SSL OffLoading - installing nopCommerce behind a reverse proxy.

1 year ago
I'm trying to install nopCommerce v.4.60.1 behind a reverse proxy (ARR & UrlRewrite) having the SSL certificates installed on the proxy with a non-secure connection between the proxy and the content server.

Because the above installation topology from the point of view of nopCommerce is an insecure connection (non-SSL), nopCommerce will create non-secure urls (http instead of https) to the response. One example is in onepagecheckout.js  Billing object, where the save() function (line 147) makes an ajax call to a non-secure url, however because of the secure connection between the browser and the reverse proxy the browser recognises the page as secure and because the browser will not allow insecure calls (the Billing.save() ajax call) from a secure page, the call fails and the OnePageCheckout flow is halted.

I then tried to force nopCommerce to treat the connection as secure by setting HttpRequestFeature.Scheme to "https" implemented as an inline middleware in program.cs like this (in the example below, the protocol is hardcoded, however in reality the protocol will come from a header, conventionally X-Forwarded-Proto, added to the request by the reverse proxy):
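// Requires: using Microsoft.AspNetCore.Http.Features;
app.Use(async (context, next) =>
{
    // Overwrite the scheme seen by the rest of the pipeline (hardcoded here, see the note above).
    var httpRequestFeature = context.Features.Get<IHttpRequestFeature>();
    if (httpRequestFeature != null)
        httpRequestFeature.Scheme = "https";
    await next.Invoke();
});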

Now, if I add the protocol setting middleware BEFORE app.ConfigureRequestPipeline();, I will get an immediate browser error, e.g. in Chrome: "err_too_many_redirects" or in Firefox: "The page isn’t redirecting properly".

If on the other hand I add the protocol setting middleware AFTER app.ConfigureRequestPipeline();, I will NOT get any immediate browser error, however I will get the insecure call in a secure page error when trying to OnePageCheckout.

Well, that is how far I have come with the problem. I wonder if anybody has tried the same nopCommerce installation topology (running behind a reverse proxy with the certificates installed on the proxy), if it resulted in the same problem (insecure urls generated by nopCommerce leading to insecure calls from a secure page in the browser) and if so, how the problem was eventually resolved?

Note that I have also tried to signal the browser to upgrade all urls to secure by using this meta tag:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
which makes OnePageCheckout work in Chrome and Edge, but not in Firefox.

Last note: I have tried to install SSL certificates on the content server running without any reverse proxy, in which case OnePageCheckout works without problems (urls generated by nopCommerce get the correct protocol and therefore there are no insecure calls from within the secure page).
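
The header-driven variant the post above describes, as an added example that is not part of the original post and is not nopCommerce code: a stand-alone ASP.NET Core app that takes the request scheme from X-Forwarded-Proto through the framework's forwarded-headers middleware, and accepts the header only from a known proxy address. The proxy address 10.0.0.10 and the /scheme endpoint are assumptions made for illustration.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Honour only the two headers needed for SSL offloading:
    // the original scheme and the original client address.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;

    // The defaults trust loopback only. Replace them with the address
    // of the reverse proxy so that no other sender can set the scheme.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.10")); // assumed proxy address

    // Exactly one proxy hop sits in front of the content server.
    options.ForwardLimit = 1;
});

var app = builder.Build();

// Must run before anything that inspects Request.Scheme or Request.IsHttps
// (HTTPS redirection, URL generation, cookie policy).
app.UseForwardedHeaders();

// Diagnostic endpoint (assumed name): shows what the application believes
// about the connection after the middleware has run.
app.MapGet("/scheme", (HttpContext ctx) => new
{
    scheme = ctx.Request.Scheme,
    isHttps = ctx.Request.IsHttps,
    remoteIp = ctx.Connection.RemoteIpAddress?.ToString()
});

app.Run();
```

A request that does not arrive from the listed proxy keeps its original scheme even if it carries X-Forwarded-Proto: https, so a client that reaches the content server directly cannot make the application treat a plain HTTP connection as secure.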
10 months ago
Hi,

This is exactly the problem we are facing as well. Can someone from the nopCommerce team please provide some advice on how to solve this?
Thank you in advance!

Best regards Bart
10 months ago
We have exactly the same problem and spent a lot of days recognizing it. Can someone help us find a fix ASAP?