running foswiki as virtualHost over ssl

I have installed the foswiki package version 1.1.5 on debian squeeze via "deb http://fosiki.com/Foswiki_debian/ stable main contrib". I'm now trying to setup foswiki to run over https. As the webserver is already serving other pages as virtual hosts, I have surrounded /etc/apache2/conf.d/foswiki.conf with the following lines:

<virtualHost *:443>
Servername my.domain.name
...original config file content...
</virtualHost>

With this configuration, I can open https://my.domain.name/foswiki/bin/configure, so I figure I can't be completely wrong. It renders correctly, and I can access subpages. I have set {DefaultUrlHost} to "https://my.domain.name", {PermittedRedirectHostUrls} only allows https as well.

I can also open https://my.domain.name/foswiki/bin/view, but the page does not render correctly, as it tries to load its resources using incorrect urls, e.g. "<base href=" !http://my.domain.name/foswiki/bin/view/Main/WebHome" />". Interestingly loading ressources specified using relative URLs fails as well, as it again tries to load it via http instead of https (e.g. "@import url('/foswiki/pub/System/PatternSkinTheme/layout.css');" translates to "!http://my.domain.name/foswiki/pub/System/PatternSkinTheme/layout.css" [as reported by firebug]).

Accessing content under https://my.domain.name/foswiki/pub would not be a problem if the correct path would be specified, I tried accessing https://my.domain.name/foswiki/pub/System/BeginnersStartHere/BT_logo.gif from my browser as a test, which worked.

{PubUrlPath} is set to /foswiki/pub, testing the link "My "pub" directory" (https://my.domain.name/foswik/fi/pub) gives me a permanent redirect [301] to http://my.domain.name/foswiki/pub/, which results in an error since apache is not running on port 80 on the server. Where is that redirect coming from? Why is foswiki generating only http links (except in foswiki/bin/configure)?

-- MartinGerdes - 07 Dec 2012

Interestingly, calling "!https://my.domain.name/foswiki/pub/" (added slash at the end) does not give me a redirect, but a "Attachment '?' does not exist" page.

-- MartinGerdes - 07 Dec 2012

Warnings from the configure gui (there are no errors):

• Warning: You are using a version of $CGI that is known to have issues with Foswiki. CGI should be upgraded to a version > 3.11, avoiding 3.37, 3.43, and 3.47.
  (I have no idea what it is referring to. Only matching package is libcgi-session-perl, which is installed in version 4.41-1)
• Warning: Crypt::Eksblowfish::Bcrypt: Not installed. Required to use or autodetect: bcrypt encoding.
• Warning: Chili highlighter plugin is known to corrupt displayed text on Firefox 7 and Safari Rev. 6-17-2011.

-- MartinGerdes - 07 Dec 2012

Presumably an error in your apache config, i.e. in the viewfile redirect section. It would help to see all of the foswiki config in your apache.

-- MichaelDaum - 07 Dec 2012

output from cat /etc/apache2/conf.d/foswiki.conf | egrep -v '^\s*(#|$)':

<virtualHost *:443>
        Servername my.domain.name
RedirectMatch ^/cgi-bin/foswiki/(.*)$ /foswiki/bin/$1
RedirectMatch ^/foswiki/?$ /foswiki/bin/view$1
RedirectMatch ^/foswiki(/([A-Z].*)?)?$ /foswiki/bin/view$1
ScriptAlias /foswiki/bin "/var/lib/foswiki/bin"
Alias /foswiki/pub "/var/lib/foswiki/pub"
SetEnvIf Request_URI "foswiki/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
SetEnvIf Request_URI "foswiki/pub/System/.*\.[hH][tT][mM][lL]?$" !blockAccess
<Directory "/var/lib/foswiki/bin">
    AllowOverride all
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess
    Options ExecCGI FollowSymLinks
    SetHandler cgi-script
    AuthUserFile /var/lib/foswiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic
    ErrorDocument 401 /foswiki/bin/view/System/UserRegistration
<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Require user admin
</FilesMatch>
</Directory>
<Directory "/var/lib/foswiki/pub">
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
    ErrorDocument 404 /foswiki/bin/viewfile
</Directory>
<Directory "/var/lib/foswiki/pub/Trash">
        deny from all
</Directory>
<Directory "/var/lib/foswiki/data">
    deny from all
</Directory>
<Directory "/var/lib/foswiki/templates">
    deny from all
</Directory>
<Directory "/var/lib/foswiki/lib">
    deny from all
</Directory>
<Directory "/var/lib/foswiki/locale">
    deny from all
</Directory>
<Directory "/var/lib/foswiki/tools">
    deny from all
</Directory>
<Directory "/var/lib/foswiki/working">
    deny from all
</Directory>
</virtualHost>

-- MartinGerdes - 07 Dec 2012

the file is completely standard as generated by the debian package, except for the first two, and the last line (as I indicated in the original question).I've tried to compare it to the output of http://foswiki.org/Support.ApacheConfigGenerator, but don't see any (to me) obvious errors. Apart from that I've got apache conf snippets charset,gitweb,localized-error-pages,other-vhosts-access-log and security, non of which should influence redirect.

The relevant parts of /etc/apache2/apache2.conf:

# default virtual hosts: return 404
<virtualHost *:443>
        Servername doesNotExist
        #these ssl options will be used by all virtual hosts on port 443
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/my.domain.name-cert.pem
        SSLCertificateKeyFile /etc/apache2/ssl/my.domain.name-server-key.pem

        Redirect 404 /
</virtualHost>
<virtualHost *:80>
        Servername doesNotExist
        Redirect 404 /
</virtualHost>

NameVirtualHost *:80
NameVirtualHost *:443

-- MartinGerdes - 07 Dec 2012

The <base is being generated incorrectly if it still points to http:// That seems to be the cause of your pain. I thought that the <base was generated from the DefaultUrlHost .... checking...

In 1.1.5, I find it in two places:

templates/foswiki.pattern.tmpl:<base href="%SCRIPTURL{%SCRIPTNAME%}%/%WEB%/%TOPIC%" /><!--[if IE]></base><![endif]-->
templates/foswiki.tmpl:    <base href="%SCRIPTURL{%SCRIPTNAME%}%/%WEB%/%TOPIC%" /><!--[if IE]></base><![endif]-->

Could you expand the %SCRIPTURL tag to see what it's generating. Oh... Also check your LocalSite.cfg for the $Foswiki::cfg{ScriptUrlPaths}{view} setting. It overrides the default URL.

-- GeorgeClark - 07 Dec 2012

Looking at the quellcode of https://my.domain.name/foswiki/bin/view, the line in foswiki.tmpl (which is identical to the one you posted) expands to

<base href="http://my.domain.name/foswiki/bin/view/Main/WebHome" /><!--[if IE]></base><![endif]-->

which means that % SCRIPTURL{% SCRIPTNAME%}% is expanding to http://my.domain.name/foswiki/bin/view, which means the SCRIPTURL tag is generated wrong.

from /etc/foswiki/LocalSite.cfg:

$Foswiki::cfg{DefaultUrlHost} = 'https://my.domain.name';
$Foswiki::cfg{PermittedRedirectHostUrls} = 'https://localhost;https://127.0.0.1';
...
$Foswiki::cfg{ScriptUrlPaths}{view} = '$Foswiki::cfg{ScriptUrlPath}/view$Foswiki::cfg{ScriptSuffix}';

-- MartinGerdes - 10 Dec 2012

I don't pretend to understand it, but I found the solution anyway: changing the Servername line in the virtualHost block in the apache configuration to

Servername https://my.domain.name

makes it work!

-- MartinGerdes - 18 Dec 2012

I am struggeling with the same problem. But I am sitting behind a reverse-proxy and not an apache server. I have no impact to configure that reverse-proxy. Why does foswiki have to set base href at all? Relative URLs are simple and just work. Why rewriting them to absolute URLs?

I tried to configure ScriptUrlPath or ScriptUrlPaths to the https URL but that does not influence the base href.

IMHO this is still a bug in FosWiki.

-- JoergHohwiller - 10 Nov 2015

In Foswiki 2.0, there is a setting to force use of the defaultUrlHost:

• General settings > Web URLs and Paths > {ForceDefaultUrlHost}

-- GeorgeClark - 10 Nov 2015

Thanks George for the hint. Works like a charm! You saved my day! Thanks!

-- JoergHohwiller - 20 Nov 2015

Sorry to say so but it does not work:

• After login and logout I still get redirected to http and wrong port instead of default host url
• If I set {ForceDefaultUrlHost} the FosWiki can only be used via reverse proxy anymore as direct access also always directs to {ForceDefaultUrlHost}.
• IMHO a simple fix is possible if you just omit base href and/or use URLs without scheme, host and port (//foswiki/...).
• As we are not using an Apache or NGix as Reverse-Proxy we currently have no workaround and FosWiki can not be used behind our Reverse-Proxy.

Any help or workaround would be highly appreciated.

-- JoergHohwiller - 18 Jan 2016

Please try the following patch. That changes the "base" URL for the web pages to relative link. I'm a bit reluctant merge this into the release though without more discussion.

Note that this patch is against a developers checkout. The change in a released foswiki would be to templates/foswiki.tmpl and templates/foswiki.pattern.tmpl. There may be other places where we use SCRIPTURL where they should be SCRIPTURLPATH.

diff --git a/PatternSkin/templates/foswiki.pattern.tmpl b/PatternSkin/templates/foswiki.pattern.tmpl
index c3d6384..07f4ae2 100644
--- a/PatternSkin/templates/foswiki.pattern.tmpl
+++ b/PatternSkin/templates/foswiki.pattern.tmpl
@@ -53,7 +53,7 @@
 <meta name="TEXT_NUM_TOPICS" content="%MAKETEXT{"Number of topics:"}%" />
 <meta name="TEXT_MODIFY_SEARCH" content="%MAKETEXT{"Modify search"}%" />
 <meta name="robots" content="noindex" />%HTTP_EQUIV_ON_VIEW%
-<base href="%SCRIPTURL{%SCRIPTNAME%}%/%WEB%/%TOPIC%" /><!--[if IE]></base><![endif]-->%TMPL:END%
+<base href="%SCRIPTURLPATH{%SCRIPTNAME%}%/%WEB%/%TOPIC%" /><!--[if IE]></base><![endif]-->%TMPL:END%
 
 %TMPL:DEF{"head:script"}%%TMPL:P{"LIBJS" id="JavascriptFiles/foswikiString" requires="JQUERYPLUGIN::FOSWIKI"}%%TMPL:P{"LIBJS" id="JavascriptFiles/foswikiPref" requires="JavascriptFiles/foswikiString"}%%TMPL:P{"LIBJS" id="JavascriptFiles/foswikiForm" requires="JavascriptFiles/foswikiString"}%%TMPL:P{"LIBJS" id="PatternSkin/pattern" requires="JavascriptFiles/foswikiPref,JavascriptFiles/foswikiForm"}%%TMPL:END%
 
diff --git a/core/templates/foswiki.tmpl b/core/templates/foswiki.tmpl
index 9f4264b..c677909 100644
--- a/core/templates/foswiki.tmpl
+++ b/core/templates/foswiki.tmpl
@@ -55,7 +55,7 @@ but may be used in derived templates.
 <link rel="icon" href="%FAVICON%" type="image/x-icon" /> <link rel="shortcut icon" href="%FAVICON%" type="image/x-icon" />
 <link rel="alternate" href="%SCRIPTURL{edit}%/%BASEWEB%/%BASETOPIC%?t=%GMTIME{"$epoch"}%" type="application/x-wiki" title="edit %BASETOPIC%" />
 <meta name="description" content="%TOPIC%" />
-    <base href="%SCRIPTURL{%SCRIPTNAME%}%/%WEB%/%TOPIC%" /><!--[if IE]></base><![endif]-->
+    <base href="%SCRIPTURLPATH{%SCRIPTNAME%}%/%WEB%/%TOPIC%" /><!--[if IE]></base><![endif]-->
 %TMPL:P{"script"}%
 %TMPL:P{"defaultstyle"}%
 </head>%TMPL:END%%{

-- GeorgeClark - 18 Jan 2016

Note, I've filed UseRelativeLinksByDefault as a proposal for Foswiki 2.2.

-- GeorgeClark - 18 Jan 2016

Commenting is disabled while not logged in