Forum

Hi,

can it be that Hiawatha and SSL well do not work with each other?
Not all contents of the web page are protected, with Apache it works without problems.
What can be the cause?
It has struck me that has the same problem also https: // www.hiawatha-webserver.org

Hiawatha version: 7.3
Operating System: Debian 5.0

Hiawatha works well with SSL. Can you tell me what the URL is of your website so I can see for myself?

This website works with SSL, but since I don't have the right SSL certificate (don't want to spend money on it) I've included a BASE HTML tag which sets the base URL to a non-SSL one. So, every next click and all pictures are loaded via HTTP, not HTTPS. It's as designed.

I don't have to
but when I use the Apache two years ago, it has worked also with not right SSL

Can you tell me what is not working correctly then? Can you tell me the URL of your website?

Not all files are encrypted, for example. JS or CSS, and some pictures.
So just like https://www.hiawatha-webserver.org

I ask for understanding, I would like to remain anonymous, not because I trust you not, but because there are a lot of idiots on the Internet, nevertheless, you it knows itself.

Check if there is also a BASE HTML tag in your code that forces the browser to HTTP instead of HTTPS. Or maybe the links contain a http:// instead of a https://? Anway, it's the HTML code that tells the browser to use HTTP or HTTPS, not Hiawatha.

If you don't want to post your URL, you can also send it to me in an e-mail (hugo at hiawatha dash webserver dot org).

thank you Hugo,
I use CMS Joomla! I think I can not change as much, with Apache it worked, so I thought maybe the problem is with the Hiawatha.
OK, then I must buy to myself a right SSL
I would like to warn you that your email on start page is unprotected from Spambots

An official certificate won't solve the problem. You can try the following patch for envir.c. At line 230, change the code block

#ifdef HAVE_SSL
    if (session->binding->use_ssl) {
        add_to_environment(fcgi_buffer, "HTTP_SCHEME", "https");
    } else
#endif
        add_to_environment(fcgi_buffer, "HTTP_SCHEME", "http");

to

#ifdef HAVE_SSL
    if (session->binding->use_ssl) {
        add_to_environment(fcgi_buffer, "HTTP_SCHEME", "https");
        add_to_environment(fcgi_buffer, "HTTPS", "on");
    } else {
#endif
        add_to_environment(fcgi_buffer, "HTTP_SCHEME", "http");
#ifdef HAVE_SSL
        add_to_environment(fcgi_buffer, "HTTPS", "off");
    }
#endif

Looks like Joomla (just like all other CMSes) is using the Apache CGI standard instead of the official CGI standard.


I know my e-mail address is 'unprotected'. But posting it at this website won't cause more spam. The address is already known by too many spam idiots. And besides that, my spamfilter is working just fine

I don't have envir.c

Look in the source tarball. It's there.

nothing, maybe because it's a vServer?
"find / -name envir.c" has also found nothing.

Go to the download page of this website. Download the Hiawatha 7.3 source tarball, unpack it and find envir.c. Adjust as described above and recompile as you did before.

ok I changed envir.c and recompiled and reinstalled with "hiawatha_7.3_amd64.deb", but nothing has changed.

sorry, there is a change, it is changed no more from https to http
was that your plan?

the Browser alert: "Security level: broken"

That's what I mean, with Apache was it not broken

I have a Joomla website running under Hiawatha myself. It works fine with both HTTP and HTTPS. Can you tell me the URL of your website so I can see for myself?