SSL on Admin - Media Library fail

Topics: Administration, General
Mar 17 at 7:00 PM
Hi guys - I've run into trouble with my 1.7.2 install, MediaLibrary. We are running the admin site under SSL. When the media library "Import" screen is accessed, the browser blocks the content from rendering ("The page at 'https://www.MyDomain.com/Admin/Orchard.MediaLibrary/Import?folderPath=Sliders' was loaded over HTTPS, but ran insecure content from 'http://www.MyDomain.com/Modules/Orchard.MediaLibrary/scripts/knockout-2.3.0.js': this content should also be loaded over HTTPS.")

Even if the user overrides the 'mixed content' warning (little grey shield on the right of the address bar in Chrome), a new and worse message is displayed:

"Uncaught SecurityError: Blocked a frame with origin "http://www.MyDomain.com" from accessing a frame with origin "https://www.MyDomain.com". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match."

Aargh! This is preventing any media management from being performed on the site. Short of accessing the site over http, what can I do to fix this issue? I've looked through the MediaLibrary module but I don't see any hard-coded "http:" references in there.

This is a bit of a show-stopper and my client is understandably frustrated. Any thoughts?

Thanks.

Kurt
Coordinator
Mar 17 at 7:04 PM
I can't reproduce this. How did you set up SSL?
Mar 17 at 7:20 PM
Hi Bertrand - thanks for the quick reply!

I am having the same issue whether running locally with a cert I got from "StartSSL" or in staging & production, which are running on Azure with the cert installed via the Azure Websites admin. The certs seem to be working fine, particularly on live / staging.

I am forcing SSL on the admin via a filter I wrote myself (code below). Any thoughts on how to overcome this?

Thanks again!

Kurt

=============

    public void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // check if this request is from our module - if not, switch to http if necessary
        if (IsIgnoredArea(filterContext))
            return;

        HttpRequestBase req = filterContext.HttpContext.Request;
        UriBuilder builder = null;

        bool isAdmin = IsAdmin(filterContext);

        if (isAdmin) //&& !req.IsLocal NOTE: don't commit this
        {
            if (!req.IsSecureConnection)
            {
                // switch to SSL
                builder = new UriBuilder(req.Url)
                {
                    Scheme = Uri.UriSchemeHttps,
                    Port = 443
                };
            }
        }
        else
        {
            if (req.IsSecureConnection)
            {
                // switch to http
                builder = new UriBuilder(req.Url)
                {
                    Scheme = Uri.UriSchemeHttp,
                    Port = 80
                };
            }
        }

        if (builder != null)
        {
            filterContext.Result = new RedirectResult(builder.Uri.ToString());
        }
    }


Mar 17 at 10:33 PM
Figured out the problem: my "SSL checker" needs to determine whether or not we are in an "admin" page. So, per request I break up the url into segments and look for a segment called "admin". No problem. BUT: the MediaLibrary module serves up content as [domain]/Orchard.MediaLibrary/[path]. No admin! So I just added "Orchard.MediaLibrary" to the set of "admin" url segments and she's a work like a charm.

Thanks for looking into this Bertrand.

Kurt
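
Why the segment test breaks the Import screen, as an added example (not code from this thread or from Orchard): it reruns the filter's redirect decision without the MVC types and checks that a page and the frames it embeds end up on the same scheme. The frame path `ExamplePath` and all type and method names here are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class SchemeConsistencyCheck
{
    // The check described in the post: a request is "admin" if any path segment is listed.
    static bool IsAdminBySegment(Uri url, ISet<string> adminSegments) =>
        url.Segments.Select(s => s.Trim('/')).Any(adminSegments.Contains);

    // Same decision as the filter's OnActionExecuting, without the MVC types:
    // returns the URL the browser ends up on after any redirect.
    static Uri AfterFilter(Uri url, ISet<string> adminSegments)
    {
        bool isAdmin = IsAdminBySegment(url, adminSegments);
        bool isSecure = url.Scheme == Uri.UriSchemeHttps;
        if (isAdmin == isSecure) return url;   // already on the scheme the filter wants
        return new UriBuilder(url)
        {
            Scheme = isAdmin ? Uri.UriSchemeHttps : Uri.UriSchemeHttp,
            Port = isAdmin ? 443 : 80
        }.Uri;
    }

    // A page and everything it embeds must land on one scheme, otherwise the browser
    // blocks the content (mixed content, cross-protocol frame access).
    static List<Uri> SchemeMismatches(Uri page, IEnumerable<Uri> embedded, ISet<string> adminSegments)
    {
        string pageScheme = AfterFilter(page, adminSegments).Scheme;
        return embedded.Select(u => AfterFilter(u, adminSegments))
                       .Where(u => u.Scheme != pageScheme).ToList();
    }

    static void Main()
    {
        var page = new Uri("https://www.MyDomain.com/Admin/Orchard.MediaLibrary/Import?folderPath=Sliders");
        // Constructed frame URL in the [domain]/Orchard.MediaLibrary/[path] shape from the post.
        var frames = new[] { new Uri("https://www.MyDomain.com/Orchard.MediaLibrary/ExamplePath") };

        var original = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "admin" };
        var patched = new HashSet<string>(original, StringComparer.OrdinalIgnoreCase) { "Orchard.MediaLibrary" };

        foreach (var (name, segments) in new[] { ("admin only", original), ("with Orchard.MediaLibrary", patched) })
        {
            var bad = SchemeMismatches(page, frames, segments);
            Console.WriteLine($"{name}: {bad.Count} mismatch(es) {string.Join(", ", bad)}");
        }
    }
}
```

Running the same check over every URL an admin screen embeds catches any route the segment list misses before a browser does.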
Coordinator
Mar 23 at 9:42 PM
There is an API to check if you are under an admin page: AdminFilter.IsAdmin. A search for an "admin" segment in the url is insufficient (there is no guarantee that an admin page would have it). Whitelisting admin pages just won't do the trick; it's just plain wrong.

Also, I don't understand why you are doing this in the first place: the SSL feature, if activated and properly configured, will enforce https on all admin pages out of the box.
Mar 25 at 5:19 AM
Thanks for that tip Bertrand - I will definitely replace my admin check with the "IsAdmin" API call. I wasn't aware of its existence :-/

I wasn't able to get the SSL module to work on my site. We are hosted on Azure websites, and only part of my public-facing site is SSL protected; of course, the whole admin area is as well. Try as I might, I could not configure the site / Azure to reliably switch from SSL to non-SSL between the various pages I needed it to, so I wrote my own filter to do what I needed. Works great, no problems at all so far. Except for MediaLibrary bombing because, uh, it doesn't have "admin" in the path segments. D'oh!

So, all good and a nice enhancement to make to the code thanks to your tip! Look forward to seeing you at Harvest this summer - I'll be there.

Kurt

