We run OctoberCMS behind a proxy that performs HTTPS offloading. This means that traffic between the browser and the proxy goes over HTTPS, and between the proxy and our web server over HTTP. Because our server runs over HTTP, theme and media pipes references are generated as http://… However, because the pages are loaded via HTTPS, the browser refuses to load HTTP references (Mixed Content error).
The solution is not to use theme and media pipes, but this is not very practical. Is there a way to tell |theme and |media Twig pipes which protocol to generate for the URI? Or to have a pipes generating only the relative path reference without the domain and the port?
BTW, this error is in the OctoberCMS documentation too. Website address is https://octobercms.com and javascript reference is http://octobercms.com/themes/website/js/menu.js.
If the browser loads the content via https, it will never load the resource over http. The example in the documentation is wrong.
Not sure if October uses Laravel’s logic, but for a Laravel project, you have to configure the TrustProxies middleware to trust your proxy server’s headers.
Once this is configured, Laravel will detect that site is running in a HTTPS context even if the proxy request is sent using HTTP and generate the links accordingly.
Maybe this is worth a shot.
1 Like
I don’t think Latafel should help with URL rewriting for resources. Basically, it should be done by a proxy. My question was whether Twig could do it.
We ended up running our backend servers with TLS/SSL because we couldn’t find any other option. The advantage of our system is that the proxy uses CA-signed certificates, and the connection to the backend servers can run with certificates that we sign ourselves. Of course, we sign them so that we don’t have to change certificates every year, as required by CAs.
Did you ever find a solution to this? We configured trustedProxies middleware as per the Laravel Docs, but it does not seem to work.
October CMS seems to have an own setting. LINK_POLICY. Docs. Not sure why they would re-invent the wheel.
The simplest fix for your proxy setup is to set this in your .env file:
LINK_POLICY=secure
This forces HTTPS on all generated URLs across the application, including |theme and |media. You can read more about it in the docs.
Alternatively, if you want the scheme to be detected automatically from your proxy’s headers, you need to configure Laravel’s TrustProxies middleware so it actually trusts your proxy. By default it trusts no proxy IPs, which means X-Forwarded-Proto: https headers are silently ignored. You can configure this in your bootstrap/app.php:
->withMiddleware(function (Middleware $middleware) {
$middleware->trustProxies(at: '*');
})
Using '*' trusts all proxies, fine if your server isn’t directly exposed to the internet. Otherwise, specify your proxy’s IP address.
LINK_POLICY=secure is the easier option if you know the site will always be served over HTTPS.
