I have a private ikiwiki (3.20170111) which is running on a host that serves HTTP and HTTPS, but ikiwiki is configured for (and only served on) HTTPS: url: https://redacted/phd/ cgiurl: https://redacted/phd/cgi However, form submissions from ikiwiki are going to a HTTP URL and thus not being served. Example headers from submitting a comment: Request URL:https://redacted/phd/cgi Request Method:POST Status Code:302 Found Remote Address:redacted:443 Referrer Policy:no-referrer-when-downgrade Response Headers HTTP/1.1 302 Found Server: nginx/1.10.3 Date: Fri, 08 Dec 2017 11:53:35 GMT Content-Length: 0 Connection: keep-alive Status: 302 Found Location: http://redacted/phd/blog/38th_Dec/?updated#comment-bd0549eb2464b5ca0544f68e6c32221e > Your form submission was in fact done successfully. The failing redirection to http is > when ikiwiki follows up the successful edit by redirecting you from the form submission > URL to the updated page, which is done by `IkiWiki::redirect`. --[[smcv]] The CGI is served by lighttpd, but the whole site is front-ended by nginx, which reverse-proxies to lighttpd. ---- I think this might be to do with nginx not rewriting POST URLs when reverse-proxying, but I'm not sure why they would be generated in an HTTP form in any case, except perhaps by lighttpd's CGI handler since the back end is HTTP. A workaround is for nginx to redirect any HTTP URI to the HTTPS equivalent. I initially disabled that so as to have the path for letsencrypt negotiation not redirected.-- [[Users/Jon]] > Do you have the `reverse_proxy` option set to 1? (It affects how ikiwiki generates > self-referential URLs). > > Is the connection between nginx and lighttpd http or https? > > I think this is maybe a bug in `IkiWiki::redirect` when used in conjunction with > `reverse_proxy: 1`: when marked as behind a reverse proxy, > `IkiWiki::redirect` sent `Location: /phd/foo/bar/`, which your backend web > server might be misinterpreting. ikiwiki git master now sends > `Location: https://redacted/phd/foo/bar/` instead: does that resolve this > for you? > > Assuming nginx has a reasonable level of configuration, you can redirect http to https > for the entire server except `/.well-known/acme-challenge/` as a good way to bootstrap > ACME negotiation. --[[smcv]]