Mixed content error when using github pages with custom domain - ssl

I'm hosting my git-hub pages website (peps09791.github.io) using a custom domain (https://thebotspeaks.com) with Cloudflare.
To enable HTTPS, I have done the following configurations:
In my _config.yaml file
I have set the URL key accordingly
url: "https://peps0791.github.io"
From my cloudFlare dashboard, I have enabled option of HTTPS rewrites to prevent mixed content error.
I have also enabled Flexible SSL from CloudFlare.
I haven't enabled default HTTPS-redirection because the website breaks over HTTPS. On HTTP, it works fine.
Right now, when I try to access my website using HTTPS, I get mixed content error:
Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure image 'http://thebotspeaks.com/assets/images/bio-photo.jpg'. This content should also be served over HTTPS.
09:54:45.323 (index):1 Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://thebotspeaks.com/assets/css/main.css'. This request has been blocked; the content must be served over HTTPS.
09:54:45.785 (index):1 Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure script 'http://thebotspeaks.com/assets/js/main.min.js'. This request has been blocked; the content must be served over HTTPS.
From console, I can see this:
<script src="https://peps0791.github.io/assets/js/main.min.js"></script>
<link rel="stylesheet" href="https://peps0791.github.io/assets/css/main.css">
How do I resolve this issue?

The problem here is that your assets (i.e. your CSS or JavaScript) are redirecting to the HTTP version of your site. This is because your assets are referencing directly to your GitHub site instead of the Cloudflare-enabled domain.
For example; your HTML references your CSS files at https://peps0791.github.io/assets/css/main.css instead of https://thebotspeaks.com/assets/css/main.css
In order to fix this it looks like you'll need to update your _config.yaml file to have the following URL key:
url: "https://thebotspeaks.com"
More general advice on fixing a variety of Mixed Content issues can be found in the following article on the Cloudflare Knowledge Base: How do I fix the SSL Mixed Content Error Message?

Adding this helped me to deal with the Mixed Content error on GitHub pages on a custom domain secured with enabled HTTPS:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Apparently for me. The website inside CNAME file in Github repo did NOT had https prefix. So I added https://. and it worked.
Cheers
P.S: Fixed this problem after 1 year, can you believe.

Related

How to handle "non-https" (http) sites in https TYPO3 backend

We run a TYPO3 multidomain system and added https support to our TYPO3 domain [typo3domain]. All other domains still run without https support (http only).
https works perfect for [typo3domain].
Redirect of all non https request to TYPO3 backend (lockSSL) works perfect as well. [typo3domain]/typo3 redirects automatically to https://[typo3domain]/typo3
Now our problem:
If a editor [domain1] edits some content on https://[typo3domain]/typo3 and goes to page -> view page then https://[domain1] is called, but this does not work (invalid certificate), because [domain1] is a non ssl domain.
How can i fix this?
You can set the preview domain in the root page TSconfig of the non-https sites, including the protocol:
TCEMAIN.previewDomain = http://domain1
More on this option can be found here: https://docs.typo3.org/typo3cms/TSconfigReference/PageTsconfig/TceMain.html#previewdomain

SSL for relative paths?

I noticed when accessing a site using HTTPS I get errors in the JS console when trying to include CSS or JS files from a relative path such as this:
<link rel="stylesheet" type="text/css" href="css/demo.css?id=14" />
Mixed Content: The page at 'https://mysiste.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://mysiste.com/css/demo.css?id=14'. This request has been blocked; the content must be served over HTTPS.
What's the ideal solution for this scenarios?
Should I just force all the HTTP accesses to be redirected to HTTPS?
Or is there a way to tell the server to serve all relative paths using HTTPS?
Relative links will use the protocol and host from the base URL. The base URL is usually the one which can be seen in the URL bar. But it is possible to change the base URL explicitly using the base tag.
This means if you have a base URL with http as protocol set in your page it will still use http instead of https even though you've accessed the site with https and the reference is relative, i.e. like this:
<base href="http://example.com/">
To fix it either remove the base tag or change it to use https instead of http:
<base href="https://example.com">

Mediawiki can't load CSS if SSL is enabled

There is an http:// hardcoded somewhere in mediawiki codebase, causing these errors. Can't find out, what.
Index:13 Mixed Content: The page at 'https://xy/Index' was loaded over HTTPS, but requested an insecure stylesheet 'http://xy/load.php?debug=false&lang=hu&modules=mediawiki.legacy.co…face%7Cmediawiki.ui.button%7Cskins.vector.styles&only=styles&skin=vector&*'. This request has been blocked; the content must be served over HTTPS.
Index:1 Mixed Content: The page at 'https://xy/Index' was loaded over HTTPS, but requested an insecure script 'http://xy/load.php?debug=false&lang=hu&modules=startup&only=scripts&skin=vector&*'. This request has been blocked; the content must be served over HTTPS.
In your mediawiki folder, there's a file named LocalSettings.php
You need to edit that file and change $wgServer value from http:// to https://

Is it possible to change the base url in mod_pagespeed to use https

We are using Google PageSpeed module running on Apache, it is possible to configure it so that the base url uses https?
It currently outputs the following.
<noscript>
<meta HTTP-EQUIV="refresh" content="0;url='http://example.com/?ModPagespeed=noscript'" />
<style><!--table,div,span,font,p{display:none} --></style>
<div style="display:block">Please click here if you are not redirected within a few seconds.</div>
</noscript>
It should be https://example.com - It there a setting inpagespeed.conf to correct this?
It turns out that the site was running behind a load balancer. All HTTPS requests were forwarded via HTTP. To correct the issue we needed to set
ModPagespeedRespectXForwardedProto on
The documentation for https support explains the process.

Contao CMS error with https - 404 error

Morning
I have a domain, www.example.com, which is a Contao 3.1.3 CMS website on Linux Apache.
I have just purchased and installed SSL certificate for the domain.
When I go to https://www.example.com (or https://example.com) all works fine.
when I try one of the other pages on the domain, http://www.example.com/folder/page.html all is fine, but with https://www.example.com/folder/page.html
, I get an error:
The requested URL /folder/page.html was not found on this server.
This does not happen with pages in the admin area, which all appear fine via https
Console log shows:
Failed to load resource: the server responded with a status of 404 (Not Found)
What is the solution to make all pages appear ok under https
I tried this: https://community.contao.org/de/showthread.php?43595-SSL-und-Contao
but it didn't help
I also checked https://www.sslshopper.com/ssl-checker.htm to see if the error is with the ssl certificate, but no problems found there.
Jez D
Problem cannot be on the SSL. From your explanation I would suggest you play around with disabling folder urls and url rewrite in the settings. Then make sure the page exists. I am sure from here you will be able trace down the problem.
Make sure also in the root page, the 'domain' field is on https if its set.
You can restore your folder and url rewrite settings when all is well
The issue was actually with the directives on the virtual server.