Monica: Form action URLs on HTTP while Monica instance is on HTTPS

Created on 4 Jul 2018 · 10 Comments · Source: monicahq/monica

Describe the bug
My instance of Monica is on HTTPS. When I try to delete a call or add an activity I get the following error from Firefox:

The information you have entered on this page will be sent over an insecure connection and could be read by a third party.

Are you sure you want to send this information?

This is caused by the form action being on HTTP while the page is on HTTPS. For example, this line of code on the page <form method="POST" action="http://example.mywebsite.com/activities/store/h:KJPRLXvBmbVZDonyQ2"> needs to be changed to <form method="POST" action="https://example.mywebsite.com/activities/store/h:KJPRLXvBmbVZDonyQ2">. If it's not changed then I get the following Laravel (I think it's Laravel) error: Whoops, looks like something went wrong.. I changed that line of HTML with Dev Tools and everything worked great. So, currently, in order to add an activity or perform something similar I need to manually edit the HTML code. All of the form action URLs should be on HTTPS if the Monica instance is on HTTPS, right? If that were true then my issue would be solved.

Screenshots
https://imgur.com/a/TFyhN0G
(GitHub wouldn't let me upload the images for some reason)

Which version are you using:

  • A server I maintain myself running version 2.3.1

Additional context
None

All 10 comments

Same issue with the latest docker image (also v2.3.1) on my end. I just want to add that I specified the APP_URL env variable including the https scheme in case that should make a difference.

The APP_URL is only used to generate the links for emails.
You can try to set Laravel's trusted proxy property. Use the APP_TRUSTED_PROXIES environment property to set it.

@asbiin What should I set the APP_TRUSTED_PROXIES environment variable to? Should I set it to the same thing APP_URL is set to or just https or something else?

Hello, I had the same issue running Monica on Docker (Swarm mode) with Traefik as a reverse proxy. As @asbiin mentioned, I solved the issue by setting APP_TRUSTED_PROXIES="*" on my .env file. On .env.example it says:

Set trusted proxy IP addresses.
To trust all proxies that connect directly to your server, use a "*".
To trust one or more specific proxies that connect directly to your server, use a comma separated list of IP addresses.

Maybe @asbiin can further explain how this should be set up. Please let me know if this works for any of you.

Indeed, the APP_TRUSTED_PROXIES variable must list the IP addresses you want to whitelist.
We will document the .env file soon.
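
Added example, not part of the thread and not Monica's or Laravel's own code: a simplified Python model of how a trusted-proxy setting decides whether X-Forwarded-Proto is honored when the form action URL is built. The peer addresses and the helper names (is_trusted, request_scheme, form_action) are assumptions made for illustration; the host and path are the ones quoted in the report.

```python
import ipaddress

def is_trusted(peer_ip, trusted):
    """trusted mimics an APP_TRUSTED_PROXIES value: '', '*', or comma-separated IPs."""
    trusted = trusted.strip()
    if not trusted:
        return False
    if trusted == "*":
        return True  # every host that connects directly is treated as a proxy
    peer = ipaddress.ip_address(peer_ip)
    entries = [t.strip() for t in trusted.split(",") if t.strip()]
    return any(peer == ipaddress.ip_address(t) for t in entries)

def request_scheme(peer_ip, headers, trusted, socket_is_tls=False):
    """Scheme the application believes the browser used."""
    if is_trusted(peer_ip, trusted):
        # Forwarded headers are only read when the direct peer is trusted.
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    # Otherwise fall back to the proxy-to-app hop, which is plain HTTP here.
    return "https" if socket_is_tls else "http"

def form_action(peer_ip, headers, trusted, path):
    """Absolute URL that would be rendered into <form action=...>."""
    return f"{request_scheme(peer_ip, headers, trusted)}://{headers['Host']}{path}"

# Constructed sample: the reverse proxy terminates TLS and forwards over HTTP.
PROXY_IP = "172.18.0.2"   # assumed address of the reverse proxy container
OTHER_IP = "203.0.113.9"  # assumed peer that is not the proxy
HEADERS = {"Host": "example.mywebsite.com", "X-Forwarded-Proto": "https"}
PATH = "/activities/store/h:KJPRLXvBmbVZDonyQ2"

if __name__ == "__main__":
    for trusted in ("", "*", PROXY_IP):
        print(f"trusted={trusted!r:14} via proxy -> "
              f"{form_action(PROXY_IP, HEADERS, trusted, PATH)}")
    # Same header arriving from a peer that is not the proxy:
    for trusted in ("*", PROXY_IP):
        print(f"trusted={trusted!r:14} other peer -> "
              f"{request_scheme(OTHER_IP, HEADERS, trusted)}")
```

With the variable unset the model reproduces the http:// form action from the report. Both "*" and the explicit proxy address fix it, but only the explicit list ignores the header when it arrives from a peer other than the proxy.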

Setting the APP_TRUSTED_PROXIES variable to * worked for me as suggested by @grojas7. I believe that this issue can now be closed since a solution has been found.

Note for anyone else who is looking for this, after making .env changes, you seem to need to run composer install --no-interaction --no-suggest --no-dev and php artisan setup:production in order for them to take. Database seems to not be affected, but this resolved my reverse proxy issue.

@IronTooch this is due to config caching. php artisan setup:production recaches the config, but you can do it with php artisan config:cache

We faced this issue in the Cloudron package as well where Monica is behind a reverse proxy. Setting APP_TRUSTED_PROXIES=* solves the issue.

For some reason, deleting the bootstrap/cache/route.php (or php artisan route:clear) also makes it work and in that case APP_TRUSTED_PROXIES can remain unset and it works just fine! I don't know Laravel enough to understand why this is the case.

Can this get closed now that #1997 is merged?
