Ticket #2128 (closed defect: invalid)
Use either no encryption (https) or no encryption
Reported by: | jcp | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | module:blog | Version: | 2.8 |
Severity: | normal | Keywords: | https |
Cc: |
Description
I think it's common to have a server which uses a self-signed certificate. Thus, SSL/TLS usage might not be mandatory for the client. So we can't set the default dotclear blog url to 'https://...'.
Actual browsers try to automatically detect the availability of SSL/TLS for the current url. So if one client has accepted the self-signed certificate, browsers might use the 'https://...' url instead of the 'http://...' one.
Since dotclear still produces non-https urls (because of the default url), browsers like Firefox block those urls with a 'non-secure mixed content' message. So if the blog uses JS plugins, they will be blocked.
I have attached a patch that changes the default url depending on whether the client uses HTTPS or not. It seems to work for me, but since I don't know the implications of such a modification, it might produce bugs.
Attachments
Change History
comment:1 Changed 10 years ago by jcp
Wow, I've made a mistake in the title.
The good one is : Use either encryption (https) or no encryption
comment:2 Changed 10 years ago by franck
I think that you should try to remove the http: or https: from the Blog URL (blog settings). This should allow the two URL schemes (with or without SSL).
comment:3 follow-up: ↓ 6 Changed 10 years ago by jcp
I've already tried this, but this produces wrong links: https://myblog.fr/myblog.fr/index.php?...
But if I set the Blog URL to only 'index.php?', it works :)
So my question is, is it the expected behavior ? If I remember well, during the install process, the user is required to set the full web-site url.
comment:4 Changed 10 years ago by franck
I'm missing some information to give you a correct answer, as it may depend on your specific configuration (apache), .htaccess directives if any, …
Could you give us details about your installation?
comment:5 Changed 10 years ago by jcp
Sure.
There is no .htaccess. Apache is configured as follows: one virtual-host that listens on :80 and one other that listens on :443. There is one url rewriting rule for the admin area (when SSL is not used).

```apache
<VirtualHost *:80>
    ServerName myblog.fr
    DocumentRoot /DATA/www/blog/
    <Directory /DATA/www/blog/>
        Require all granted
        AllowOverride All
        Options -Indexes
    </Directory>
    <Directory /DATA/www/blog/admin/>
        Require all granted
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*)$ https://myblog.fr/%{REQUEST_URI}
    </Directory>
    ErrorLog /var/log/apache2/blog_error.log
    CustomLog /var/log/apache2/blog_access.log combined
</VirtualHost>
<VirtualHost *:443>
    ServerName myblog.fr
    DocumentRoot /DATA/www/blog/
    SSLEngine on
    SSLCertificateFile /DATA/...crt
    SSLCertificateKeyFile /DATA/....key
    SSLCertificateChainFile /DATA/.../ca.crt
    # Global SSL Configuration (SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder, SSLCompression)
    Include /DATA/.../SSL_vHost_default_config.conf
    <Directory /DATA/www/blog/>
        Require all granted
        AllowOverride All
        Options -Indexes
    </Directory>
    ErrorLog /var/log/apache2/blog_error.log
    CustomLog /var/log/apache2/blog_access.log combined
</VirtualHost>
```
comment:6 in reply to: ↑ 3 Changed 10 years ago by franck
Replying to jcp:
I've already tried this, but this produces wrong links: https://myblog.fr/myblog.fr/index.php?...
But if I set the Blog URL to only 'index.php?', it works :)
So my question is, is it the expected behavior ? If I remember well, during the install process, the user is required to set the full web-site url.
It seems a bit strange, normally
//myblog.fr/index.php?
should work in all cases. I tested it on my local installation for public access to http://myblog.fr/index.php? and https://myblog.fr/index.php?.
comment:7 follow-up: ↓ 8 Changed 10 years ago by jcp
Ok...that's my fault. I forgot the '//'.
It works now. Thank you for the support ! And sorry for the wrong bug report.
comment:8 in reply to: ↑ 7 Changed 10 years ago by franck
- Status changed from new to closed
- Resolution set to invalid
- Milestone A definir deleted
Replying to jcp:
Ok...that's my fault. I forgot the '//'.
It works now. Thank you for the support ! And sorry for the wrong bug report.
\o/
And don't worry about the "wrong" bug report ;-)
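
The URL resolution behind this thread, as an added example that is not part of the ticket or of Dotclear's code: it resolves each Blog URL form mentioned above against an HTTP and an HTTPS page using the standard WHATWG URL parser. The helper names `resolveBlogUrl` and `audit` are hypothetical, the sample page URLs are constructed from the ticket's host name, and the mixed-content check is simplified to "http: resource on an https: page".

```javascript
// Added example (not Dotclear code): resolve each Blog URL form from the
// ticket the way a browser does, using the built-in WHATWG URL parser.

// Constructed sample pages: the same blog served by the :80 and :443 vhosts.
const PAGES = ["http://myblog.fr/index.php?", "https://myblog.fr/index.php?"];

// Blog URL settings that appear in the ticket.
const SETTINGS = [
  "http://myblog.fr/index.php?", // absolute default: pins the scheme
  "myblog.fr/index.php?",        // scheme removed, "//" forgotten
  "//myblog.fr/index.php?",      // scheme-relative form from comment 6
  "index.php?",                  // path-relative form from comment 3
];

// Hypothetical helper: resolve one setting against the page that embeds it.
function resolveBlogUrl(setting, pageUrl) {
  const page = new URL(pageUrl);
  const resolved = new URL(setting, page);
  return {
    setting,
    page: page.protocol,
    href: resolved.href,
    // Simplified check: an http: resource referenced from an https: page.
    mixedContent: page.protocol === "https:" && resolved.protocol === "http:",
    // Without "//" the host name is parsed as a path segment.
    hostAsPath: resolved.pathname.startsWith(`/${page.hostname}/`),
  };
}

// Hypothetical helper: every setting against every page.
function audit() {
  return PAGES.flatMap((p) => SETTINGS.map((s) => resolveBlogUrl(s, p)));
}

for (const r of audit()) {
  const flags = [r.mixedContent && "MIXED CONTENT", r.hostAsPath && "HOST AS PATH"]
    .filter(Boolean).join(", ") || "ok";
  console.log(`${r.page.padEnd(6)} ${r.setting.padEnd(28)} -> ${r.href}  [${flags}]`);
}
```

Only the scheme-relative and path-relative settings come out clean on both virtual hosts; the absolute `http://` setting is the one that triggers the mixed-content block on the HTTPS page.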