Koken SSL Issue, Resolved

The Problem

I recently started to test using Koken to self-host some of my photography work and I was having a lot of mysterious issues. My server is configured running nginx and all domains are 100% SSL enabled (using Let’s Encrypt). There is no non-SSL access to any site on my server. Koken is a PHP application built on the CodeIgniter framework, so php-fpm is in the configuration mix too.

While Koken looks really nice, nice enough for me to spend time trying to resolve my issues, the support is pretty poor.  There are hundreds of posts related to these issues, which I have resolved with one configuration item in my nginx configuration.  I hope this might solve some problems for a lot of other people since development appears to be very slow.  Koken was sold recently and the new maintainers are not releasing updates that often.

The issues appear isolated to people running Koken on nginx with SSL-only access. Symptoms of the issue are:

  • SSL Mixed Content Warnings
  • Unable to Log in, despite using the correct password
  • Settings do not save
  • Themes will not apply
  • Cannot contact API error messages

Resolution

As it turns out, /api.php is the primary way the application talks to itself, and /app/site/site.php is the primary controller for things. After a bunch of logging and debugging I noticed that site.php was making a lot of calls to api.php using a non-SSL URI. For whatever reason these calls never made it to my 301 redirects (HTTP -> SSL) and would just silently fail – resulting in a bunch of strange issues where the site appears to “mostly work”, but a lot of core functionality seems broken.

Upon realizing that the application was calling the API over http instead of https, I was hoping I could resolve the issue without modifying the source code. I did not want to fiddle with the source such that any time I update it, I would have to remember to patch the files. After a bit of digging I found that Koken determines if a site is running SSL using the following code snippet from /app/site/Koken.php:

There are a number of places throughout the code which make reference to the $_SERVER['HTTPS'] variable; some deal with it properly, some do not. The above snippet is just one example. To correct the issue in the code itself you would have to modify 5 or 6 files. While I feel the Koken developers can fix this on their end, or at least document the configuration change needed to correct it, the fix is quite simple.

In your fastcgi.conf, or the site configuration file, or wherever you store it, add the following line:

This will properly set the $_SERVER['HTTPS']  variable to something that will work with how Koken expects to reference it (like Apache), and everything will work fine.
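
As an added illustration (not the author's own configuration), the following nginx layout for an SSL-only PHP site passes the HTTPS flag to php-fpm so that $_SERVER['HTTPS'] is populated the way Apache would populate it. The host name, document root, certificate paths and php-fpm socket are placeholders, and Koken's own rewrite rules are omitted.

```nginx
# Constructed example: photos.example.com, /var/www/koken and the
# php-fpm socket path are placeholders, not values from the post.

# Port 80 only redirects; PHP is never executed over plain HTTP.
server {
    listen 80;
    server_name photos.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name photos.example.com;

    ssl_certificate     /etc/letsencrypt/live/photos.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/photos.example.com/privkey.pem;

    root  /var/www/koken;
    index index.php;

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Weak setting: no HTTPS parameter reaches php-fpm, so PHP has no
        # $_SERVER['HTTPS'] and the application builds http:// URLs for
        # its own internal calls and for links in the pages it renders.

        # Corrected setting: this server block is TLS-only, so a fixed
        # value is accurate for every request it handles.
        fastcgi_param HTTPS on;

        # Alternative for a block that serves both schemes: nginx sets
        # $https to "on" for TLS connections and to an empty string
        # otherwise, and if_not_empty skips the parameter when empty.
        # fastcgi_param HTTPS $https if_not_empty;

        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Set the fixed value only inside a server block that listens exclusively on TLS; in a block that also accepts plain HTTP it would make the application believe every request is encrypted.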

The relevant sections of my entire working koken.conf file for nginx look like this:

 

One thought on “Koken SSL Issue, Resolved”

  1. Hi Brian.

    Excellent post – just what the Dr ordered!

    My particular problem was proxy related. Have a front-end Apache proxying to a different VM back-end. Ended up (before adding requestheader set HTTPS on) having mixed urls being used – index.php served correctly with https, with links (and ajax loads) on the page reverting to http – madness. This of course meant that users were seeing the SSL padlock for a fleeting moment, before the site reverted to “unsecure”.

    NOT good when you want to instill confidence, host the cart plugin and expect customers to enter payment details.

    Thanks again.
    –D.
