Ojs 3 + nginx + https (ssl)

Hi!

We need some advice on setting up HTTPS. Our OJS installation is running behind NGINX.
SSL certificates are on NGINX (listening on port 443), while OJS is running on Apache2 (port 80). What we need is to make OJS pass correct links to its resources (either ‘//’ or ‘https’).
If we enable the appropriate option in the config.inc.php, we get infinite redirects.

The protocol is defined by the $_SERVER['HTTPS'] variable. If it is not ‘OFF’, OJS uses HTTPS and generates correct links. The problem is we cannot change this variable from NGINX. Usually some additional header is used in such cases, like X-HTTPS-Protocol. But OJS does not check such headers.

As a temporary measure, we have inserted $_SERVER['HTTPS'] = 'on' as a first line in the index.php.
But we think there should probably be some option in config.inc.php which would allow OJS to generate correct links AS IF it used HTTPS even if it works through HTTP.

Any advice would be much appreciated!

Hi @Ph_We,

Have you tried force_ssl in config.inc.php? (I’m not sure whether this is the setting that causes infinite redirects.)

Would it be useful to have OJS present protocol-relative URLs (barring the use of another related setting like force_login_ssl)?

(Tagging @ctgraham, as he’s got opinions on reforming OJS’s URL generation behavior.)

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Yes, we get infinite redirects when enabling force_ssl in config.inc.php.

Any kind of protocol detection would not help in our case. The only solution we came upon is to add $_SERVER['HTTPS'] = 'on' as a first line in the index.php.

So if there is no other way, we would rather welcome some option like Behind HTTPS proxy in config.inc.php, which would work in the same manner.

Thank you!
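
A guarded form of the index.php workaround described in the post above, as an added example that is not part of the original thread and is not OJS code. It assumes nginx sets X-Forwarded-Proto itself and reaches Apache from a loopback address; the helper name requestWasHttps and the TRUSTED_PROXIES list are hypothetical.

```php
<?php
// Added example (not OJS code): set $_SERVER['HTTPS'] only when the trusted
// proxy reports that the client connection was HTTPS.
// Assumed nginx side, in the location that proxies to Apache:
//     proxy_set_header X-Forwarded-Proto $scheme;
// Because nginx sets the header itself, a client-supplied value is overwritten.

// Assumption: address(es) from which the nginx proxy connects to Apache.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Decide whether the original client connection was HTTPS.
 * Hypothetical helper; $server is a copy of $_SERVER.
 */
function requestWasHttps(array $server, array $trustedProxies): bool
{
    // Apache terminated TLS itself: nothing to infer.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Believe the forwarding header only when the peer is the proxy;
    // a request that reaches port 80 directly can carry any header value.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

// At the top of index.php, in place of the unconditional assignment:
if (requestWasHttps($_SERVER, TRUSTED_PROXIES)) {
    $_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests, printed only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'via proxy, https' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        'via proxy, http'  => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'http'],
        'direct, spoofed'  => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    ];
    foreach ($samples as $label => $server) {
        printf("%-18s => %s\n", $label, requestWasHttps($server, TRUSTED_PROXIES) ? 'https' : 'http');
    }
}
```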

Well, this guy with two thumbs and opinions on URL generation cringes at how tightly we couple our base_urls to output in internal links. I think internal links ought to reference relative paths whenever possible.

With this particular conversation, I’m reminded of the thread here:
http://forum.pkp.sfu.ca/t/ojs-3-behind-reverse-proxy-how-to-achieve/25055

@Ph_We, if your nginx proxy is only listening on 443, is it possible to have Apache listen only on 443 as well? You can use self-signed certificates to avoid additional cost. This also ensures end-to-end encryption for important things, like your user credentials. I think this would allow you to turn on “force_ssl” in config.inc.php.

Hi @ctgraham,

Thanks for your answer.

Nope, unfortunately that is not possible at the moment((

Hi @ctgraham,

And generally, would you favour protocol-relative links unless something needs to force otherwise (e.g. login via SSL)?

Regards,
Alec Smecher
Public Knowledge Project Team

Aye, but protocol relative links are preempted by generally using relative links.

Dear all!

I have the same setup as described above: Nginx enforcing SSL as a reverse proxy in front of HTTP Apache. Changing getBaseUrl to allow protocol-relative links by default, as described here, fixed all problems.

It seems that you came to the conclusion that this is the better default anyway? Why is it not set in OJS 3.1?

Best,
Patrik Keller