Client Portal SSL Issues (v5)

Self-Hosted | v5
#1

Hi - I’ve been using v4 self hosted for a few years and just moved to v5. I started from scratch and am using the docker build.

I’m have an issue with the client portal. The main site works fine, but when I try to view the client portal (or view invoices from the links in emails) I get a bunch of security alerts about mixed connections. This is in both FF and Chrome. For some reason InvoiceNinja seems to be requesting certain resources via HTTP, even when explicitly loading the HTTPS version of the page. FF and Chrome both block these requests and throw up a warning to the user.

MixedRequestsBlocked
MixedRequestsBlocked1410×1002 79.5 KB

I have my Nginx config set up to forward all http (port 80) connections via 301 to https (443), but am otherwise using the default configs. I have REQUIRE_HTTPS = true in my ENV.

Any ideas? Bug or a config issue on my end?

#2

@david do you have any thoughts?

#3

TRUSTED_PROXIES=* in your env file should fix this.

#4

Thanks for the help, but that didn’t work. I tried adding TRUSTED_PROXIES=* to the env file and then running artisan optimize. I also made sure the the APP_URL was set to the https URL, but still having issues.

After finding some other related threads I tried adding fastcgi_params https 1 to the nginx config file, but that also did not help.

I ended up reverting back to the mostly vanilla config from the docker repo, with REQUIRE_HTTPS=false. In this config I can load the https version of the site manually, however the company logo always loads insecurely. See below image. Not sure if this points to some kind of config error, but I’m not sure what else to try.

main_page_logo
main_page_logo1421×357 39.1 KB

#5

I’m seeing this as well. If I navigate to the client portal over http, the site works fine, but if I use https, the styles don’t load and it’s left justified and kind of a mess.

Any suggestions would be appreciated.

Thanks!
–Chris

#6

Went digging. I found that the .env file had APP_URL starting with http. I changed that to https, but then had to remove the bootstrap/cache/config.php file so it would regenerate.

Now it seems to be happier.

#7

Glad to hear it’s working!

FYI… it’s best to run php artisan optimize after changing the .env file to update the cache.

#8

Still new to the artisan commands, but that one rings a bell. :slight_smile:

Thanks!

#9

I’m seeing lots of errors about this as well. I do have an HTTPS URL set as the APP_URL value in .env and I have run php artisan optimize; the value in .env is identical to the value in bootstrap/cache/config.php. However, I still have a lot of resources being loaded over HTTP.

My setup looks like this. Caddy is a webserver and the container tech is LXD but the networking is kind of similar to Docker. Caddy on the host is proxying Caddy in the container which serves InvoiceNinja through php-fpm.

diagram_optimised
diagram_optimised1000×1000 55.2 KB

I’ve tried

  • SESSION_ENCRYPT=true
  • SESSION_SECURE=true
  • REQUIRE_HTTPS=true
  • TRUSTED_PROXIES="*"

Along with both of these and none of the rest per a GitHub comment somewhere.

  • REQUIRE_HTTPS=false
  • TRUSTED_PROXIES="*"

Nothing has had any effect whatsoever. Aside from hardcoding https:// into the source code, I’m at a loss for how to proceed. Any help would be greatly appreciated.