Hash character in URL breaks SSL


#1

Hi all,

i have an SSL issue with the news app. It seems to be not an github issue. So they told me to ask here.
Any idea what could be wrong with my setup?

Steps to reproduce

  1. Start with a default NC URL and login (URL https://mycloud.mydomain.de/index.php/apps/files/ <-- SSL OK)
  2. Select News App (URL https://mycloud.mydomain.de/index.php/apps/news/ <-- SSL OK)
  3. After loading the news APP the URL changes to: https://mycloud.mydomain.de/index.php/apps/news/#/items <-- SSL broken!

It looks like the hash character in the URL breaks the SSL

The certificate is an let’s encrypt one.

Server configuration detail

Operating system: FreeBSD 10.3-RELEASE-p17 hostBSD 10.3-RELEASE-p17

Webserver: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.2k mod_fcgid/2.3.9 (cgi-fcgi)

Database: mysql 5.6.35

PHP version: 7.0.16
Modules loaded: Core, date, libxml, pcre, Reflection, SPL, hash, session, cgi-fcgi, standard, apcu, calendar, ctype, curl, dom, fileinfo, filter, ftp, gd, gettext, mysqlnd, iconv, intl, imagick, imap, json, mbstring, mcrypt, mysqli, openssl, PDO, posix, SimpleXML, sqlite3, tokenizer, xml, xmlwriter, zip, zlib, pdo_mysql, pdo_sqlite, Phar, soap, xmlreader, xsl, ionCube Loader, Zend OPcache

Nextcloud version: 13.0.1 - 13.0.1.1


#2

Hi,

What do you mean by SSL broken? The URL still starts with HTTPS. Could you please explain in more detail what you mean by that and further more post the web server error.log and also the nextcloud.log (in the data directory)?

Thank you.


#3

Probably mixed content: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

news-content over plain http.


#4

Hi,

i mean the SSL check in the browser is broken (no green lock symbol anymore).
Screenshot_20180328_105542
Screenshot_20180328_105413

I’ve checked the nextcloud.log and error.log there are no new entries when i load the news app. Do you need them nevertheless?


#5

Oh I see. No I don’t need the logs then. In that case @tob1 is right. This might be due to mixed content. Please read the link he posted for further details.

If possible - I don’t use the news app and don’t know it in detail - only use https connections for your news that you are gathering in that app.
So for example instead of http://www.nytimes.com
use
https://www.nytimes.com/


#6

Thank you! That was the problem:

angular-animate.min.js:11 Mixed Content: The page at ‘https://mycloud.mydomain.de/index.php/apps/news/#/items/starred’ was loaded over HTTPS, but requested an insecure image ‘http://www.faz.net/favicon.ico’. This content should also be served over HTTPS.

I guess there is no way to solve this unless the feeds are not available over HTTPS, right?


#7

Right :slight_smile: