Support

Is it possible that your site is behind a TLS termination proxy, or a different kind of reverse proxy (including NginX configured as a reverse proxy, Varnish, a public CDN, etc)?

In this case, the web server on your site won't possibly know if the site is being accessed over HTTPS unless the proxy sets the X-Forwarded-Proto HTTP header to https. This is not an HTTP header you'll read about in any version of the HTTP protocol specification; it's a de facto standard. It's also very easy for someone less experienced to set up a reverse proxy forgetting to enable this header.

It's a bit beyond the scope of our support, but I can give you some general pointers and information which will help you set up your server.

First, read Wikipedia's very good overview of how a reverse proxy works. The simple diagram they have is something you need to internalise to successfully troubleshoot these issues.

What listens to ports 80 (HTTP) and 443 (HTTPS) on your server is NginX, not Apache. When NginX receives a request, it may serve it from its cache (that's why we use it in the first place), or by proxying the request through Apache. The latter means that NginX asks Apache to handle the request, but the result is NOT sent directly to the visitor by Apache. Instead, it is intercepted by NginX, processed as needed, with the processed result finally handed over by NginX to the visitor.

As you noticed, this means that Apache is isolated from the outside world. It does not know if the request is HTTP or HTTPS. It does not know who is the visitor making this request. It only knows what NginX tells it. If you are familiar with the way the Oracle in Delphi operated in the ancient world, that's pretty much it; NginX is the priests interfacing with the visitors, Apache is the Oracle, sitting alone in a dark room, spitting out its prophecies. All communication between the visitors and the Oracle is mediated through the priests.

This means that regardless of whether the visitor is using HTTP or HTTPS, Apache will only ever see a plain old HTTP request coming from NginX. As a result, Apache will not set the HTTPS environment flag for HTTPS request; it doesn't know it's being used, as this is not exposed in the request itself. The solution to that is for NginX to pass the X-Fowarded-Proto HTTP header which conveys which protocol was used in the actual request: HTTP or HTTPS. This can be done by putting proxy_set_header X-Forwarded-Proto $scheme; above the proxy_pass directive in your NginX configuration file.

Another problem with this configuration is that Apache always sees the IP address NginX runs on (in your case, 127.0.0.1) as the source for all traffic. This makes blocking the IP address naughty requests come from impossible. NginX can convey the real IP address of the visitor in the X-Forwarded-For HTTP header which allows the software running under Apache (such as Joomla) to find out the real IP address of the visitor, with some extra steps. This can be done by putting proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; above the proxy_pass directive in your NginX configuration file. You MUST also go into Joomla's Global Configuration and set Behind Load Balancer to Yes which tells Joomla to use the X-Forwarded-For HTTP header to determine the visitor's IP address.

You're welcome! I am happy to have been able to help you :)