HAProxy and 'Loading mixed (insecure) display content' warnings on http backend

My homelab is hosting a node.js app. I’m using the HAProxy package on pfSense. I’m wanting to use HAProxy for SSL offloading. The backend node.js and its mongoDB are http. When a user goes into the site there are warnings about ‘loading mixed (insecure) display content’, coming through from the app, and the padlock gives a warning that the connection is ‘not secure’ as a result. They’re mostly linked with calls to the db.

This seems to be a common issue, but I’m struggling to grasp which option (for the frontend?) I need to add to solve this.
Would one of the http-request-header or http-response-header ‘actions’ apply https to all responses coming out of the backend server (I think that’s what I need to achieve)?

Here’s my HAProxy config:

# Automatically generated, don't edit manually.
# Generated on: 2019-12-19 09:41
global
	maxconn			100
	stats socket /tmp/haproxy.socket level admin 
	uid			80
	gid			80
	nbproc			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend SpottingTrains_FE1
	bind			192.168.1.100:443 name 192.168.1.100:443   ssl crt-list /var/etc/haproxy/SpottingTrains_FE1.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	http-request add-header X-Forwarded-Proto https
	acl			aclcrt_SpottingTrains_FE1	var(txn.txnhost) -m reg -i ^www\.spottingtrains\.com(:([0-9]){1,5})?$
	acl			aclcrt_SpottingTrains_FE1	var(txn.txnhost) -m reg -i ^spottingtrains\.com(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	use_backend PengellyBeckett1_BE_ipvANY  if   aclcrt_SpottingTrains_FE1

backend PengellyBeckett1_BE_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			pengellybeckettvm1 10.10.20.10:7331 id 101 check inter 1000

There is no option to solve this.

Your application needs to use relative links or use https links instead. Haproxy will not rewrite HTTP payload for you.
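As an added illustration of the answer above (not code from the thread or from HAProxy), a Node.js helper that builds https:// links from the X-Forwarded-Proto header the posted frontend already sets, and a check that finds the hard-coded http:// references the browser flags as mixed content. TRUSTED_PROXIES is an assumed placeholder for the HAProxy host's address; only the load balancer should be allowed to assert the public scheme.

```javascript
// Added example, not part of the original thread. The posted frontend does
// "http-request add-header X-Forwarded-Proto https", so the app can derive
// the public scheme from that header and stop emitting http:// URLs.
const TRUSTED_PROXIES = new Set(['10.10.20.1']); // placeholder, assumed HAProxy address

function publicScheme(req) {
  // Honour X-Forwarded-Proto only when the TCP peer is the proxy; otherwise a
  // direct client could claim "https" for a plain-HTTP hop and mislead the app.
  const peer = req.socket && req.socket.remoteAddress;
  const forwarded = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  if (TRUSTED_PROXIES.has(peer) && (forwarded === 'http' || forwarded === 'https')) {
    return forwarded;
  }
  // Fall back to what this hop actually is (TLS socket or not).
  return req.socket && req.socket.encrypted ? 'https' : 'http';
}

function absoluteUrl(req, path) {
  // Absolute links for API/db calls should use the scheme the browser sees,
  // not the http:// the backend itself is listening on.
  return `${publicScheme(req)}://${req.headers.host}${path}`;
}

function findMixedContent(html, host) {
  // Return every src/href that points at our own host over plain http://;
  // these are exactly the references that trigger the mixed-content warning.
  const escaped = host.replace(/\./g, '\\.');
  const re = new RegExp(`(?:src|href)=["']http://${escaped}[^"']*["']`, 'gi');
  return html.match(re) || [];
}

function demo() {
  // Constructed sample request as HAProxy would deliver it to the backend.
  const req = {
    headers: { host: 'www.spottingtrains.com', 'x-forwarded-proto': 'https' },
    socket: { remoteAddress: '10.10.20.1', encrypted: false },
  };
  // Constructed HTML fragment with one offending and one correct reference.
  const page = '<img src="http://www.spottingtrains.com/logo.png">' +
    '<a href="https://www.spottingtrains.com/trains">trains</a>';
  return { apiUrl: absoluteUrl(req, '/api/trains'),
           mixed: findMixedContent(page, req.headers.host) };
}
```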

Many thanks for your advice. Appreciated… before I waste my time thinking I had some options!

If it happens to help others, the suggestion here to use https:// urls was the way this issue was resolved. I think I had assumed that if the db and the parse server weren’t actually TLS themselves this might not work, but that was overthinking it perhaps. Prompt response here helped me figure this out quickly, for which I’m v grateful.
