
Gemini Community Support Site

This Gemini community support site can be used to find solutions to product issues. You can log in using Open Id, Google Profile and even Facebook. Feel free to ask a question or browse FAQs and documentation. Product tour videos are also available along with how-to videos demonstrating key Gemini capabilities.




Problem with creating new items when using SSL encryption

usage
items
security

Hi all,

If we connect to our gemini server without SSL (i.e. http://gemini.ourcompany.com/) and then click to create a new item we have problems and it all works brilliantly.

If we use SSL (i.e. https://gemini.ourcompany.com/) and click to create a new item, it all still works pretty well, but we get the ie9 prompt of "only secure content is displayed" which would suggest that some elements are being drawn from a non SSL server somewhere.

Is this a config we've missed, or is it pulling from some external resource somewhere?

Thanks,

PeterJ
Replies (19)

Check the Gemini URL settings on the Administration >> General Page. If you set this to :

https://gemini.ourcompany.com/

Do you still get the warning ?


Dave Long

Afraid so yes - we had already set it to the https:// so still having the issue

··· ok, suggest you run fiddler (http://www.fiddler2.com/fiddler2/) and see what resource it's trying to load on HTTP? (Dave Long, Thursday, May 26, 2011, 12:32:05 PM)

PeterJ

Which version of Gemini are you running? Is it only the new item page that gets that message? Have you changed anything (added images) in Gemini?

FYI - we have many customers (installed and hosted) using SSL with no issues.


Mark Wing

We're running 4.0.1 build 3038

Having a quick skim through, these Project Admin pages have the same SSL warning:

Project Admin->Default Values
Project Admin->Version Attributes
Project Admin->Project Attributes

The others are all fine.

In Global Admin, we see the same warning on Global>General, Security>General. again all others are fine.

If it helps, on GlobalAdmin>Global>General, the Welcome Message text box is missing its toolbar until we click the Show all content at which point it appears.

On GlobalAdmin>Security>General, the Help Desk Welcome message is in courier font and shows < p > < span > etc. etc. etc.

until we click Show All content at which point it gets its toolbar and flips to showing the text in a larger font correctly.

Could it be an absolute reference to a stylesheet somewhere?


PeterJ

Seems like a tinyMCE issue (although we cannot reproduce it yet!). Can you please try and change the editor (Administration -> General under items) to RAD? Once you have done so, do you get a warning when clicking on new item?


Mark Wing

I couldn't see RAD, but did have Rich Text Box and text box, and if I select either of those then the warning message doesn't appear, so yep looks like it's when it's using the tinyMCE option.

(Also forgot to mention earlier when you asked - we're running pretty vanilla and haven't altered any files/images or templates etc. and the only thing we've done within Gemini itself is tweaked the workflow and obviously added Projects, Project Components, version and items)


PeterJ

Ok, so on the pages where it happens now, can you view source and check if references to tinyMCE use HTTP? Are there any?


Mark Wing

Hmmm - not that I can see easily with a straightforward FIND in the Source (but I could be missing them!)

Could they be in a script file that's being referenced or something?


PeterJ

suggest you run fiddler (http://www.fiddler2.com/fiddler2/) and see what resource it's trying to load on HTTP ?


Dave Long

Ah, possibly something.

The very last request that fiddler shows (neat app btw!) is an http get of GET /Gemini/js/tiny_mce/langs/en.js HTTP/1.1 which is not being requested from https://gemini.ourcompany.com, instead it's being requested by http direct from the actual servername of the server gemini is installed on - http://internalgeminiserver.ad.ourcompany.com/


PeterJ

In your web.Config, there's a TinyMCE setting called "relative_urls" - by default, this is set to false, try setting this to true and see if this fixes the issue (just as a proof of concept - I wouldn't recommend leaving this on true as you may end up with invalid image paths etc in your issues...)


Dave Long

Sorry, still has the same problem regardless of that setting


PeterJ

Can you describe the network infrastructure a bit.. ie: is https://gemini.ourcompany.com being NAT'd or IP redirected.. and if you browse to Gemini on the actual server it's installed on can you use the https://gemini.ourcompany.com ?

Am just confused as to why TinyMCE would be trying to use a different URL - and where it's getting a reference to that URL from ?


Dave Long

no problem.

Gemini.ourcompany.com actually resolves to the real world ip address of an ISA2006 Server listening on both HTTP and HTTPS

There is an ISA Web Listener on this ip address listening on both 80 and 443 set up to allow http basic and integrated authentication

the ISA server has a Publishing rule for /Gemini/* that exposes the internal server location http://internalgeminiserver.ad.ourcompany.com:8080/Gemini/*

(it's on 8080 because there is another web server already running on 80)

We have several different "servers" exposed this way (some of our own web services, Microsoft Exchange and a few others) and we've set this up the same way to make sure it (in theory!) should work.

We're using Integrated authentication in Gemini and that all seems to be working perfectly.

I could arrange a user account in gemini for you to try it out direct if that may help?


PeterJ

Hi Peter

I suspect what is happening here is that the TinyMCE .NET DLL (MoxieCode.TinyMCE.dll) is resolving to the Internal URL (maybe from the host headers, or the Site Config or something, at a guess) at run time and returning that URL as tinyMCE's base URL to the page to load... as the External Address used in the Request is not accessible from inside the ISA server

Drop me a mail to dave AT itbsoftware.co.za and I'll happily take a look, but it's likely going to take a few trial and error type approaches before we can resolve the issue.

Dave


Dave Long

Hi Again...

Thinking about it more this makes sense as to what's happening... ISA is translating the URL to the internal address, so when the webserver receives the request, it's on "http://gemininternal.....com:8080/Gemini/" - this is then not getting translated back when it goes through the ISA Web Listener...

So... a possible solution... but a bit of a hack that may work...

1st.. is the Gemini Instance Only ever accessed on the https://gemini.ourcompany.com URL ? ie: no-one is using gemini directly on the internal URL ?

If the above is true, then we may be able to hack the tinyMCE init scripts to solve the problem for your specific scenario...

open the file /js/tinymce/tiny_mce.js and "find" the following code snippet...

{b.ScriptLoader.add(this.urls[e]+"/langs/"+d.language+".js")}

change this to :

{b.ScriptLoader.add("/langs/"+d.language+".js")}

and then try the request again ?

Note, if anyone is accessing this from the internal URL the above change will break things for them, as the internal URL is running on a virtual directory, so changing the path to root relative will break it... if they are, you can probably find a simple script to check the request URL and then return an appropriate result for each case ?

Hope this helps, Dave


Dave Long

You've hit that one squarely on the head!

Changing that line does indeed fix it!

That gets us going nicely - once we're ready to move it to full production we're actually going to move it to a different server where it can run on 80 instead of 8080 and then we can just set ISA to forward the original headers in which case tinyMCE can go ahead and use its original line of code as it will be receiving the proper URL.

Job done :)

··· Excellent! Glad it helped :-) (Dave Long, Thursday, May 26, 2011, 3:20:45 PM)

PeterJ

Oh, and here also....

sl.add(tinymce.baseURL + '/langs/' + s.language + '.js');

Seeing this one, you may be able to add a base_url setting to the gemini web.config file that would mean you don't need to change these scripts... but same internal vs. external problem as above would still exist...


Dave Long

Well, it turned out to be a little more complicated than all of the above, and huge thanks to Dave Long for spending a good amount of time working on it with me.

It looks like a problem within tinyMCE where it's writing absolute URLs instead of relative ones, and then ISA isn't rewriting these when passing the response back to the client browser.

So the ISA Server receives a URL request for the external website URL and edits the header to turn the URL into an internal request and passes it on to the internal IIS server.

tinyMCE uses this internal address to create the urls and it gets passed all the way back to the client. The client browser then ends up trying to access resources using the internal URL which is obviously not visible from the outside world.

To work around this, we had to change the local IIS to run on port 80 and port 443 (so it will work with SSL and plain) rather than 8080, and also then in ISA turn on the option to preserve the original header - therefore tinyMCE is still writing absolute URLs instead of relatives, but at least they are absolutes to the 'realworld' URL instead.

Hope that makes sense!

Dave is going to take a further look to see if the tinyMCE can use a basepath instead of an absolute

thanks again dave!


PeterJ
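
Added example (not part of the thread, and not Gemini, TinyMCE or ISA code): a small JavaScript model of the failure diagnosed above, showing how an absolute base URL built from the proxied request produces the insecure, internal-host script request, and how preserving the original host header removes it. The function names and the preserveHost flag are hypothetical; the hostnames are the placeholders used in the thread, and it assumes the proxy forwards with the same scheme when the host is preserved.

```javascript
// Constructed sample values taken from the thread's placeholder hostnames.
const PUBLIC_PAGE = "https://gemini.ourcompany.com/Gemini/";
const INTERNAL_ORIGIN = "http://internalgeminiserver.ad.ourcompany.com:8080";

// The request as the application behind the reverse proxy sees it.
// preserveHost models the proxy option "forward the original host header".
function requestSeenByApp(publicUrl, internalOrigin, preserveHost) {
  const pub = new URL(publicUrl);
  const internal = new URL(internalOrigin);
  return {
    scheme: preserveHost ? pub.protocol : internal.protocol,
    host: preserveHost ? pub.host : internal.host,
    path: pub.pathname,
  };
}

// Server-side code that derives an absolute editor base URL from that request.
function absoluteBaseUrl(req) {
  return `${req.scheme}//${req.host}${req.path}js/tiny_mce`;
}

// Flag what a browser (or a proxy trace) would show for one resource URL.
function classifyResource(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // relative URLs resolve against the page
  const findings = [];
  if (page.protocol === "https:" && res.protocol === "http:") {
    findings.push("mixed-content");
  }
  if (res.host !== page.host) {
    findings.push("foreign-host:" + res.host);
  }
  return findings;
}

// End to end: which language-pack URL reaches the client, and is it a problem?
function audit(pageUrl, internalOrigin, preserveHost) {
  const req = requestSeenByApp(pageUrl, internalOrigin, preserveHost);
  const langScript = absoluteBaseUrl(req) + "/langs/en.js";
  return { langScript, findings: classifyResource(pageUrl, langScript) };
}

console.log(audit(PUBLIC_PAGE, INTERNAL_ORIGIN, false));
console.log(audit(PUBLIC_PAGE, INTERNAL_ORIGIN, true));
```

A relative script reference passes the same check unchanged, which is why absolute URLs generated behind a host-rewriting proxy are the thing to look for in a trace.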