Mixed content when upgrading to HTTPS from HTTP #2838

New Issue

OVERLORD · 2026-02-05T05:24:36+03:00

OVERLORD commented

2026-02-05 05:24:36 +03:00

Originally created by @michaelwayneharris87 on GitHub (Jun 8, 2022).

Attempted Debugging

I have read the debugging page

Searched GitHub Issues

I have searched GitHub for the issue.

Describe the Scenario

I am trying to put my bookstack site over HTTPS from HTTP. I'm running Apache 2.4

When I have my virtualhosts serving over http, everything works as expected.

When I change my virtualhosts to servce over https, I get mixed content warnings.

In both cases, I make sure that the APP_URL version is correct. When switching back and forth, I've dumped the database and done a find and replace on http://mysite.com to https://mysite.com, and vice versa.

Exact BookStack Version

v21.05

Log Content

No response

PHP Version

7.33

Hosting Environment

CentOS 7

Originally created by @michaelwayneharris87 on GitHub (Jun 8, 2022). ### Attempted Debugging - [X] I have read the debugging page ### Searched GitHub Issues - [X] I have searched GitHub for the issue. ### Describe the Scenario I am trying to put my bookstack site over HTTPS from HTTP. I'm running Apache 2.4 When I have my virtualhosts serving over http, everything works as expected. When I change my virtualhosts to servce over https, I get mixed content warnings. In both cases, I make sure that the APP_URL version is correct. When switching back and forth, I've dumped the database and done a find and replace on http://mysite.com to https://mysite.com, and vice versa. ### Exact BookStack Version v21.05 ### Log Content _No response_ ### PHP Version 7.33 ### Hosting Environment CentOS 7

OVERLORD added the 🐕 Support label 2026-02-05 05:24:36 +03:00

OVERLORD closed this issue

2026-02-05 05:24:43 +03:00

OVERLORD commented

2026-02-05 05:24:44 +03:00

@ssddanbrown commented on GitHub (Jun 8, 2022):

Hi @michaelwayneharris87,
It's likely you have some http references in the database which need updating. We provide a command to help with this, please see the "Update System URL" command in our docs.

If it helps, this scenario and the steps required can also be seen at about 18:10 in this video: https://youtu.be/ShqUjt33uOs?t=1091

@ssddanbrown commented on GitHub (Jun 8, 2022): Hi @michaelwayneharris87, It's likely you have some http references in the database which need updating. We provide a command to help with this, please see the ["Update System URL" command in our docs](https://www.bookstackapp.com/docs/admin/commands/#update-system-url). If it helps, this scenario and the steps required can also be seen at about 18:10 in this video: https://youtu.be/ShqUjt33uOs?t=1091

OVERLORD commented

2026-02-05 05:24:49 +03:00

@michaelwayneharris87 commented on GitHub (Jun 8, 2022):

Hi @ssddanbrown,
Thanks for the pointer to the docs.

I ran that command (and cleared cache) and I received the following output:

Updated 0 rows in attachments->path
Updated 0 rows in pages->html
Updated 0 rows in pages->text
Updated 0 rows in pages->markdown
Updated 0 rows in images->url
Updated 0 rows in settings->value
Updated 0 rows in comments->html
Updated 0 rows in comments->text
Updated 0 JSON encoded rows in settings->value

And the problem still persists.

@michaelwayneharris87 commented on GitHub (Jun 8, 2022): Hi @ssddanbrown, Thanks for the pointer to the docs. I ran that command (and cleared cache) and I received the following output: ``` Updated 0 rows in attachments->path Updated 0 rows in pages->html Updated 0 rows in pages->text Updated 0 rows in pages->markdown Updated 0 rows in images->url Updated 0 rows in settings->value Updated 0 rows in comments->html Updated 0 rows in comments->text Updated 0 JSON encoded rows in settings->value ``` And the problem still persists.

OVERLORD commented

2026-02-05 05:24:55 +03:00

@ssddanbrown commented on GitHub (Jun 8, 2022):

@michaelwayneharris87 Okay, that's very odd to have 0 changes if you have existing content before upgrading.
Was the command definately ran with both your old and new APP_URL values passed as options? Including the starting http:// part and https:// part? With the old URL being before the new https url?

@ssddanbrown commented on GitHub (Jun 8, 2022): @michaelwayneharris87 Okay, that's very odd to have 0 changes if you have existing content before upgrading. Was the command definately ran with both your old and new `APP_URL` values passed as options? Including the starting `http://` part and `https://` part? With the old URL being before the new https url?

OVERLORD commented

2026-02-05 05:24:58 +03:00

@michaelwayneharris87 commented on GitHub (Jun 8, 2022):

@ssddanbrown Yes I verified that in my git history.

I've been working on this for a day or two now, and before this particular iteration I dumped the database and did a find and replace with sed, so I think that accomplished the same task.

I reimported a backup of the database and repeated the instructions and cleared cache. Here was my output:

Updated 0 rows in attachments->path
Updated 21 rows in pages->html
Updated 0 rows in pages->text
Updated 0 rows in pages->markdown
Updated 128 rows in images->url
Updated 0 rows in settings->value
Updated 0 rows in comments->html
Updated 0 rows in comments->text
Updated 0 JSON encoded rows in settings->value
URL update procedure complete.

And the problem persists.

@michaelwayneharris87 commented on GitHub (Jun 8, 2022): @ssddanbrown Yes I verified that in my git history. I've been working on this for a day or two now, and before this particular iteration I dumped the database and did a find and replace with `sed`, so I think that accomplished the same task. I reimported a backup of the database and repeated the instructions and cleared cache. Here was my output: ``` Updated 0 rows in attachments->path Updated 21 rows in pages->html Updated 0 rows in pages->text Updated 0 rows in pages->markdown Updated 128 rows in images->url Updated 0 rows in settings->value Updated 0 rows in comments->html Updated 0 rows in comments->text Updated 0 JSON encoded rows in settings->value URL update procedure complete. ``` And the problem persists.

OVERLORD commented

2026-02-05 05:25:03 +03:00

@ssddanbrown commented on GitHub (Jun 8, 2022):

@michaelwayneharris87 Ah, that makes sense if you've already change the DB values via alternative means.

In most browsers, The console in the browser developer tools will list the URLs that are causing mixed content. This is often shown as a yellow warning. Can you open the browser developer tools console, refresh the page, and report back any warnings that appear?

@ssddanbrown commented on GitHub (Jun 8, 2022): @michaelwayneharris87 Ah, that makes sense if you've already change the DB values via alternative means. In most browsers, The console in the browser developer tools will list the URLs that are causing mixed content. This is often shown as a yellow warning. Can you open the browser developer tools console, refresh the page, and report back any warnings that appear?

OVERLORD commented

2026-02-05 05:25:11 +03:00

@michaelwayneharris87 commented on GitHub (Jun 8, 2022):

Thanks a ton for looking into this with me.

Here's what chrome tells me (urls anonymized):

Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS.
login:16 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/print-styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS.
login:143 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bookstack.mysite.com/login'. This endpoint should be made available over a secure connection.
login:1 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure script 'http://bookstack.mysite.com/dist/app.js?version=v21.05'. This request has been blocked; the content must be served over HTTPS.
login:1 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS.
login:1 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/print-styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS.

@michaelwayneharris87 commented on GitHub (Jun 8, 2022): Thanks a ton for looking into this with me. Here's what chrome tells me (urls anonymized): ``` Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS. login:16 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/print-styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS. login:143 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bookstack.mysite.com/login'. This endpoint should be made available over a secure connection. login:1 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure script 'http://bookstack.mysite.com/dist/app.js?version=v21.05'. This request has been blocked; the content must be served over HTTPS. login:1 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS. login:1 Mixed Content: The page at 'https://bookstack.mysite.com/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://bookstack.mysite.com/dist/print-styles.css?version=v21.05'. This request has been blocked; the content must be served over HTTPS. ```

OVERLORD commented

2026-02-05 05:25:13 +03:00

@ssddanbrown commented on GitHub (Jun 8, 2022):

@michaelwayneharris87 Thanks for the info.

That tells me that the APP_URL is not properly taking affect.
It's likely that either the config being read by BookStack does not have the correct URL or there is caching at play.

Within your BookStack install, does a bootstrap/cache/config.php file exist?

@ssddanbrown commented on GitHub (Jun 8, 2022): @michaelwayneharris87 Thanks for the info. That tells me that the `APP_URL` is not properly taking affect. It's likely that either the config being read by BookStack does not have the correct URL or there is caching at play. Within your BookStack install, does a `bootstrap/cache/config.php` file exist?

OVERLORD commented

2026-02-05 05:25:17 +03:00

@michaelwayneharris87 commented on GitHub (Jun 8, 2022):

@ssddanbrown yes! A quick grep of that file shows our old http url in several places.

@michaelwayneharris87 commented on GitHub (Jun 8, 2022): @ssddanbrown yes! A quick grep of that file shows our old http url in several places.

OVERLORD commented

2026-02-05 05:25:24 +03:00

@ssddanbrown commented on GitHub (Jun 8, 2022):

@michaelwayneharris87 Okay, just delete that file.

Sounds like php artisan config:cache has been ran at some stage which caches the config for performance, but does mean that .env changes won't take place until the cache is deleted or rebuilt.

@ssddanbrown commented on GitHub (Jun 8, 2022): @michaelwayneharris87 Okay, just delete that file. Sounds like `php artisan config:cache` has been ran at some stage which caches the config for performance, but does mean that `.env` changes won't take place until the cache is deleted or rebuilt.

OVERLORD commented

2026-02-05 05:25:26 +03:00

@michaelwayneharris87 commented on GitHub (Jun 8, 2022):

Wow that did it! thanks so much for your quick help! 🙏🙏🙏🙏

@michaelwayneharris87 commented on GitHub (Jun 8, 2022): Wow that did it! thanks so much for your quick help! 🙏🙏🙏🙏

OVERLORD commented

2026-02-05 05:25:29 +03:00

@ssddanbrown commented on GitHub (Jun 8, 2022):

@michaelwayneharris87 Happy to help, Will therefore close this off.

Just a note, you're on a year old version of BookStack. I ensure a list of important security & potentially breaking changes are listed here: https://www.bookstackapp.com/docs/admin/updates/#updating-to-v2108-or-higher

Most notably, the current version has a PHP 7.4 minimum requirement, and you'll want a recent version of composer. If it helps you plan an upgrade, we'd likely be raising the minimum PHP requirement to 8.0 towards the end of the year.

@ssddanbrown commented on GitHub (Jun 8, 2022): @michaelwayneharris87 Happy to help, Will therefore close this off. Just a note, you're on a year old version of BookStack. I ensure a list of important security & potentially breaking changes are listed here: https://www.bookstackapp.com/docs/admin/updates/#updating-to-v2108-or-higher Most notably, the current version has a PHP 7.4 minimum requirement, and you'll want a recent version of composer. If it helps you plan an upgrade, we'd likely be raising the minimum PHP requirement to 8.0 towards the end of the year.

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#2838