time the message shows that the endpoint itself is not secure...
I did a search through my source code using

grep -Ril "http://mydomain.com" current/

trying to find out whether the deployment generated some global variable or hard-coded URL in the code, but no result.
The only thing left is the DB itself; I just hope I won't have to change things there.
Any comments or advice?
Many thanks,
Aurelien

Christopher Bennell

Jan 26, 2016, 1:36:58 PM
to Canvas LMS Users
Try adding the following to your nginx config, below the X-Forwarded-For line: 

    proxy_set_header      X-Forwarded-Ssl on;
    proxy_set_header      X-Forwarded-Proto https;

Aurelien Petit

Feb 14, 2016, 10:19:26 AM
to Canvas LMS Users
Thank you Christopher,
It turned out that nginx was doing some weird redirection loop. I fixed the issue by adding this line:
proxy_set_header X-Forwarded-Proto $scheme;

So a good nginx/unicorn configuration that works for me with SSL is:

upstream unicorn_lms {
  server unix:/tmp/unicorn.my_app_production.sock fail_timeout=0;
}

server {
    listen         80;
    server_name mydomain.com;
    return 301 https://$host$request_uri;
}

server {
  listen 443;
  ssl on;
  ssl_certificate /etc/nginx/ssl/lms-server.pem;
  ssl_certificate_key /etc/nginx/ssl/lms.key;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
  server_name www.mydomain.com mydomain.com;
  access_log /var/log/nginx/access.log combined;
  error_log /var/log/nginx/error.log;
  root /home/deploy/canvas/my_app_production/current/public;

  if (-f $document_root/system/maintenance.html) {
    return 503;
  }
  error_page 503 @maintenance;
  location @maintenance {
    rewrite  ^(.*)$  /system/maintenance.html last;
    break;
  }

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @unicorn_lms;
  location @unicorn_lms {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://unicorn_lms;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;

  if (-f $document_root/system/maintenance.html) {
    return 503;
  }
  error_page 503 @maintenance;
  location @maintenance {
    rewrite  ^(.*)$  /system/maintenance.html last;
    break;
  }
}

Hoping this can be useful for some others in the future,
Thank you
Aurelien
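
A check for the two weak points visible in the configurations in this thread, added here as an example and not part of any post: it flags a TLS `server` block that proxies to the backend without `X-Forwarded-Proto` (the reason the application kept emitting `http://` URLs) and one that still enables protocol versions older than TLS 1.2. The parser is a simplified one that assumes `server` blocks sit at the top level of the file, and `SAMPLE` is constructed from the posted directives.

```python
import re

# Constructed sample: the thread's TLS server block, cut down to what the check reads.
SAMPLE = """
server {
  listen 443;
  ssl on;
  ssl_protocols SSLv2 SSLv3 TLSv1;
  location @unicorn_lms {
    proxy_set_header Host $http_host;
    proxy_pass http://unicorn_lms;
  }
}
"""
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # deprecated by RFC 6176, 7568, 8996

def parse(conf):
    """Build a tree of blocks; each holds its directives and child blocks."""
    stack = [{"name": "main", "d": [], "kids": []}]
    for m in re.finditer(r"([^;{}]*)([;{}])", re.sub(r"#.*", "", conf)):
        words, end = m.group(1).split(), m.group(2)
        if end == "{":
            blk = {"name": " ".join(words), "d": [], "kids": []}
            stack[-1]["kids"].append(blk)
            stack.append(blk)
        elif end == "}":
            stack.pop()
        elif words:
            stack[-1]["d"].append(words)
    return stack[0]

def audit(conf):
    """Return findings for every top-level server block that terminates TLS."""
    out = []
    def walk(blk, inherited):
        # nginx inherits proxy_set_header only if the block sets none itself
        own = {w[1].lower() for w in blk["d"] if w[0] == "proxy_set_header"}
        if any(w[0] == "proxy_pass" for w in blk["d"]) and "x-forwarded-proto" not in (own or inherited):
            out.append(f"{blk['name']}: proxy_pass without X-Forwarded-Proto")
        for kid in blk["kids"]:
            walk(kid, own or inherited)
    for srv in (b for b in parse(conf)["kids"] if b["name"] == "server"):
        d = srv["d"]
        if not (["ssl", "on"] in d or any(w[0] == "listen" and "ssl" in w for w in d)):
            continue  # plain-HTTP server, such as the port-80 redirect block
        out += ["obsolete protocols: " + " ".join(sorted(OBSOLETE & set(w[1:])))
                for w in d if w[0] == "ssl_protocols" and OBSOLETE & set(w[1:])]
        walk(srv, set())
    return out
```

`audit(SAMPLE)` reports both findings; a block that sets `ssl_protocols TLSv1.2 TLSv1.3;` and adds `proxy_set_header X-Forwarded-Proto $scheme;` next to `proxy_pass` comes back clean.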