Reverse proxy and mixed content issue

tony-h · July 7, 2019, 8:35am

Greetings! I’m using Nginx as a reverse proxy, which leads to mixed content (some data HTTP and some HTTPS). Chrome complains about this.

Here is an example of an error in Chrome.

Mixed Content: The page at ‘https://edx.REMOVED.com/dashboard’ was loaded over HTTPS, but requested an insecure image ‘http://edx.REMOVED.com/static/images/logo.b6c374d66d57.png’. This content should also be served over HTTPS.

Question: So, how do I correctly configure Tutor to run on HTTPS on the backside or eliminate the mixed-content issue?

I used “tutor local quickstart” to configure the system using a pre-defined config.yml file.

ACTIVATE_HTTPS: true
ANDROID_OAUTH2_SECRET: REMOVED
CMS_HOST: studio.edx.REMOVED.com
CONTACT_EMAIL: edx@REMOVED.com
ID: REMOVED
LANGUAGE_CODE: en
LMS_HOST: edx.REMOVED.com
MYSQL_ROOT_PASSWORD: REMOVED
NGINX_HTTPS_PORT: 10443
NGINX_HTTP_PORT: 10080
OPENEDX_MYSQL_PASSWORD: REMOVED
PLATFORM_NAME: REMOVED
SECRET_KEY: REMOVED
WEB_PROXY: true

Here are the container ports for tutorlocal_nginx_1: 0.0.0.0:10080->80/tcp, 0.0.0.0:10443->443/tcp

I enabled the Nginx site running on the VPS using “$(tutor config printroot)/env/local/proxy/nginx/openedx.conf” per your instructions.

The Problem: openedx.conf proxy_pass is set to HTTP on both port 80 and 443. Container tutorlocal_nginx_1 is serving HTTP data on both ports, 80 and 443.

root@1069a:~# curl --head http://localhost:10080
HTTP/1.1 301 Moved Permanently
Server: nginx/1.13.12
Date: Sun, 07 Jul 2019 07:49:56 GMT
Content-Type: text/html
Content-Length: 186
Connection: keep-alive
Location: https://studio.edx.REMOVED.com/

root@1069a:~# curl --head http://localhost:10443
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 07 Jul 2019 07:50:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 11493
Connection: keep-alive
Vary: Cookie, Accept-Language
X-Frame-Options: DENY
Content-Language: en
Set-Cookie: csrftoken=YzkKbEK43evdNUDdW8dJXNSekQ6QkFHiiBLzKDk7lCgMXSRjF3v06RylcSl28tN7; expires=Sun, 05-Jul-2020 07:50:16 GMT; Max-Age=31449600; Path=/

root@1069a:~# curl --head -k https://localhost:10443
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I tried configuring the reverse proxy AFTER I successfully started Tutor with SSL on the backend without using a proxy. However, I ran into the redirect loop (https site redirect to the same https site) after stopping and starting Tutor with WEB_PROXY: true and enabling openedx.conf. My understanding of the problem is that the webservers (Nginx proxy server and tutorlocal_nginx_1) received the request over HTTPS correctly, but an internal server was still trying to serve HTTP content, which then allows one of the two outer servers to initiate the HTTP 301 request back to HTTPS.

How have others solved this problem of running HTTPS to a proxy and then having edX serve HTTPS URLS to avoid mixed content?

Many thanks.

regis · July 7, 2019, 8:54am

Hi @tony-h! Long time no see

I observe the same behaviour on my server. Strangely enough, the problem only affects the logo image. Is it the same for you?

regis · July 7, 2019, 9:22am

I believe the following commit will solve your problem (it did on my server): https://github.com/overhangio/tutor/commit/c431fb81ffd919388fe76664ac2d9624e5c676ed
I’ll soon make a new release that will include this patch.

tony-h · July 7, 2019, 10:00am

I’ve been working in Moodle…

Thanks for your observations. Yes, it appears to only affect the image on the demo course. I noticed that the studio pages were working correctly. I should have looked at it closer.

I will wait for the update. Thanks for patching the warning!

regis · July 7, 2019, 10:14am

I have zero knowledge of Moodle… how does it compare to Open edX?

tony-h · July 7, 2019, 11:51am

It is an entirely different product that produces a similar result to Open edX, which is to provide web-based content for learning. It is a monolith that tries to offer administrative features for record-keeping and reporting and then academic features consistent with an LMS. It doesn’t do any one thing well but instead focuses on providing a wide range of features to accommodate the users, both academically and administratively. It is built on PHP/MySQL and carries the architecture of the late 90s / early 2000s web-based application. The development community has added some AJAX support, but it still depends heavily on page refreshes to accomplish most tasks, which makes working in it cumbersome. The base architecture makes it hard to move to a modern web-application. Mostly, features are added instead of platform development. The Moodle culture seems slow to adopt new technologies in general. Using it to development course is painful! Exruciatitiung so if you want to do anything beyond adding basic content, such as embedding YouTubes or linking to documents in Google Drive. It ranks very low on my list for accommodating course design methods that are not done in the “Moodle way”. I find it easier to put content on a webpage or to use something like Read-the-docs and then link to it from the course page.

Here is why I use it or might recommend it:

The first plus is that it is a PHP/MySQL based application, so it is easy to install and maintain for institutions who are looking for something easy to install.
Academically, the platform can provide an adequate web-based for learning and can give the students good learning experiences using static content. I think that it works better in a blended format rather than in a fully-online setting.
Thirdly, it has a mobile application that students can download from one of the app stores. Unfortunately, Canvas and Open edX lack this feature when using the community editions. Tutor is making this accessible. Most students in my current context are mobile-first users, so this requirement trumped all of the negatives.
Lastly, instructors can put up “some” web content for their students easily. Linking to external web data and uploading course documents isn’t hard. It gets someone going who has not used an LMS.

In other words, I am looking at the tool from a student-centered approach to provide them with an online learning experience that they might not have otherwise.

I hope this gives you a small feel for it. Consider yourself fortunately for not having to develop course content in it.

I think that I will use both platforms this year to leverage the video capabilities of Open edX. I work with students who study in English, which is not their native language. So, having the running transcript with the videos can assist them in understanding the content.

regis · July 7, 2019, 11:54am

This is a very comprehensive review, thanks a bunch!