Hi there, First, tinymce uses an iframe for its pop-ups, so make sure you use: add_header X-Frame-Options SAMEORIGIN; and not: add_header X-Frame-Options DENY;
I have a feeling that the issue is with the iframe coming from http in an https page. Second, you definitely do not want to over-ride SSL_FORCE_URL_PREFIXES to exclude /admin since that would yield plain text auth (==BAD). If you are interested in SSL-only site, which I highly recommend, you may want to look at HSTS. I use it like the following in both the http (providing redirect) and https server blocks. add_header Strict-Transport-Security max-age=15768000; The max-age is in seconds, feel free to set this to a longer time period. I think the max allowed is around 2 years or 63072000. You might want to add these headers too, for completion: add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; Third, to make mezzanine SSL-only, I set Enable SSL to True in teh admin, and set SSL_FORCE_URL_PREFIXES="/" in my settings.py. Also a couple of things jump out at me. 1) Don't use rewrite for your redirect to https, use 'return 301', (it's more efficient). Use the following in your server block: return 301 https://www.example.com$request_uri; 2) Don't use alias in your location blocks, use root like this: location /static/ { root /path/to/project; ## The following are optional, and will not help with 404s. access_log off; log_not_found off; } Reference for that is here: http://nginx.org/en/docs/http/ngx_http_core_module.html#alias Cheers, Matt -- M. Summers "...there are no rules here -- we're trying to accomplish something." - Thomas A. Edison -- You received this message because you are subscribed to the Google Groups "Mezzanine Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to mezzanine-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
