Mixed content error in using SSL with Gunicorn/Django/Nginx application

Question

I'm trying to configure HTTPS for an instance of Superdesk, which is using Gunicorn and Nginx for routing. I have a certificate installed and (I think) working on the server. Pointing a browser to the application however gives "Blocked loading mixed active content “http://localhost/api" on Firefox and "WebSocket connection to 'ws://localhost/ws' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED" on Chrome. The documentation for this application is close to non-existent and I've spent countless hours now trying to get this to work. I filed an issue with the developer on GitHub, but I didn't have much luck with the answer. Here's my Nginx configuration:

server {
    listen 80;
    listen 443 ssl;

    server_name my_server_name;
    ssl on;
    ssl_certificate /path/to/my/cert.pem;
    ssl_certificate_key /path/to/my/key/key.pem;

    location /ws {
        proxy_pass http://localhost:5100;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 3600;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
     }  
    location /api {
        proxy_pass http://localhost:5000;
        proxy_set_header Host localhost;
        expires epoch;

        sub_filter_once off;
        sub_filter_types application/json;
        sub_filter 'http://localhost' 'http://$host';
    }  
    location /contentapi {
        proxy_pass http://localhost:5400;
        proxy_set_header Host localhost;
        expires epoch;
    }  
    location /.well-known {
        root /var/tmp;
    }
    location / {
        root /opt/superdesk/client/dist;

        # TODO: use "config.js:server" for user installations
        sub_filter_once off;
        sub_filter_types application/javascript;
        sub_filter 'http://localhost' 'http://$host';
        sub_filter 'ws://localhost/ws' 'ws://$host/ws';
    }
    location /mail {
        alias /var/log/superdesk/mail/;
        default_type text/plain;
        autoindex on;
        autoindex_exact_size off;
    }
}

This is the first time I've worked with nginx/gunicorn/django app and I'm completely lost. Would anyone be able to point me in the right direction?

Answer 1

For anyone trying to set up Superdesk and having the same issue, I finally figured out the correct configuration.

First, here's the Nginx configuration I have to handle HTTPS requests and redirect HTTP requests to HTTPS:

server {
    listen                      443 ssl http2;
    listen                      [::]:443 ssl http2;
    server_name                 my.domain.com;

    ssl on;
    ssl_certificate             /path/to/my/cert.pem;
    ssl_certificate_key         /path/to/my/key.pem;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    location /ws {
    proxy_pass http://localhost:5100;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_read_timeout 3600;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}

location /api {
    proxy_pass http://localhost:5000;
    proxy_set_header Host my.domain.com;
    expires epoch;

    sub_filter_once off;
    sub_filter_types application/json;
    sub_filter 'http://localhost' 'https://$host';
}

location /contentapi {
    proxy_pass http://localhost:5400;
    proxy_set_header Host my.domain.com;
    expires epoch;
}

location /.well-known {
    root /var/tmp;
}
location / {
    root /opt/superdesk/client/dist;

    # TODO: use "config.js:server" for user installations
    sub_filter_once off;
    sub_filter_types application/javascript;
    sub_filter 'http://localhost' 'https://$host';
    sub_filter 'ws://localhost/ws' 'wss://$host/ws';
}
location /mail {
    alias /var/log/superdesk/mail/;
    default_type text/plain;
    autoindex on;
    autoindex_exact_size off;
}

}

server {
    listen                      80;
    listen                      [::]:80;
    server_name                 my.domain.com;
    return                      301 https://$host$request_uri;
}

What I was missing in the configuration:

The proxy_set_header field had to be set to proxy_set_header Host <my_domain name> and in the sub_filter field, it was the second parameter only that had to be set to use HTTPS

Superdesk-specific stuff that had to be configured:

In /opt/superdesk/activate.sh, set HOST_SSL to HOST_SSL=${HOST_SSL:-s}. This will make sure links sent out by mail (like password rest emails) are sent as HTTPS.

It seems simple in retrospect but wow was it difficult to figure out with limited knowledge of Nginx...