Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAProxy and 'Loading mixed (insecure) display content' warnings on http backend

    Scheduled Pinned Locked Moved Cache/Proxy
    3 Posts 2 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      revmarkp
      last edited by

      My homelab is hosting a node.js app. I'm using HAProxy on pfSense in front of it so that I can if needed scale up the number of backend VMs running the app. I'm also using HAProxy for SSL offloading. The backend node.js, and it's mongoDB are http. All is fine with my 3rd party TLS certs being seen on the homepage (green padlock etc). However when a user goes into the site there are many warnings about 'loading mixed (insecure) display content', coming through from the app, and the padlock gives a warning that the connection is 'not secure' as result. they're mostly linked with calls to the db.

      This seems to be a common issue, but I'm struggling to grasp which option (for the frontend?) I need to add to solve this.
      Would one of the http-request-header or http-resposne-header' actions' apply https to all responses coming out the backend server (I think that's what I need to achieve)

      Here's my HAProxy config:

      
      # Automaticaly generated, dont edit manually.
      # Generated on: 2019-12-19 09:41
      global
      	maxconn			100
      	stats socket /tmp/haproxy.socket level admin 
      	uid			80
      	gid			80
      	nbproc			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	tune.ssl.default-dh-param	2048
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	stats admin if TRUE
      	stats show-legends
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      frontend SpottingTrains_FE1
      	bind			192.168.1.100:443 name 192.168.1.100:443   ssl crt-list /var/etc/haproxy/SpottingTrains_FE1.crt_list  
      	mode			http
      	log			global
      	option			http-keep-alive
      	timeout client		30000
      	http-request add-header X-Forwarded-Proto https
      	acl			aclcrt_SpottingTrains_FE1	var(txn.txnhost) -m reg -i ^www\.spottingtrains\.com(:([0-9]){1,5})?$
      	acl			aclcrt_SpottingTrains_FE1	var(txn.txnhost) -m reg -i ^spottingtrains\.com(:([0-9]){1,5})?$
      	http-request set-var(txn.txnhost) hdr(host)
      	use_backend PengellyBeckett1_BE_ipvANY  if   aclcrt_SpottingTrains_FE1
      
      backend PengellyBeckett1_BE_ipvANY
      	mode			http
      	id			100
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			pengellybeckettvm1 10.10.20.10:7331 id 101 check inter 1000
      

      [192.168.1.100 is the WAN IP from another router]

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @revmarkp
        last edited by

        @revmarkp
        A browser will usually not connect to a DB.. not sure where you got that idea..

        As for the app, it might load javascript, or perform additional requests for some json data or include a image or anything that should be loaded from the webserver...
        If the page that is served contains absolute url's to such resources and points them to http://x.y.z/resource.js then then the browser will complain about mixed content for your https site.. The best solution is probably to get rid of those absolute urls.. As a workaround you could possibly add the "Content-Security-Policy: upgrade-insecure-requests;" header in the responses from haproxy.. That can be done with a 'Action' in the package..

        1 Reply Last reply Reply Quote 0
        • R
          revmarkp
          last edited by

          Many thanks for your response PIBa...

          Since posting my question I have learned that re-writing the headers, using actions in HAProxy is not going to help rewrite the content of the pages themselves (my bad, I'm a noob). The calls to the MongoDB were not direct as you suggested, they were indirect responses from the parseserver app. The solution has been to simply tell the db to declare these https:// urls and that works fine. I had assumed if the db and the parse server weren't actually TLS themselves this might not work, but that was over thinking it perhaps.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.