Flarum server access ('Oops! Something went wrong') issue (http vs https)

jonos

I have a newly installed Flarum server. The server is installed on a web-hosting site, thus contacted via https. The server - as such - seems to be running fine.

My problem is that some users have access problems from time to time, where they either cannot log in at all, or
they appear to be logged in in a kind of half-way (but not able to access any internal data).

I am trying to fully comprehend why this happens (when it happens), therefore this request.

I do understand that different browsers might prefer http or https differently as first request when trying to access, say
myserver.mysite.com
If the user fully writes
https://myserver.mysite.com
then there is no ambiguity, of course.
However, if the browser (silently) attempts http://myserver.mysite.com when the user just writes myserver.mysite.com
then the user will usually get
Oops! Something went wrong during a cross-origin request.
Writing the full URL with the https protocol field will remedy this.

Now, I know that the server side will redirect a http://myserver.mysite.com request to https if set up to do so.
However, the problem - as far as I can understand - is the url entry in the config.php server configuration file
'url' => 'https://myserver.mysite.com'

Apparently the Flarum server spots the inconsistency between 'https://myserver.mysite.com' in the config.php file
and the user having (unknowingly) sent http://myserver.mysite.com when the protocol field is omitted.

My question the therefore, how can one avoid this problem from occurring, why should the user really have to
"force" the browser to use https? The user should really one care about writing
myserver.mysite.com
I would believe?

I realize that my 'real' problem might be my own lack of understanding something, in which can I only apologize.
I would really like to hear how others are addressing this issue, as I cannot believe I am the only one to experience this.

luceos

jonos you will need to redirect from http to https on the server, the server can make this happen before the user hits the actual website. Right now you seem to try to serve the website with both http and https. I don't know what webserver you use or how it is configured, but the webserver can and should be set up to redirect.

jonos

Thanks for your reply.

While initially testing out my Flarum server concept I was running the system locally on a Raspberry Pi. There everything was easy to set up, control and analyze.

I have since moved the server to a (paid) hosted server site. There - unfortunately - I have much less control when it
comes to lower-level functionality such as protocol redirection (at least this is my feeling at the moment).

This I why I assume (I cannot observe it direcly) that the request arriving at the Flarum server is still http, when the mentioned problem occurs.

Is there any way I can use Flarum internal test functionality to directly observe a request (to test whether the server properly redirects or not)?

So yes, I am probably trying to serve both http and https. I am now trying to verify that this is the problem occurring. How to most easily see IF this is the problem (from the Flarum level)?

luceos

jonos I think this might be an easier solution for you: https://extiverse.com/extension/migratetoflarum/canonical

jonos

Thanks so much again.

I previously had attempted to redirect to https by doing so in the .htaccess file, but could not - for some reason - get that to work.

Anyway, I now installed the mentioned 'canonical' extension such:

composer require migratetoflarum/canonical

and enabled this as the admin. Then, I enabled the extension mode to temporary redirect (just to test), found that to work and then set it to permanent redirect (production mode).

As far as I can see it all works, and I am not able any more to force any errors to show up.

I am now curious to see if any users will still observe any problems...

treyb

jonos I'm curious which redirect you used in .htaccess for it not to work. I used the below and it seems to work without any issues. Also, it could be a hosting problem.

RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE] Header always set Content-Security-Policy "upgrade-insecure-requests;"