IIS and nginx/Varnish - WebForms can't load "WebResource" over SSL?

We have put up a Varnish server in front of IIS.
We configured IIS to serve non-SSL traffic to Varnish, and then NGINX proxies everything for us over SSL (rewriting non-SSL traffic to SSL) from the local Varnish proxy.
Everything seems to work fine except for a few of those webresource scripts.
In the HTML the script tag is as follows, using a relative path like my other scripts (e.g. jQuery), which load fine.
<script src="/ScriptResource.axd?d=6uPUkgsnuI6bNNqsGNPwyYxfMKrscMZRBRF2qryQunH79WGeJKinT5LSOz4dgI3pMcYvAuAL2CF8edx8jqS5kzCUSBNhkgtxn779pz4r4s4-EUnJ08DyzAMEVy9czI-nbL_zTBJ0Y-62dvqDT5tm7XxUtSCilM9esKhQq3SfIxM1&t=ca758f3" type="text/javascript"></script>
But then all browsers say the content is loaded from a non-secure source and is blocked.
(Screenshot: Chrome's request headers)
I ran Fiddler to see what is going on. It seems like there is a 301 redirect on the script, from http to https. OK, both load.
But why on earth are browsers trying to load the scripts from http:// if the script tag is set to a relative path?
This only happens on these 3 WebResource files; all other, non-WebForms scripts load just fine.


Rewrite rule for targeting http only (no https)

A website that I manage was recently switched via cPanel to redirect to https. Unfortunately a single site/folder/program works only over http and not over https (I don't know why).
Is there any rewrite rule that will force this site to load in http only?
The whole thing is made like this:
https://example.com --> HTTPS (ok and desired to be in https)
http://example.com/NastyWebApp --> HTTP (doesn't work in https)
What I need, is to force the NastyWebApp to load in http only.
Perhaps not the ideal solution, but a solution that will do the job, via Javascript:
<HTML><HEAD><title>Nasty Web App</title></HEAD>
<body><SCRIPT LANGUAGE="JavaScript">window.location.replace("http://stackoverflow.com/nastywebapp.php");</SCRIPT></body></HTML>

Strange Mixed Content Issue

I've been having this error in Chrome Developer Tools for a while and I just can't seem to find the insecure http:// request. It points to my domain but without https://. http://www.example.com/ is not a script so I don't understand where it's coming from.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html'
was loaded over HTTPS, but requested an insecure script 'http://www.example.com/'. This request has been blocked;
the content must be served over HTTPS.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html'
was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.example.com/'.
This request has been blocked; the content must be served over HTTPS.
Thanks
I had a similar issue. Is the page you are hosting a single page application with HTML5/history/push-state routing?
This type of routing goes by many names, but what it does is replace your hash-based url https://address.com/page/#client/side/route with regular routes such as https://address.com/page/client/side/route. When the files are hosted with a static file server, the file server may not know about the client-side routing and return a 404 instead of routing everything to index.html. Apparently, this can lead to the problem you described in Chrome even though the page might appear to work.
In short, many static file hosting tools are not suitable to serve a SPA with HTML5 routing, notably http-server (https://github.com/indexzero/http-server/issues/80). Try a different tool (e.g. serve) or use nginx with try_files $uri $uri/ index.html.
This means your web page is being accessed over https, but it uses resources that are served over http. Modern browsers like Chrome consider this a security risk. The browser does not load the http resources and shows a warning in the developer console.
The solution is to change the protocol from http to https for all resources that are being accessed over http.
See this link: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content#alternatives_to_csp
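The check the posts above did by hand (hunting through the markup for the http:// reference), as an added example written for this page rather than taken from any of the answers: a stdlib-only Python script that resolves every sub-resource reference in an HTML document against the page URL and reports the ones Chrome would flag. The page URL, host names and markup are constructed; the script also covers srcset candidates and protocol-relative (//host/...) URLs, which the posts do not mention.

```python
"""Static mixed-content check for a page served over HTTPS.

Added example, not code from any of the posts above: it resolves every
sub-resource reference in a constructed HTML document against the page URL
and reports those that would be fetched over plain http://, tagged with how
Chrome treats that category.  All URLs and markup below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute(s) holding the fetched URL for each element.  <a href> is a
# navigation, not a sub-resource fetch, so it is deliberately absent.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
}

# Chrome blocks active content (scripts, stylesheets, frames, plugins)
# outright; images and media are "optionally blockable".
BLOCKED = {"script", "link", "iframe", "object"}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, raw URL) for every resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag, ())
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            if name == "srcset":
                # "a.png 1x, b.png 2x" -> one reference per candidate URL
                for cand in value.split(","):
                    parts = cand.split()
                    if parts:
                        self.refs.append((tag, name, parts[0]))
            else:
                self.refs.append((tag, name, value.strip()))


def find_mixed_content(page_url, html):
    """Return one dict per sub-resource that resolves to an http:// URL.

    Relative paths and protocol-relative URLs inherit the page scheme, so on
    an https page they are never mixed content; only explicit http:// is.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for a secure page
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.refs:
        resolved = urljoin(page_url, raw)
        if urlsplit(resolved).scheme == "http":
            findings.append({
                "tag": tag,
                "attr": attr,
                "url": resolved,
                "treatment": "blocked" if tag in BLOCKED else "optionally blockable",
            })
    return findings


# Constructed sample: one explicit http:// stylesheet and one http:// image
# with an http:// srcset candidate, plus relative, protocol-relative and
# https references that are fine.
SAMPLE_PAGE_URL = "https://www.example.com/category/a-product.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/skin/style.css">
<script src="/ScriptResource.axd?d=abc&amp;t=123"></script>
<script src="//cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://www.example.com/media/banner.png"
     srcset="http://www.example.com/media/banner@2x.png 2x">
<a href="http://www.example.com/">home</a>
<iframe src="https://www.example.com/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['treatment']:20} <{f['tag']} {f['attr']}> {f['url']}")
```

Run it against a saved copy of the page's HTML to get the list of offending references with their element and attribute; anything injected by JavaScript at runtime (XMLHttpRequest targets, dynamically created tags) is not visible to a static check and still has to be found in the browser's network panel.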

IIS 8 redirect loop when loading https

I have 2 Windows 2012r2 Servers (Dev and Production) both running IIS 8. Both were configured identically as far as I know. I am in the process of installing wildcard certs on both of them.
I installed the cert on my Dev server and it's working. One thing that surprised me though was that I didn't have to add any additional bindings to any of my site configs (eg: I didn't add https/443) and just simply changing http to https in the browser is working, and showing the cert. Why is that?
My main question though is that on my Production server, before importing the wildcard cert, I tried simply changing the url for a couple of the domains I host from http to https in a browser to see what the result would be. When I do this I'm getting a redirect loop for all https tests. ???
I don't have any https URL Rewrites configured so I don't know what the cause of the redirect loop is. It does it for all sites on this server when trying to load it using https.
example:
http://mydomain.example.com (works)
https://mydomain.example.com (redirect loop)
Safari says, "...redirected you too many times. ERR_TOO_MANY_REDIRECTS"
Chrome says, "Too many redirects occurred..."
Additionally, if I load http://localhost on the server itself it works. If I load https://localhost I get an error, "Not Found - HTTP Error 404".
I should add that this Production server is behind an F5 Load Balancer so that could be playing into this behavior as well.
The cause of the redirect loop for all sites on the Production server was an iRule on the F5 LB, which shouldn't have been there, that was looping port 443 back to itself. HTTPS for all sites worked after the iRule was removed.
With regard to the Dev server and https sites working without having to add a binding: I also discovered that the F5 was configured to handle certs with a wildcard cert, so local certs weren't even required. The data center team didn't communicate to me that the LB was configured to handle certs for these servers.

Can HTTPS web pages be permitted to load data over HTTP?

If a web page that's only served over HTTPS tries to load data (e.g. JSON) that's only available over "insecure" HTTP, Chrome blocks the request with a message that "This page is trying to load scripts from unauthenticated sources".
Is there a meta tag that can be added to the HTML page to override this, allowing the data to be loaded?
This is up to the browser and user now. It's not something you should try to disable.
Here's what you can do:
Change your external URLs to https if the external servers support it
Copy external scripts and serve them from your local server, if possible
If the above are not possible, you will need to set up a reverse proxy and serve them from there. E.g. if external content is at http://external.com/script.js, then change the URL to https://me.com/proxy/external.com/script.js, and have your proxy grab the insecure content and return it as required.
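The proxy approach from the last point, as an added example (not code from the answer): the URL rewrite on the HTML side and the reverse mapping on the proxy side, with an explicit host allowlist so the endpoint only fronts the upstreams you chose and cannot be used as an open proxy. The origin https://me.com, the /proxy/ prefix and the host external.com are taken from the answer's illustration; the allowlist check is an addition.

```python
"""URL mapping for the "reverse proxy the insecure resource" approach.

Added example, not code from the answer above.  The origin, prefix and
upstream host are the answer's illustrative values; the allowlist is an
added safeguard so the proxy path cannot fetch arbitrary hosts.
"""
from urllib.parse import urlsplit, urlunsplit

PROXY_ORIGIN = "https://me.com"           # our own HTTPS origin (assumed)
PROXY_PREFIX = "/proxy/"                  # path under which proxied content lives
ALLOWED_UPSTREAM_HOSTS = {"external.com"} # only hosts we deliberately front


def to_proxy_url(url):
    """Rewrite an http:// resource URL to go through our HTTPS proxy.

    http://external.com/script.js -> https://me.com/proxy/external.com/script.js
    https:// and relative URLs are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    return f"{PROXY_ORIGIN}{PROXY_PREFIX}{parts.netloc}{path}{query}"


def upstream_for(request_path, query=""):
    """Map an incoming /proxy/<host>/<path> request back to http://<host>/<path>.

    Returns None when the path is not under the proxy prefix or the host is
    not allowlisted.  Because the host is compared as an exact string, values
    like "evil.com@external.com" or "external.com:8080" are rejected too.
    """
    if not request_path.startswith(PROXY_PREFIX):
        return None
    rest = request_path[len(PROXY_PREFIX):]
    host, _, path = rest.partition("/")
    host = host.lower()
    if host not in ALLOWED_UPSTREAM_HOSTS:
        return None
    return urlunsplit(("http", host, "/" + path, query, ""))


if __name__ == "__main__":
    rewritten = to_proxy_url("http://external.com/script.js?v=2")
    print("page should reference:", rewritten)
    parts = urlsplit(rewritten)
    print("proxy fetches:", upstream_for(parts.path, parts.query))
    print("rejected:", upstream_for("/proxy/evil.com/x.js"))
```

The rewrite belongs in the template layer (or a response filter) so that every http:// sub-resource is emitted in proxied form, and `upstream_for` is what the proxy handler calls before making any outbound request; a None result should map to a 403 rather than a fetch.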

Secure HTTPS not working in Magento under CloudFlare

Here is my problem:
I have set Magento to run under SSL by setting the frontend secure option in admin to Yes.
The site runs under Cloudflare.
I set a page rule on Cloudflare (according to the support instructions) that goes:
http://fabshopper.com/*
Always uses HTTPS
I'm using the Ultimo theme in Magento.
When I open the site in the browser it shows the HTTPS connection, but most of the content is not loaded because the links are HTTP (including CSS, scripts and images).
The Ultimo theme is supposed to create links as either HTTP or HTTPS according to the Magento settings, but the links I'm getting are HTTP.
I ran out of ideas :(
Can anyone give me a hint?
Thanks
I went through the link you provided and found many URLs loaded from an insecure server. Check a few of them below:
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/skin/frontend/ultimo/fabshopper/images/fab_shopper.png': this content should also be loaded over HTTPS.
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/media/wysiwyg/autumn-cardigans.png': this content should also be loaded over HTTPS.
Just change HTTP to HTTPS for all insecure URLs and it will solve your problem.