Hi,
Not sure anyone else is experiencing the same, but maybe someone could help. The CSWeb server (v8.0.1) is throwing us an error when accessed from the web domain:
Mixed Content: The page at 'https://***/roles' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://***/getRoles?draw=***'. This request has been blocked; the content must be served over HTTPS.
In this instance, the HTTP request endpoint is using the internal URL of the server, which is strange because this URL was not configured anywhere in the app. The CSWEB API URL from the start was set up to use the external/domain HTTPS URL.
CSWEB Mixed Content: HTTPS load vs HTTP request
Re: CSWEB Mixed Content: HTTPS load vs HTTP request
Hello,
Please see this post on mixed active content. Changing the configuration to point to the https endpoint and deleting the cache should have CSWeb only use https instead of http.
Hope this helps,
Justin
Re: CSWEB Mixed Content: HTTPS load vs HTTP request
Hi Justin,
Thanks for your reply. The API_URL has been pointing to httpS since the initial setup. I've changed it in all possible combinations following your steps, but none worked.
Somehow the application refers to the internal server's http URL for the endpoint when it loads the users/roles tables.
If I access CSWeb on the internal network even while using its server httpS port everything works alright.
In the past we used an outbound rule in the URL Rewrite to force httpS while the API_URL was configured to the internal server's http URL, but that is not working in the latest CSWeb versions, I guess due to security enhancements.
Best regards,
iulian
Re: CSWEB Mixed Content: HTTPS load vs HTTP request
I am happy to follow up that a solution was found by disabling Compression. The issue apparently had to do with the Reverse Proxy and the following rule in the web.config file has fixed it:
<rule name="ReverseProxyInboundRule2" stopProcessing="true">
    <match url="(certsrv/.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Rewrite" url="http://scepserver.domain.com/{R:1}" logRewrittenUrl="true" />
    <serverVariables>
        <set name="HTTP_ACCEPT_ENCODING" value="" />
    </serverVariables>
</rule>
Hope this is not to the detriment of the app itself.
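Why blanking Accept-Encoding can matter behind a body-rewriting reverse proxy, shown as an added example that is not part of the original post or of CSWeb: a simplified Python model in which a rule that replaces an internal http:// origin cannot match inside a gzip-compressed body. The host names, the JSON body and the rewrite step are constructed assumptions, not the poster's actual setup.

```python
import gzip

# Constructed sample values, not taken from the thread.
INTERNAL = b"http://csweb-internal.example"
PUBLIC = b"https://csweb.example.org"


def backend_response(accept_encoding):
    """Constructed backend: emits its internal origin, gzips if allowed."""
    body = (b'{"roles": "' + INTERNAL + b'/getRoles", '
            b'"users": "' + INTERNAL + b'/getUsers"}')
    if "gzip" in accept_encoding.lower():
        return {"Content-Encoding": "gzip"}, gzip.compress(body)
    return {}, body


def outbound_rewrite(body):
    """Stand-in for a proxy outbound rule: byte-level origin replacement."""
    return body.replace(INTERNAL, PUBLIC)


def proxy(client_accept_encoding, clear_accept_encoding):
    """Return the body as the browser parses it after the proxy hop."""
    # Blanking the header mirrors <set name="HTTP_ACCEPT_ENCODING" value="" />.
    upstream = "" if clear_accept_encoding else client_accept_encoding
    headers, body = backend_response(upstream)
    body = outbound_rewrite(body)  # sees compressed bytes if gzip was used
    if headers.get("Content-Encoding") == "gzip":
        body = gzip.decompress(body)  # the browser decodes on receipt
    return body


def insecure_endpoints(body):
    """Count http:// references a page on HTTPS would have blocked."""
    return body.count(b"http://")


if __name__ == "__main__":
    for clear in (False, True):
        seen = proxy("gzip, deflate, br", clear)
        print(f"Accept-Encoding cleared={clear}: "
              f"{insecure_endpoints(seen)} insecure endpoint(s)")
```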
Re: CSWEB Mixed Content: HTTPS load vs HTTP request
Hello all,
I had the same error today, but I have deployed my CSWeb on a Linux environment with Apache and not with IIS.
I solved this issue by enabling the headers module and adding the following option to the VHost of Apache.
Header always set Content-Security-Policy "upgrade-insecure-requests"
This forces all requests to be made via HTTPS.
Hope it helps
Best regards