HAProxy community

Mixed content warning

Hi All,

I’m facing an issue with the following new architecture.

HAProxy manages the HTTPS https://mydomain client requests to access the backend HTTP IIS application server.

Global accesses to the application work fine, but pages request insecure frames http://mydomain.

I was looking to modify the HAProxy response to switch http to https, but I don’t know if this is the best practice.

Could someone help?
Thank you,
Thomas

Hello,

Even if you instruct HAProxy to redirect HTTP request to HTTPS, the browsers will block it. The request is blocked at a browser level, so the request doesn’t even leave the client’s terminal.
You should instruct your application to make HTTPS calls instead of HTTP (instead of calling “http://domain/img/pic1.png” you should use “https://domain/img/pic1.png” or even better, use relative links, like “/img/pic1.png”, therefor ignoring the protocol)

Regards,
Silviu

1 Like

Hi Silviu,
OK for the browser behaviour explanation.
We don’t wan’t that the backend application server supports SSL configuration, to manage the certificats only on the HAProxy.
So the only way should be the use of relativ URL’s in the IIS application side ? That means probably a huge code review…
No way to force IIS header Protocol responses translation from http to https if the HAProxy cannot intercept app response?

BR
Thomas

We don’t wan’t that the backend application server supports SSL configuration, to manage the certificats only on the HAProxy.

The IIS won’t support SSL, it will just launch the request using HTTPS protocol, instead of HTTP. But this is done via the app.

So the only way should be the use of relativ URL’s in the IIS application side ? That means probably a huge code review…

Depending on the app, you might have a variable which dictates the protocol to use / that defines the full URL. Wordpress has the site_url and home_url variables that you can change from http://domain to https://domain and will force all requests to be launched via HTTPS.

No way to force IIS header Protocol responses translation from http to https if the HAProxy cannot intercept app response?

I can’t say, unfortunately, since I haven’t played with IIS, but I don’t think there’s such thing. Probably you can do it via an interpreter that would translate all http:// to https:// but that’s a weird workaround and, to be honest, I wouldn’t do that.
Still, you don’t want your responses to be translated to https. You want to send the client links using https.
For example:
The client requests index.html. Index.html needs the following image for background: background.png.
You’re basically sending the client the index.html file that requires HTTP://domain/background.png and the client’s browser launches a new request to get that resource. Well, you need to change that HTTP to HTTPS.
The easiest way would be to change the variable dictating the protocol or, if that’s unavailable, code review and change http to https. That can be done via sed on Linux. I’ve used it in the past with success to change custom made apps that used to have links hardcoded.
For example:
sed -i "s/http:\/\/domain/https:\/\/domain/g" /var/www/domain/*
Where /var/www/domain is the webroot. The weird "\/" is needed to escape the “/” character.
The sed command above will go through all the files in the webroot (/var/www/domain/*), find occurrences of http://domain and replace inline with https://domain