It appears that on 'attachment edit' pages, a redirect to the following (non-HTTPS) host is being returned by requests like: https://bugs.freebsd.org/bugzilla/attachment.cgi?id=<attachmentid>:
302 -> Location: http://bz-attachments.freebsd.org/attachment.cgi?id=<attachmentid>
This protocol (http/https) mismatch causes a warning error in browsers to alert the user of mixed-(security)-content.
The current Bugzilla setting value for "attachment_base" (Attachments section) is
Changing http to https in the above setting changes the Location: URL in the response above, BUT also causes an infinite redirect loop.
We obviously want:
* All URLs/media to be served under HTTPS
* No infinite redirect loops
It would also be nice/good to enable the "ssl_redirect" setting in "Required Settings". Description of setting as follows:
When this is enabled, FreeBSD Bugzilla will ensure that every page is accessed over SSL, by redirecting any plain HTTP requests to HTTPS using the sslbase parameter. Also, when this is enabled, FreeBSD Bugzilla will send out links using sslbase in emails instead of urlbase.
Currently urlbase and sslbase have identical values.
The problem was that bugzilla believes it is being accessed via http, so it generates http-relative urls. If you set the attachments prefix to https:, it goes into an infinite loop.
For the wiki, I added this to the apache virtual config:
SetEnv HTTPS on
I've done the same to bugzilla and changed the attachment base. I believe it is working now.
Admin->Attachments->attachment_base changed from http to https
# Frontend forces https, let the backend know this so it generates https links.
SetEnv HTTPS on
I tested this URL to check for no redirect loop:
(In reply to Peter Wemm from comment #1)
Confirming that the URL loads fine after a single redirect, thank you Peter.
What is the thing that sees the HTTPS environment variable and modifies its output accordingly? Is it a bugzilla setting, a perl module thing, or just a standard CGI mechanic?
Could you please also make the same changes to our bugzilla test instance so that it remains in configuration sync.
I'm re-shuffling related/dependent issue summaries since you responded/resolved on this issue.
It's a CGI mechanic. Normally apache's mod_ssl would set this implicitly. Since mod_ssl isn't being used here and there's a separate front end, the setenv method appears to be sufficient.
Yes, the same change was made on the test environment.
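
The CGI mechanic described in the last comment, as an added illustration that is not part of the thread and not Bugzilla's own code: a simplified Python model in which the backend learns its scheme only from the CGI HTTPS variable. The backend and follow helpers and the shortened /attachment.cgi?id=1 path are assumptions, and the attachment_base host is taken from the Location header quoted in the report.

```python
from urllib.parse import urlsplit

def cgi_scheme(env):
    """Scheme a CGI program infers for itself. mod_ssl normally sets HTTPS=on;
    behind a TLS-terminating front end nothing sets it unless SetEnv does."""
    return "https" if env.get("HTTPS", "").lower() == "on" else "http"

def backend(url, env, attachment_base):
    """Simplified model (assumption): redirect unless the URL the backend
    believes it was reached at equals the attachment_base URL."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    # The client's real scheme is invisible here; only env decides it.
    self_url = f"{cgi_scheme(env)}://{parts.netloc}{path}"
    wanted = attachment_base.rstrip("/") + path
    return (200, None) if self_url == wanted else (302, wanted)

def follow(url, env, attachment_base, limit=10):
    """Follow redirects like a browser; report 'ok' or 'loop' plus the chain."""
    chain = [url]
    for _ in range(limit):
        status, location = backend(chain[-1], env, attachment_base)
        if status == 200:
            return "ok", chain
        if location in chain:              # same URL handed back again
            return "loop", chain + [location]
        chain.append(location)
    return "loop", chain

# Constructed sample request; path shortened for the model.
START = "https://bugs.freebsd.org/attachment.cgi?id=1"
HTTP_BASE = "http://bz-attachments.freebsd.org"
HTTPS_BASE = "https://bz-attachments.freebsd.org"

if __name__ == "__main__":
    cases = [
        ("original: http base, HTTPS unset", {}, HTTP_BASE),
        ("https base only", {}, HTTPS_BASE),
        ("https base + SetEnv HTTPS on", {"HTTPS": "on"}, HTTPS_BASE),
    ]
    for label, env, base in cases:
        outcome, chain = follow(START, env, base)
        insecure = any(u.startswith("http://") for u in chain)
        print(f"{label}: {outcome}, hops={len(chain) - 1}, plain-http hop={insecure}")
```

In the model, changing only attachment_base to https makes the backend redirect to the URL it was just asked for, because it still believes the request arrived over http; setting HTTPS=on gives the single redirect confirmed in the thread.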