X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/e49149987ee74c1120971ed0e77c2796c230544c..2cab8880ad61f9d134b56c5eed952c1a48f4ea8a:/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn?ds=sidebyside diff --git a/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn b/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn index 5f7570dac..02c04900f 100644 --- a/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn +++ b/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn @@ -23,10 +23,31 @@ Response Headers Status: 302 Found Location: http://redacted/phd/blog/38th_Dec/?updated#comment-bd0549eb2464b5ca0544f68e6c32221e +> Your form submission was in fact done successfully. The failing redirection to http is +> when ikiwiki follows up the successful edit by redirecting you from the form submission +> URL to the updated page, which is done by `IkiWiki::redirect`. --[[smcv]] + The CGI is served by lighttpd, but the whole site is front-ended by nginx, which reverse-proxies to lighttpd. ---- I think this might be to do with nginx not rewriting POST URLs when reverse-proxying, but I'm not sure why they would be generated in an HTTP form in any case, except perhaps by lighttpd's CGI handler since the back -end is HTTP. -- [[Users/Jon]] +end is HTTP. A workaround is for nginx to redirect any HTTP URI to the HTTPS equivalent. I initially disabled +that so as to have the path for letsencrypt negotiation not redirected.-- [[Users/Jon]] + +> Do you have the `reverse_proxy` option set to 1? (It affects how ikiwiki generates +> self-referential URLs). +> +> Is the connection between nginx and lighttpd http or https? +> +> I think this is maybe a bug in `IkiWiki::redirect` when used in conjunction with +> `reverse_proxy: 1`: when marked as behind a reverse proxy, +> `IkiWiki::redirect` sent `Location: /phd/foo/bar/`, which your backend web +> server might be misinterpreting. ikiwiki git master now sends +> `Location: https://redacted/phd/foo/bar/` instead: does that resolve this +> for you? +> +> Assuming nginx has a reasonable level of configuration, you can redirect http to https +> for the entire server except `/.well-known/acme-challenge/` as a good way to bootstrap +> ACME negotiation. --[[smcv]]