Options
Mixed content not in a response
![[Deleted User]](https://w4.vanillicon.com/v2/4ed16b89623dc1d93f8ab66a3474f5a6.svg)
in System
Hi All,
I'm facing a problem with my vThunder version 2.7.2-P10(build:85). I have to publish an internal application that, after the login, build a dynamic content by xmlhttprequest. I made a simple configuration with https on the VIP and full reverse proxy through app switching in the http template pointing to the application backend in http on port TCP/8124. I can reach correctly the login page but when I put credentials a blank page is showed. A deeper research tracking the application with the web developer tools of the browser shown a mixed content error. The application share some parameters by some xmlhttprequest but it reference to http content so the error is shown. The problem doesn't appear if I call directly in https on the application or If I replace a similar configuration on an apache frontend. I tried to intercept the response and rewrite them in htpps but the page referenced are not contained in any response header. Have you got any idea on how to debug it and resolve? I can't think that this configuration is possible in Apache but not in the A10 balancer.
Thank you in advance
Luca
I'm facing a problem with my vThunder version 2.7.2-P10(build:85). I have to publish an internal application that, after the login, build a dynamic content by xmlhttprequest. I made a simple configuration with https on the VIP and full reverse proxy through app switching in the http template pointing to the application backend in http on port TCP/8124. I can reach correctly the login page but when I put credentials a blank page is showed. A deeper research tracking the application with the web developer tools of the browser shown a mixed content error. The application share some parameters by some xmlhttprequest but it reference to http content so the error is shown. The problem doesn't appear if I call directly in https on the application or If I replace a similar configuration on an apache frontend. I tried to intercept the response and rewrite them in htpps but the page referenced are not contained in any response header. Have you got any idea on how to debug it and resolve? I can't think that this configuration is possible in Apache but not in the A10 balancer.
Thank you in advance
Luca
0
Comments
I expect the problem lies with the fact that you are doing SSL-Offloading on the vThunder and thus the backend service see HTTP requests rather than HTTPS.
As such in the dynamic content it is using HTTP based references.
As the more modern clients especially in secured environments with authentication, are actively blocking mixed content (when a site was contacted through HTTPS, but objects from that same site are also presented/referenced to through HTTP) this causes the issue you see.
What is required, is to look at all content, not just the headers, but the full content the backend is sending to the client and rewrite all the information there to make sure only HTTPS is used.
Apache solves this in 2 ways.
1. you set up full SSL proxy, and apache functions as both an SSL Server (for the client to connect to) and an SSL Client (to connect to the backend server)
now the backend server only sees HTTPS connections coming in and will (when configured properly) only return references to HTTPS objects.
2. if as you say you use Apache as a frontend and the issue does not occur, apache must be rewriting all http references in the content it delivers to the client. I suppose it uses mod_substitute automatically to do this.
With A10 you can do the same, but you will need to use aFlex.
# this aFleX collects the HTTP response and then replaces all instances of # the pattern "http://" in the payload with "https://" when HTTP_REQUEST { # remove "Accept-Encoding" header to make sure server doesn't send compressed response # (this is done automatically in Rel 2.6.1 and later) if { [HTTP::header exists "Accept-Encoding"] } { HTTP::header remove "Accept-Encoding" } } when HTTP_RESPONSE { # check Content-Type to avoid unnecessary collects if { [HTTP::header "Content-Type"] contains "text" } { HTTP::collect } } when HTTP_RESPONSE_DATA { set clen [HTTP::payload length] regsub -all "http://" [HTTP::payload] "https://" newdata HTTP::payload replace 0 $clen $newdata HTTP::release }thank you for your answer, yes I'm doing SSL offloading on my balancer. So I understand I need to put a specific aflex on this VIP? Have you got any example on what kind of job I should do to rewrite all the content?
Thanks
Luca
In the aFlex above, you might need to alter the content types to make sure you are really rewriting all, I am not sure if the responses are still just classified as text.
Thank you
Luca
Mixed Content: The page at 'https://<HOST>/syracuse-main/html/main.html?url=%3Frepresentation%3Dhome.%24navigation' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<HOST>/sdata/syracuse/collaboration/syracuse/$prototypes('userProfile.$edit')'. This request has been blocked; the content must be served over HTTPS.
Have you got any other hint on how to debug it?
Luca
In that case the search in the aFlex will not match your content nor the possible variables that need to be altered.
Further investigation on how this dynamic content is exactly created and what influences the scripting on the client side is required.
I'd suggest opening a case with our support.
They will require you to understand where the mixed content requests are originating, before they can help to see if this can be mitigated/taken care of on the A10.
At the moment it doesn't seem like a particular A10 issue to me.
When you use the Apache as SSL proxy, do the Apache and backend run on separate machines?
If that is not the case and they run on the same system, it seems logical to me that you then do not see this issue.