joomla BASE HREF uses HTTP instead of HTTPS

StackOverflow https://stackoverflow.com/questions/19733229

Question

I wanted to change my site from http to https. Always.

So I configured my apache accordingly. Now when I enter the URL of my site (https://steamnet.de) it loads the index site fine but none of the referenced elements (CSS, images etc.)

It seems to me that it does so because the base href is set to http://steamnet.de/ and thous does not use https there. I have configured my firefox that it should not load mixed content.

So how can I tell Joomla to set the base href to https://steamnet.de (or otherwise make the site fully ssl?)

I tried to set the global ssl enforce element of joomla configuration ("SSL erzwingen" in german, $force_ssl in configuration.php) to "everything" but then the site breaks with infinite 303 error redirecting to itself. (As an afterthought: I was surprised to find a 303 instead of 301 here. If someone could explain that I would be grateful)

(Laoneo suggested some solutions, that did not work out, for completeness here is the list)

  1. configure $live_site to the https url.
  2. probe if changing $sef and $sef_rewrite helps.

The apache logs: access.log

91.42.221.000 - - [03/Nov/2013:12:41:25 +0100] "GET / HTTP/1.1" 303 4854 "-" "Mozilla/5.0 (Gecko) Firefox/64"
91.42.221.000 - - [03/Nov/2013:12:41:25 +0100] "GET / HTTP/1.1" 303 516 "-" "Mozilla/5.0 (Gecko) Firefox/64"
91.42.221.000 - - [03/Nov/2013:12:41:25 +0100] "GET / HTTP/1.1" 303 516 "-" "Mozilla/5.0 (Gecko) Firefox/64"

error.log contains nothing on access, but the following lines on reload

[Sun Nov 03 12:41:16 2013] [notice] Graceful restart requested, doing restart
[Sun Nov 03 12:41:16 2013] [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
[Sun Nov 03 12:41:17 2013] [warn] RSA server certificate CommonName (CN) `Angelo Neuschitzer' does NOT match server name!?
[Sun Nov 03 12:41:17 2013] [notice] Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze17 with Suhosin-Patch proxy_html/3.0.1 mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
Was it helpful?

Solution

I'm sorry, but I don't think the current answer is really correct. This answer promotes a hack and goes around the problem. The next time you update Joomla, you'll have to update the core file, because it is going to be overriden.

Actually if we look in the code for JURI in getInstance we can see this:

// Determine if the request was over SSL (HTTPS).
if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off'))
{
        $https = 's://';
}
else
{
        $https = '://';
}

The question is why are there servers where $_SERVER['HTTPS'] is obviously not initialized. Although I can't tell you why, what I found out to work is adding this lines to the .htaccess file at the begining:

<IfModule mod_env.c>
   SetEnv HTTPS on
</IfModule>

By doing this $_SERVER['HTTPS'] seems to be initialised and Juri::current will return what we expect - an url starting with https.

OTHER TIPS

Check your *$live_site* variable in your configuration.php file and change it to your https address.

Attention: This is a hack. Please do test Daniel Dimitrovs answer first. If it works, please leave me a comment here.

I found a work around.

In the file includes/application.php I changed the following block

if($router->getMode() == JROUTER_MODE_SEF) {
   $document->setBase(JURI::current());
}

to:

if($router->getMode() == JROUTER_MODE_SEF) {
   $document->setBase(JURI::root());
}

I don't know why JURI::current() returns an http URL instead of a https but after that change the site works as expected.

CAREFUL: after that change the Administrator part was broken until I disabled force_ssl in configuration.php. I enforce SSL through my apache configuration so that was not a problem for me.

Removing the <base> tag altogether should solve your issues. You can do this in the index.php file of your template like this:

$doc = JFactory::getDocument();
unset($doc->base);

Since this is not a core hack, it will be upgrade-proof. However, if you use a template from a theme store, and choose to upgrade the template in the future, you may have to add the code back.

References:

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top