I must be missing something obvious but I cannot install Joomla 3.6.5 on a site with SSL already in place due to mixed content.
I get the following in my browser console:
Mixed Content: The page at 'https://example.com/joomla/installation/index.php' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/joomla/installation/index.php'. This request has been blocked; the content must be served over HTTPS.
XMLHttpRequest cannot load http://example.com/joomla/installation/index.php. Failed to start loading.
Web searches for "Joomla Installation on SSL" and similar all generate pages that assume a search for how to introduce SSL AFTER installation.
Appreciate ideas on how to avoid having to switch off SSL just to install Joomla.
Turns out this is an issue related to SSL Termination using a reverse proxy such as Nginx and that this does not affect Apache given the way Joomla v3.6 is written to operate.
Firstly, a test of Joomla v3.7.x beta from GitHub as of 30 Dec 2016, appears to indicate that this is not an issue with that version. The version can be installed and operated without further intervention.
This was tested with proxy_set_header X-Forwarded-Proto $scheme;, discussed below, already in place but without the need to set live_site variable in configuration.php.
If you try to install on a site already secured with SSL and a strict transport policy etc, the installation will fail due to mixed content. This failure is triggered when you press "Next" after filling in the items for Step 1 of 3 for the installation.
Note that this is a silent failure and you will simply find that there is no response after pressing the "Next" button. The only way to know there has been an error, is to check your js console.
To get around this, you will have to do some hacking:
/Installation/template/js/installation.js,
change baseUrl = _base; to baseUrl =
_base.replace("http://","https://");Remember to clear your browser cache if you had already loaded the installation page before taking this action.
The installation folder is deleted after installation so this one-off hack is trivial.
Key thing is to remember NOT to set the force_ssl parameter in configuration.php or Global Configuration in the Joomla Admin. The default value of '0' doesn't mean use NONSSL as the wording may suggest, but to maintain the protocol used for the current request. See notes in /libraries/joomla/application/route.php.
live_site variable in configuration.php to
https://example.com/path/to/joomla fastcgi_param HTTPS "on"; in the location block
handing php(In order of most to least desirable approach)
live_site variable to
https://example.com/path/to/joomlaIn the location block handing php in Nginx,
proxy_set_header X-Forwarded-Proto $scheme;proxy_set_header X-Forwarded-Port $server_port;proxy_set_header X-Forwarded-HTTPS "on";Note that there are two versions of mod_rpaf around. The older, original version with a "0.6" version tag is most likely to be found after a web search.
While it works perfectly well for forwarding the Real IP from a reverse proxy, it does not do the other things needed here. The newer, independently developed one, forwards the Real IP, Real Port, and, Real Protocol.
Unfortunately, if installing using a package manager, you will almost certainly get the older version. So download from GitHub and install manually
live_site variable to
https://example.com/path/to/joomlaproxy_set_header X-Forwarded-Proto $scheme;SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on
in the relevant htaccess or conf filelive_site variable to
https://example.com/path/to/joomla/libraries/joomla/document/renderer/html/head.php, change $base = $document->getBase(); to $base = str_replace("http://", "https://", $document->getBase());In the location block handing php in Nginx, set proxy_set_header X-Forwarded-Proto $scheme;
This involves editing core Joomla files but as the next expected update is v3.7 where this issue appears resolved with the Nginx proxy_set_header directive in place, an upgrade should not result in any issues