Problems with Login in OJS behind reverse proxy

cfreire1 · January 29, 2026, 8:59pm

Hi, I’m having problems with Login in and OJS installation which is behind a reverse proxy: I enter my login and password but login fails. My version of OJS is 3.3.0.14. The reverse proxy assures that every site in the domain has https

I’ve changed in file config.inc.php the values base_url, base_url[index], base_url[myJournal] to the public URL and everthing works fine, except for the fact that the pdfs content of my Journal where not rederend: I fix the problem changing the function getUrlBase in the file PKPRequest.inc.php as suggested in the Forum which solved the problem. However I can’t still login in OJS: I put my user and password correctly, but a message of Incorrect user or password is shown

Thank you in advance for any suggestion about how to solve the problem.

Camilo Freire

Sasuke_Chang · January 30, 2026, 8:44pm

You should probably use a .htaccess instead of redirect to https domains with a reverse proxy.

My journals (10+) are published behind a reverse proxy too, but all http request are redirected to https with a .htaccess.

Mybe you need configure a proxy server (the reverse proxy) in config.inc.php too.

marc · February 4, 2026, 11:37am

This post could be of your interest:

github.com/pkp/pkp-lib

Let OJS honor HTTP_X_FORWARDED_PROTO instead of trying to discover it

opened 06:40PM - 10 Mar 21 UTC

marcbria

Housekeeping:1:Todo

**Describe the problem you would like to solve** Over httpS, when you are beh…ind a reverse proxy/loadbalancer or on complex networks architectures OJS have some trouble to discover the right protocol and it could generate some different issues like: - Infinite redirection loops (ERR_TOO_MANY_REDIRECTS) - Mixed content (http & httpS). If httpS in forced in function `getProtcolol()` at "lib/pkp/classes/core/PKPRequest.inc.php" all problems are gone... **Describe the solution you'd like** This is supossed to be fixed with protocol relative URLs (allowProtocolRelative directive) but this is not yet full implemented in OJS... and (according to Alec) "We can't just enable protocol-relative URLs globally because of URLs that are delivered to outside mechanisms, e.g. API interactions, emails, etc." So an alternative (and also to make OJS more flexible) the easiest solution is letting OJS honor the protocol specified at HTTP_X_FORWARDED_PROTO (if exists) instead of keep asking about the protocol to SCRIPT_URI. It could be done here: https://github.com/pkp/pkp-lib/blob/c5f40d7d390d0aedb9a4f9063914652aa6e3dc6c/classes/core/PKPRequest.inc.php#L351 Adding a condition to check if "HTTP_X_FORWARDED_PROTO" exists, and if yes, set the protocol to be whatever you find in the variable. **What I tried?** In my specific case, the problem was a reverse proxy (traefik) converting http petitions to httpS, so I tried with: - base_url with http. - base_url with httpS. - base_url with relative protocol. - setting base_url[index] and/or [myJournal]. - setting base_url to relative protocol. - setting force_ssl to On. All cases except the last one, results in "Mixed content" due JS references. Last one (force_ssl) falls in an "infinite redirection loop" because "OJS sees an HTTP request (not knowing it’s coming from the reverse-proxy) and redirects the browser to the HTTPS location. So the browser makes a new request (using HTTPS as before) to the reverse-proxy resulting in a new HTTP request to the OJS backend which redirects to HTTPS again. And so on and so forth." When protcolo is forced to httpS in getProtocol() ("lib/pkp/classes/core/PKPRequest.inc.php") problems are gone... **Who is asking for this feature?** - System administrators with a complex architecture. - People installing their OJS in some hosting companies. - Docker based architectures... **Additional information** Variations of this same issue are described here: - https://forum.pkp.sfu.ca/t/ojs-3-2-0-ojs-generates-protocol-relative-urls-in-notification-e-mails/59688/16?u=marc - https://forum.pkp.sfu.ca/t/ojs-3-behind-reverse-proxy-how-to-achieve/25055/17 - https://forum.pkp.sfu.ca/t/ojs-https-configuration/6679 - https://forum.pkp.sfu.ca/t/force-ssl-on-leads-to-err-too-many-redirects/45169 - https://forum.pkp.sfu.ca/t/http-https-ssl-cloudflare-ojs-3-1-2-1-this-request-has-been-blocked/54650 And also in the following github issues: - https://github.com/pkp/pkp-lib/issues/1504 - https://github.com/pkp/pkp-lib/issues/5002 - https://github.com/pkp/pkp-lib/issues/7551 Example of mixed content: ![imagen](https://user-images.githubusercontent.com/2779168/110681098-b6d17a00-81d9-11eb-983c-376c1a8eeb93.png)

In short:

Try with this settings:
base_url[index] = https://foo.org/journalContext/index base_url[journalContext] = https://foo.org/journalContext trust_x_forwarded_for = On force_ssl = Off

If fails, be sure your virtualhost or htaccess includes:

Set SetEnvIf X-Forwarded-Proto "https" HTTPS=on.

In worst scenario, you will need to patch getProtocol() function.