Hi there,

First, tinymce uses an iframe for its pop-ups, so make sure you use:

    add_header X-Frame-Options SAMEORIGIN;

and not:

    add_header X-Frame-Options DENY;

I have a feeling that the issue is with the iframe coming from http in an https page.

Second, you definitely do not want to override SSL_FORCE_URL_PREFIXES to exclude /admin since that would yield plain text auth (==BAD). If you are interested in an SSL-only site, which I highly recommend, you may want to look at HSTS. I use it like the following in both the http (providing redirect) and https server blocks:

    add_header Strict-Transport-Security max-age=15768000;

The max-age is in seconds, feel free to set this to a longer time period. I think the max allowed is around 2 years or 63072000. You might want to add these headers too, for completion:

    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;

Third, to make mezzanine SSL-only, I set Enable SSL to True in the admin, and set SSL_FORCE_URL_PREFIXES="/" in my settings.py.

Also a couple of things jump out at me.

1) Don't use rewrite for your redirect to https, use 'return 301' (it's more efficient). Use the following in your server block:

    return 301 https://www.example.com$request_uri;

2) Don't use alias in your location blocks, use root like this:

    location /static/ {
        root /path/to/project;
        ## The following are optional, and will not help with 404s.
        access_log off;
        log_not_found off;
    }

Reference for that is here: http://nginx.org/en/docs/http/ngx_http_core_module.html#alias

Cheers,
Matt

--
M. Summers
"...there are no rules here -- we're trying to accomplish something." - Thomas A. Edison
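The advice in the message above, assembled into one pair of nginx server blocks as an added example (not from the original post or the Mezzanine project). The certificate paths, the 127.0.0.1:8000 upstream and the proxy headers are assumptions; the directive values are the ones the post gives.

```nginx
# HTTP: only job is to send everyone to HTTPS with a 301 (no rewrite).
server {
    listen 80;
    server_name www.example.com;
    # Sent on the redirect as well, as the post does; browsers only act on
    # HSTS received over HTTPS, so the https block below must send it too.
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://www.example.com$request_uri;
}

# HTTPS: the actual site.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key; # placeholder path

    # SAMEORIGIN rather than DENY: TinyMCE's pop-ups are same-site iframes
    # and DENY would make the browser refuse to render them.
    add_header X-Frame-Options SAMEORIGIN;
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;

    # root, not alias: /static/css/site.css maps to /path/to/project/static/css/site.css
    location /static/ {
        root /path/to/project;
        access_log off;      # optional
        log_not_found off;   # optional, does not fix 404s
    }

    # Assumed application upstream (gunicorn or similar on localhost).
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        # Tells Django/Mezzanine the original request was TLS so the
        # SSL_FORCE_URL_PREFIXES redirect does not loop; Django only trusts it
        # if settings.py sets SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https').
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Reload nginx (nginx -t first) and confirm with a response header dump that the https block, not just the redirect, carries the Strict-Transport-Security and X-Frame-Options values.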
