Habari doesn't support HTTPS natively?

[Neddy]

Hi,

I'd like to install/config Habari to run on HTTPS only, but I've did a research on Habari wiki and found nothing about HTTPS configuration. Surely my habari test page doesn't seem to recognize https fully. Should Habari support HTTPS easily? 

Thanks,

[Chris Meller]

There is nothing you have to configure for Habari to support HTTPS, as long as you have configured the web server running it properly. Just visit the HTTPS version of your site and everything should be fine.

--
--
To post to this group, send email to habari...@googlegroups.com
To unsubscribe from this group, send email to habari-users...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/habari-users
---
You received this message because you are subscribed to the Google Groups "habari-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to habari-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[188...@gmail.com]

Surely I can get web server's running https. But when looking at Habari installer, it doesn't seems to know I'm using https as you tell: http://i.imgur.com/fQUMQV5.png

[Chris Meller]

I've run the installer over HTTPS before, so I don't think that's the problem.

I know in nginx the HTTPS server variable doesn't get set natively in some configurations, so PHP (and therefore Habari) doesn't know that it should generate HTTPS URLs... I've never used ATS, so I have no clue if that could be the problem here or not.

Can you create a new file on your server called test.php and put in it: <?php var_dump($_SERVER); ?>

Load it up over HTTPS and take a screenshot of the output.

[188...@gmail.com]

Apache TrafficServer (ATS) is a SSL terminal, Habari is on httpd server behind it.

[Chris Meller]

That explains it. The issue here is that Habari looks for the $_SERVER['HTTPS'] header that indicates an SSL connection is in use. Since the box Habari runs on *isn't* actually using SSL for the connection, httpd doesn't set the value.

I'm sure there is a way to fake the HTTPS header with mod_headers or one of the other modules, but I don't have any Apache boxes I can easily test it on today.

[188...@gmail.com]

Isn't there any simpler solution? Or isn't nobody using reverse HTTPS proxy here?

I assume if the static files aren't absolute, perhaps there's no problem. It shouldn't care about what's kind of client request, is it HTTP or HTTPS. Or at least Wordpress doesn't have to modify headers to support HTTPS. 

I hope Habari project will look forward for SSL support smoothly.

Sincerely.

[Chris Meller]

I've not looked at the Wordpress code for generating URLs in a very long time, but I don't know how they could possibly automatically know to generate SSL URLs for every request in the setup you have - the requests are *not* coming in as SSL as far as the web server hosting the code is concerned.

I've set up an identical infrastructure before, but I use Nginx rather than Apache, so I can't be much help on the specifics for your implementation. That said, you took the time to set up an SSL concentrator in front of presumably a cluster of individual web servers, so you're definitely a non-standard user. I'm sorry I couldn't provide you the exact line to include in your config, but it does strike me as odd that you'd go through all that effort and then not be willing to spend 10 minutes testing to find the right line to add to your config.

Sorry we didn't live up to your expectations, we'll try to do better in the future.

[spi...@takeit.se]

Since I had the same issues here but with different software stack:
   nginx acting as an SSL terminating proxy, in front of Varnish (http cache) in front of Apache (application server)

The solution is to add the following three lines to the apache config for the SSL subdomain:
        <IfModule mod_env.c>
                SetEnv HTTPS on
        </IfModule>

You might also have to modify a few themes. Wazi for example links fonts on http:// protocols, rather than linking to //fonts.googleapis.com    which would be protocol agnostic.

Hope this helps for future people looking for a solution.
Regards,
  D.S.

[Chris Meller]

Thanks for this. We should probably stick that config somewhere on the wiki (where it will never be heard from again, mwahaha). I’ll create an issue about the Wazi fonts, it should definitely be using protocol agnostic URLs for anything that is hard coded.