Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Secure pages (https) contain insecure links to Google library, e.g. <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
This is rather critical, because browsers like IE show nasty popup warnings.
Comment | File | Size | Author |
---|---|---|---|
#13 | advagg-https-1072812-13.patch | 975 bytes | mikeytown2 |
Comments
Comment #1
mikeytown2 CreditAttribution: mikeytown2 commentedthought I committed that change... well here to my first git commit.
Running this right now
So it might be a little while before I get the first patch out.
Created instructions for installing git on ubuntu.
http://drupal.org/node/1065850#ubuntu-install
Comment #2
mikeytown2 CreditAttribution: mikeytown2 commentedgrab the latest dev; just checked out the code and the fix is in there.
http://drupalcode.org/project/advagg.git/blob/refs/heads/6.x-1.x:/advagg...
Comment #3
Vacilando CreditAttribution: Vacilando commentedConfirming that the issue is fixed; thanks!
Comment #5
_-. CreditAttribution: _-. commentedreopening to continue the discussion a bit ...
with a different ssl topology -- nginx as ssl-handler @ my server's edge, backed by a varnish (faux) CDN and apache in non-ssl mode -- non-ssl google apis are being used.
my varnish conf includes,
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_set_header HTTPS on;
which does the trick for other modules that need to know we're an SSL site.
looking at advagg source,
...
$schema = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') | ...
...
i _thought_ should be sufficient.
something's still missing.
Comment #6
mikeytown2 CreditAttribution: mikeytown2 commentedI use the same code from the CDN module
http://drupalcode.org/project/cdn.git/blob/refs/heads/6.x-2.x:/cdn.modul...
http://drupalcode.org/project/advagg.git/blob/refs/heads/6.x-1.x:/advagg...
Let me know if you find anything else. Marking this as needs more info.
Comment #7
_-. CreditAttribution: _-. commentedhi.
fyi, i'm NOT using the CDN module. rather, I have Varnish configs splitting requests for css/js/etc to multiple apache backends.
re: "needs more info" ... what specifically can I provide?
Comment #8
mikeytown2 CreditAttribution: mikeytown2 commentedGood step would be a dump of the $_SERVER variable on your server when the page is accessed from a https address. The other bit of info that would be useful is what "other modules" are you using that change behavior when http/https.
Comment #9
_-. CreditAttribution: _-. commentedwith a little digging thru $_SERVER vars, it appears that nginx config of
proxy_set_header HTTPS on;
does NOT set
$_SERVER['HTTP']=on
, but rather, prepends the meta key (for all proxy_set_header vars?) with "HTTP_", so that,
$_SERVER['HTTP_HTTPS']=on
as I thinkg abt it, as the apache server itself is NOT serving https://, HTTPS=on would be, technically, incorrect in this scenario.
in any case, editing in,
advagg_js_cdn/advagg_js_cdn.module
- $schema = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) ? 'https' : 'http';
+ $schema = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO' || (isset($_SERVER['HTTP_HTTPS']) && $_SERVER['HTTP_HTTPS'] == 'on')] == 'https')) ? 'https' : 'http';
results, correctly, in,
script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"
^^^^^
i see no particular reason NOT to simply leave this in as is.
Comment #10
_-. CreditAttribution: _-. commenteda suggestion -
perhaps a preference in advagg, "Additional SSL $_SERVER['x]' vars, set by proxies: [_____________]", or some such, where you'd enter: "HTTP_HTTPS", e.g., in the case of nginx.
that way, no fooling around with trying to cover all possible vars ...
Comment #11
mikeytown2 CreditAttribution: mikeytown2 commentedSo your recommending adding an additional check for the HTTP_HTTPS variable, correct? Having a configurable variable to check would work... you can also do something like this in your settings.php file
I will add the HTTP_HTTPS check in later today.
Comment #12
_-. CreditAttribution: _-. commented> So your recommending adding an additional check for the HTTP_HTTPS variable, correct?
yep. as long as the check for any ONE var is sufficient ...
> Having a configurable variable to check would work...
great.
> you can also do something like this in your settings.php file
> if (isset($_SERVER['HTTP_HTTPS']) && $_SERVER['HTTP_HTTPS'] == 'on') {
> $_SERVER['HTTPS'] = 'on';
sure, but.
that's, then, telling your app (aka, Drupal) that the Apache server is mod_ssl enabled. which is not the case. i could see how that might cause other modules to make some incorrect choices (been awhile, but iirc, SecurePages was made 'unhappy' doing so ...)
in the case of advagg + this nginx-proxy-handling-the-ssl scenario, all one's really saying is: when using *external* libraries, reference the https:// links.
> I will add the HTTP_HTTPS check in later today.
much appreciated.
Comment #13
mikeytown2 CreditAttribution: mikeytown2 commentedcommitted this patch
Comment #15
glennpratt CreditAttribution: glennpratt commentedIf you have a SSL termination at some-point on your trusted network (IE Nginx SSL in front of Apache), then $_SERVER['HTTPS'] = on is entirely appropriate. That should be happening by Apache configs or settings.php catching the header and setting it to on.
Comment #16
pvanerk CreditAttribution: pvanerk commentedHi,
I have installed version 1.5 (in which the patch above is included) but I am still experiencing problems with the
in IE8. In Google Chrome and Firefox I don't have any problems.
When I switched of the advagg module everything is fine. However I need the module, because we have quite a couple of CSS sheets and IE messes up the themes when you have more than 31 css files.
When I open firebug I see the line
in the Script tab.
Any idea what further steps I can take?
With regards,
Comment #17
pvanerk CreditAttribution: pvanerk commentedOk, I had run the update.php after copying the new version. However, there was still some old stuff left behind I think. When I deslect the AdvAgg module, uninstall it in drupal and activate it again, everything was ok.