Running via HTTPS #2707

Closed
opened 2026-02-05 04:52:30 +03:00 by OVERLORD · 7 comments
Owner

Originally created by @mpiko on GitHub (Mar 14, 2022).

Describe the Bug

It appears that some assets are hard-coded to http. When running the site with a redirect of all traffic to https, the loading of some CSS pages, etc. fails.

Steps to Reproduce

Using certbot to create certs and update confs.

bookstack.conf:

```
<VirtualHost *:80>
        ServerName book.server.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/bookstack/public/

        redirect / https://book.server.com/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteCond %{SERVER_NAME} =book.server.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

bookstack-le-ssl.conf

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName book.server.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/bookstack/public/
        SSLEngine On

    <Directory /var/www/bookstack/public/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
        <IfModule mod_rewrite.c>
            <IfModule mod_negotiation.c>
                Options -MultiViews -Indexes
            </IfModule>

            RewriteEngine On

            # Handle Authorization Header
            RewriteCond %{HTTPS:Authorization} .
            RewriteRule .* - [E=HTTPS_AUTHORIZATION:%{HTTPS:Authorization}]

            # Redirect Trailing Slashes If Not A Folder...
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_URI} (.+)/$
            RewriteRule ^ %1 [L,R=301]

            # Handle Front Controller...
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^ index.php [L]
        </IfModule>
    </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/letsencrypt/live/book.server.com./fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/book.server.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

Expected Behaviour

Same as for http - but encrypted.

Screenshots or Additional Context

Style sheets do not load and it looks pretty ugly.

Browser Details

firefox

Exact BookStack Version

V22.02.3

PHP Version

PHP 7.4.3 (cli) (built: Mar 2 2022 15:36:52) ( NTS )

Hosting Environment

Linux server 5.4.0-97-generic #110-Ubuntu SMP Thu Jan 13 18:22:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

OVERLORD added the 🐛 Bug label 2026-02-05 04:52:30 +03:00
Author
Owner

@PoRnBoB commented on GitHub (Mar 14, 2022):

Did you update your Bookstack URL from HTTP to HTTPS?

https://www.bookstackapp.com/docs/admin/debugging/

Broken Links or No Images After APP_URL Change

Author
Owner

@mpiko commented on GitHub (Mar 14, 2022):

Thank you for your reply.

Yes but it did not work.

In Firefox debug, I still get:

```
Blocked loading mixed active content
"http://xxx.yyy.com/dist/styles.css?version=v22.02.3"
login
Blocked loading mixed active content
"http://xxx.yyy.com/dist/print-styles.css?version=v22.02.3"
login
Blocked loading mixed active content
"http://xxx.yyy.com/dist/app.js?version=v22.02.3"
```

I've also rebooted the server, and restarted the browser.

Author
Owner

@mpiko commented on GitHub (Mar 14, 2022):

Oh, BTW, I've cleared the cache also.

Maybe I should have put the full text from debug in my email. Here it is:

```
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Blocked loading mixed active content
"http://xxx.yyy.com/dist/styles.css?version=v22.02.3"
login
Blocked loading mixed active content
"http://xxx.yyy.com/dist/print-styles.css?version=v22.02.3"
login
Blocked loading mixed active content
"http://xxx.yyy.com/dist/app.js?version=v22.02.3"
login
Loading failed for the <script> with source “http://xxx.yyy.com/dist/app.js?version=v22.02.3”. login:170:1
Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.
```

Author
Owner

@mpiko commented on GitHub (Mar 14, 2022):

Here is the output from the URL update:

```
Are you sure you want to proceed? (yes/no) [no]:
> yes

This operation could cause issues if used incorrectly. Have you made a backup of your existing database? (yes/no) [no]:
> yes

Updated 0 rows in attachments->path
Updated 2 rows in pages->html
Updated 0 rows in pages->text
Updated 0 rows in pages->markdown
Updated 15 rows in images->url
Updated 1 rows in settings->value
Updated 0 rows in comments->html
Updated 0 rows in comments->text
Updated 0 JSON encoded rows in settings->value
URL update procedure complete.
=====
Be sure to run "php artisan cache:clear" to clear any old URLs in the cache.
=====
```

If I re-run it, it comes back with all: Updated 0

Author
Owner

@ssddanbrown commented on GitHub (Mar 15, 2022):

Hi @mpiko,
In your /var/www/bookstack/.env file has the APP_URL been updated to start with https://?
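
A quick way to check the two things this thread turns on, the `APP_URL` scheme in `.env` and `http://` asset URLs in the rendered page. This is an added shell example, not part of the thread or of BookStack; the function names are hypothetical and the sample `.env` and HTML are constructed.

```shell
#!/bin/sh
# Added example: checks for the APP_URL / mixed-content problem in this thread.
# The sample .env and HTML used in demo() are constructed.

# Print the scheme ("http" or "https") of the first APP_URL line in a .env file.
app_url_scheme() {
    sed -n 's#^APP_URL="\{0,1\}\(https\{0,1\}\)://.*#\1#p' "$1" | head -n 1
}

# Print every http:// URL that the page loads as a subresource or uses as a
# form action. Plain <a href> links are navigation, not mixed content, so
# they are skipped. Line-based: assumes each tag sits on one line.
mixed_content_urls() {
    grep -Eo '<(link|script|img|iframe|form)[^>]*(src|href|action)="http://[^"]+"' "$1" \
        | sed 's#.*="\(http://[^"]*\)"$#\1#' | sort -u
}

# Return 0 only when APP_URL is https and the page has no http:// subresources.
https_ready() {
    [ "$(app_url_scheme "$1")" = "https" ] || return 1
    [ -z "$(mixed_content_urls "$2")" ]
}

demo() {
    dir=$(mktemp -d)
    printf 'APP_URL=http://xxx.yyy.com\nDB_HOST=localhost\n' > "$dir/env"
    cat > "$dir/login.html" <<'EOF'
<link rel="stylesheet" href="http://xxx.yyy.com/dist/styles.css?version=v22.02.3">
<a href="http://example.org/docs">docs</a>
<form action="http://xxx.yyy.com/login" method="POST"><input type="password"></form>
<script src="http://xxx.yyy.com/dist/app.js?version=v22.02.3"></script>
EOF
    echo "APP_URL scheme: $(app_url_scheme "$dir/env")"
    mixed_content_urls "$dir/login.html"
    https_ready "$dir/env" "$dir/login.html" || echo "not ready for HTTPS"
    rm -rf "$dir"
}
demo
```

On a real install, save the login page with `curl` first and pass that file together with `/var/www/bookstack/.env` to `https_ready`.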

Author
Owner

@mpiko commented on GitHub (Mar 15, 2022):

OK, I've fixed it with the help on that page you mentioned.
I have created a little bash script to accommodate (attached)

Author
Owner

@mpiko commented on GitHub (Mar 15, 2022):

Here it is if anyone else would like it.

```
#!/bin/bash
# mpiko ver 1.0 15-03-22
#

echo "Do you have a publicly registered domain name to use? 
if so, press enter to continue or CTRL C to exit now."
read -r TMP

echo Continuing...

# NOTE: certbot will need to know an email address, the server domain name, etc.
sudo apt install -y certbot python3-certbot-apache
sudo certbot --apache

# certbot will create a copy of bookstack.conf called bookstack-le-ssl.conf
# with all the appropriate config.
# we will need to update the bookstack.conf to push all http connections to https.

echo -n "Please enter the domain name for your server "
read -r SERVER

# Should really check the DNS is correct and can ping. Maybe in the future...

# $SERVER is expanded by the shell here; \${APACHE_LOG_DIR} is escaped so that
# it reaches the file literally and Apache resolves it.
cat >/etc/apache2/sites-available/bookstack.conf <<EOF
<VirtualHost *:80>
        ServerName $SERVER

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/bookstack/public/

        # Trailing slash matters: without it /foo redirects to https://${SERVER}foo
        redirect / https://$SERVER/

        ErrorLog \${APACHE_LOG_DIR}/error.log
        CustomLog \${APACHE_LOG_DIR}/access.log combined

        RewriteCond %{SERVER_NAME} =$SERVER
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF

cd /var/www/bookstack || exit 1

echo "Now we need to update the urls in bookstack. Please follow the prompts"
read -r TMP
php artisan bookstack:update-url "http://$SERVER" "https://$SERVER"
php artisan cache:clear

# Edit .env in place: it holds secrets, so no copy is left in /tmp.
# Anchored on http:// so an APP_URL that is already https is left alone.
sed -i 's#^APP_URL=http://#APP_URL=https://#' .env

systemctl restart apache2
```
Reference: starred/BookStack#2707