I have a private ikiwiki (3.20170111) which is running on a host that serves HTTP and HTTPS, but ikiwiki is configured for (and only served on) HTTPS:
url: https://redacted/phd/
cgiurl: https://redacted/phd/cgi
However, form submissions from ikiwiki are going to an HTTP URL and thus not being served. Example headers from submitting a comment:
Request URL:https://redacted/phd/cgi
Request Method:POST
Status Code:302 Found
Remote Address:redacted:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
HTTP/1.1 302 Found
Server: nginx/1.10.3
Date: Fri, 08 Dec 2017 11:53:35 GMT
Content-Length: 0
Connection: keep-alive
Status: 302 Found
Location: http://redacted/phd/blog/38th_Dec/?updated#comment-bd0549eb2464b5ca0544f68e6c32221e
Your form submission was in fact done successfully. The failing redirection to http is when ikiwiki follows up the successful edit by redirecting you from the form submission URL to the updated page, which is done by IkiWiki::redirect. --smcv
The CGI is served by lighttpd, but the whole site is front-ended by nginx, which reverse-proxies to lighttpd.
I think this might be to do with nginx not rewriting POST URLs when reverse-proxying, but I'm not sure why they would be generated in an HTTP form in any case, except perhaps by lighttpd's CGI handler since the back end is HTTP. A workaround is for nginx to redirect any HTTP URI to the HTTPS equivalent. I initially disabled that so as to have the path for letsencrypt negotiation not redirected. -- Jon
Do you have the reverse_proxy option set to 1? (It affects how ikiwiki generates self-referential URLs).
Is the connection between nginx and lighttpd http or https?
I think this is maybe a bug in IkiWiki::redirect when used in conjunction with reverse_proxy: 1: when marked as behind a reverse proxy, IkiWiki::redirect sent Location: /phd/foo/bar/, which your backend web server might be misinterpreting. ikiwiki git master now sends Location: https://redacted/phd/foo/bar/ instead: does that resolve this for you?
Assuming nginx has a reasonable level of configuration, you can redirect http to https for the entire server except /.well-known/acme-challenge/ as a good way to bootstrap ACME negotiation. --smcv
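The redirect-everything-except-ACME setup suggested above, written out as an nginx configuration. This is an added example, not configuration posted by either participant. The backend address, webroot and certificate paths are assumptions, and "redacted" stands in for the host name as it does in the thread.

```nginx
# Added example. Assumed values: backend 127.0.0.1:8080, webroot /var/www/acme,
# certificate paths. "redacted" is the thread's stand-in for the host name.

# Port 80: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name redacted;

    # Challenge files must stay reachable over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;            # assumed webroot used by the ACME client
        default_type text/plain;
        try_files $uri =404;
    }

    # Any other HTTP request, including one caused by a stray http:// Location
    # header, is sent to the same URI over HTTPS. The host name is fixed rather
    # than taken from the request, so the Host header cannot steer the redirect.
    location / {
        return 301 https://redacted$request_uri;
    }
}

# Port 443: the wiki itself, reverse-proxied to lighttpd over HTTP.
server {
    listen 443 ssl;
    server_name redacted;
    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    location /phd/ {
        proxy_pass http://127.0.0.1:8080;                 # assumed backend
        proxy_set_header Host $host;
        # Rewrite absolute http:// redirects issued by the backend, so the
        # browser is never pointed at the plain-HTTP site after a POST.
        proxy_redirect http://redacted/ https://redacted/;
    }
}
```

With the port 80 block in place, an http:// Location such as the one in the headers above still ends at the HTTPS page, at the cost of one extra plain-HTTP request that exposes the page path.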