Yeah, new users are restricted to a certain number of links for spam protection reasons. I bumped your trust level, you should be fine now.
Issue #1: your backend does not know that the client is actually already using HTTPS (because to nginx it looks like http, given that haproxy does the SSL termination) - so it keeps redirecting to HTTPS. So you need to tell your backend that HTTPS is used. The way to usually do this (for example in wordpress), is to add the X-Forwarded-Proto header (in your frontend, for example):
http-request set-header X-Forwarded-Proto https if { ssl_fc }
If (but only if) your backend application considers this header, it won’t redirect to https anymore if it isn’t justified. Wordpress should understand this. Support in other backend applications may vary. Disabling HTTPS redirect in your application could be another workaround.
Issue 2: this is because a secure HTTPS site either includes insecure HTTP links, or other insecure elements. Use the development console (F12) of Chrome or Firefox to understand this. In this case, the error in the dev console in Chrome is:
Resources - non-secure form
This page includes a form with a non-secure “action” attribute.
Because the form action points to a insecure link (notice the http:// here instead of https://):
<form id="loginForm" action="http://pterodactyl.blechinger.io/auth/login" method="POST">
To solutions (that does not require to hardcode https in your application):
- use relative links from root, like
action="/auth/login": but this breaks when your application is installed in something other than / - use scheme agnostic links, like
action="//pterodactyl.blechinger.io/auth/login"
hope this helps,
lukas