CRITICAL SECURITY VERSION UPDATE:
https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.13

Assets re-direct to https

bjohnsonbjohnson
edited March 2013 in Installation
I am having an issue where cached pages seem to be served with image assets pointing to https rather than http. Since I do not have a signed certificate, this causes images not to display at all to users that are not logged in. Clearing the cache temporarily fixes the issue, but it always seems to re-appear.

Any thoughts about what might be going on?

Comments

  • adminadmin
    edited 9:45PM
    Are you using img_path() or site_url() to insert images? FUEL has added a second parameter to the site_url() function to force it to https if set to TRUE.
  • bjohnsonbjohnson
    edited 9:45PM
    I am using img_path() with only a single parameter.
  • adminadmin
    edited 9:45PM
    Are absolute paths being rendering for the images? If so, that can be configured in the fuel/application/config/asset.php config file.
  • bjohnsonbjohnson
    edited March 2013
    'assets_absolute_path' is set to false.

    I will note that I do not have this problem on my staging server, just on production. The FUEL files are the same in the two environments. So, I suspect it is really a problem with FUEL interacting with the PHP/Apache config on the production server.

    The source that FUEL outputs really is <img ... src="/assets/images/foo.png">. So I am a bit mystified why this is interpreted as an HTTPS reference. The links to stylesheets have the same structure but are interpreted correctly.
  • adminadmin
    edited 9:45PM
    Is there something in your .htaccess file on that server? Try just creating a static HTML file with the same contents outside of FUEL and see what the result is.
  • bjohnsonbjohnson
    edited 9:45PM
    I have the standard FUEL .htaccess file.

    It seems that the reason relative links are interpreted as HTTPS links is because the page header defines a BASE element with https in the URI.
  • adminadmin
    edited 9:45PM
    Ahh... that explains it. Just remove that base href.
  • bjohnsonbjohnson
    edited 9:45PM
    That fixed it, thanks.

    I'm curious about how that goes bad, though. The <base> element read:
    <base href="<?php echo site_url()?>" />

    Was the header block being saved in the cache with an https site_url() and then served up?
  • adminadmin
    edited 9:45PM
    Possibly. If the page is created in the CMS, and someone hits it from https, it will cache it with that site_url() value.
Sign In or Register to comment.