We need some advice on setting up HTTPS. Our OJS installation is running behind NGINX.
SSL certificates are on NGINX (listening on port 443), while OJS is running on Apache2 (port 80). What we need is to make OJS pass correct links to its resources (either ‘//’ or ‘https’).
If we enable the appropriate option in the config.inc.php, we get infinite redirects.
The protocol is defined by the $_SERVER['HTTPS'] variable. If it is not ‘OFF’, OJS uses HTTPS and generates correct links. The problem is we cannot change this variable from NGINX. Usually some additional header is used in such cases, like X-HTTPS-Protocol. But OJS does not check such headers.
As a temporary measure, we have inserted $_SERVER['HTTPS'] = 'on' as a first line in the index.php.
But we think, there should probably be some option in config.inc.php, which would allow OJS to generate correct links AS IF it used HTTPS even if it works through HTTP.
Well, this guy with two thumbs and opinions on URL generation cringes at how tightly we couple our base_urls to output in internal links. I think internal links ought to reference relative paths whenever possible.
With this particular conversation, I’m reminded of the thread here:
@Ph_We, if your nginx proxy is only listening on 443, is it possible to have Apache listen only on 443 as well? You can used self-signed certificates to avoid additional cost. This also ensures end-to-end encryption for important things, link your user credentials. I think this would allow you to turn on “force_ssl” in config.inc.php.
I have the same setup as described above: Nginx enforcing ssl as reverse proxy before http apache. Changing getBaseUrl to allow protocol-relative links per default as described here, fixed all problems.
It seems, that you came to the conclusion that this is the better default anyways? Why is it not set on OJS 3.1?