CMS with SSL check complain site is insecure when it isn't



  • Some CMS come with an internal SSL check.
    They give me problems with my HaProxy config, complaining the site wasn't secure.

    To a visitor, my sites' URLs are https alright.
    The webservers with the CMS on the backend machines, however, actually use http on port 80.

    That's for instance why Moodle CMS constantly throws messages about how the site is insecure when it actually isn't.

    I'm trying to find a practicable way of solving this via pfsense HaProxy settings, since tinkering with each CMS's config is tiresome.

    Any suggestions welcome.

    What I've tried so far:
    I've adapted the CMS config as follows, but to no avail.

    • $CFG->sslproxy = true;
      --> "Coding error detected, it must be fixed by a programmer: Must use https address in wwwroot when ssl proxy enabled!"
      AND/OR
    • $CFG->reverseproxy = true;
      --> "Reverse proxy enabled, server can not be accessed directly, sorry. Please contact server administrator."

    My HaProxy settings in a nutshell:

    • HaProxy, Acme cert
    • Shared frontend, forwardfor option.
    • Backends use 'Forward to' with Class-C IP + 443.


  • I wonder who can wrap their head around this.. -
    Please check out this site to see what I mean
    (and click into the password field at login)
    https://moodle.12bfree.com

    The backend vm meanwhile has Apache2 listening on port 443.
    No change in behaviour.
    --> The password field still proclaims: "This connection is not secure"

    Any ideas, please?



  • @tn1rpi3 said in CMS with SSL check complain site is insecure when it isn't:

    Any ideas, please?

    I guess, yes.

    My browser (Firefox) complains that "some elements on your login page are not using https".

    A page inspection shows many src="http://moodle.12bfree.com/.... URL used by java scripts ..... that not good at all.
    Something in your CMS isn't setting the correct URL's, it default to http:// or the site is accessed by https://



  • @Gertjan

    @Gertjan said in CMS with SSL check complain site is insecure when it isn't:

    Something in your CMS isn't setting the correct URL's

    The CMS's config.php allows for setting wwwroot-> https://... after install.
    But when I do, the result is a redirect loop and the site turns inaccessible..
    No matter how I look at it, I cannot think of a way to solve this via HaProxy.



  • Never used HAProxy, neither the CMS that you didn't mention, so ... what to say ?

    This is what I would do :
    Install a known working CMS. Like Wordpress (takes 5 minutes ?!).
    That is, never used Wordpress behind a proxy ... don't even know if it would work behind a proxy.

    If it works : it's your CMS.
    If it doesn't : at least you know it's probably HAProxy.

    edit : Google tries to tell me it works : https://wordpress.org/support/topic/access-wp-admin-page-behind-haproxy/ (many references).
    So, test with WP and you'll see.

    It's a 'settings' question - if supported.



  • @Gertjan Yeah, never mind. I'm taking it up with one of the CMS developers.

    Actually, I've used the CMS in question for almost a decade now.
    The problems began when I first used it behind HaProxy after they implemented the SSL-check..

    Anyway, thanx for your input.


Log in to reply