Mixed content not in a response

Community Forum Forums Thunder and AX Series General Mixed content not in a response

This topic contains 7 replies, has 2 voices, and was last updated by avatar luca.dm 2 months, 2 weeks ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #12602
    avatar
    luca.dm
    Member

    Hi All,
    I’m facing a problem with my vThunder version 2.7.2-P10(build:85). I have to publish an internal application that, after the login, build a dynamic content by xmlhttprequest. I made a simple configuration with https on the VIP and full reverse proxy through app switching in the http template pointing to the application backend in http on port TCP/8124. I can reach correctly the login page but when I put credentials a blank page is showed. A deeper research tracking the application with the web developer tools of the browser shown a mixed content error. The application share some parameters by some xmlhttprequest but it reference to http content so the error is shown. The problem doesn’t appear if I call directly in https on the application or If I replace a similar configuration on an apache frontend. I tried to intercept the response and rewrite them in htpps but the page referenced are not contained in any response header. Have you got any idea on how to debug it and resolve? I can’t think that this configuration is possible in Apache but not in the A10 balancer.

    Thank you in advance

    Luca

    #12612
    avatar
    diederik
    Member

    Hello,

    I expect the problem lies with the fact that you are doing SSL-Offloading on the vThunder and thus the backend service see HTTP requests rather than HTTPS.
    As such in the dynamic content it is using HTTP based references.

    As the more modern clients especially in secured environments with authentication, are actively blocking mixed content (when a site was contacted through HTTPS, but objects from that same site are also presented/referenced to through HTTP) this causes the issue you see.

    What is required, is to look at all content, not just the headers, but the full content the backend is sending to the client and rewrite all the information there to make sure only HTTPS is used.

    Apache solves this in 2 ways.

    1. you set up full SSL proxy, and apache functions as both an SSL Server (for the client to connect to) and an SSL Client (to connect to the backend server)
    now the backend server only sees HTTPS connections coming in and will (when configured properly) only return references to HTTPS objects.

    2. if as you say you use Apache as a frontend and the issue does not occur, apache must be rewriting all http references in the content it delivers to the client. I suppose it uses mod_substitute automatically to do this.

    With A10 you can do the same, but you will need to use aFlex.

    
    # this aFleX collects the HTTP response and then replaces all instances of
    # the pattern "http://" in the payload with "https://"
    when HTTP_REQUEST {
      # remove "Accept-Encoding" header to make sure server doesn't send compressed response
      # (this is done automatically in Rel 2.6.1 and later)
      if { [HTTP::header exists "Accept-Encoding"] } {
        HTTP::header remove "Accept-Encoding"
      }
    }
    
    when HTTP_RESPONSE {
      # check Content-Type to avoid unnecessary collects
      if { [HTTP::header "Content-Type"] contains "text" } {
        HTTP::collect
      }
    }
    
    when HTTP_RESPONSE_DATA {
      set clen [HTTP::payload length]
      regsub -all "http://" [HTTP::payload] "https://" newdata
      HTTP::payload replace 0 $clen $newdata
      HTTP::release
    }
    
    • This reply was modified 2 months, 2 weeks ago by avatar diederik.
    #12622
    avatar
    luca.dm
    Member

    hi Diederik,
    thank you for your answer, yes I’m doing SSL offloading on my balancer. So I understand I need to put a specific aflex on this VIP? Have you got any example on what kind of job I should do to rewrite all the content?

    Thanks

    Luca

    #12642
    avatar
    diederik
    Member

    One more thing to note… if you use any kind of scripting/includes in your websites, they might references external insecure content to be included, that could constitute mixed content and be blocked by the client as well.

    In the aFlex above, you might need to alter the content types to make sure you are really rewriting all, I am not sure if the responses are still just classified as text.

    • This reply was modified 2 months, 2 weeks ago by avatar diederik.
    #12662
    avatar
    luca.dm
    Member

    Sorry, I didn’t see all the message you sent me first. I will give it a try and will tell you the results.

    Thank you

    Luca

    #12672
    avatar
    luca.dm
    Member

    Unfortunately it doesn’t work. I can see the aflex is hitted (increasing counters on the monitor mode) but I obtain the same error:

    Mixed Content: The page at ‘https://<HOST>/syracuse-main/html/main.html?url=%3Frepresentation%3Dhome.%24navigation’ was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ‘http://<HOST>/sdata/syracuse/collaboration/syracuse/$prototypes(‘userProfile.$edit’)’. This request has been blocked; the content must be served over HTTPS.

    Have you got any other hint on how to debug it?

    Luca

    #12682
    avatar
    diederik
    Member

    You probably have javascript or API calls that combine multiple variables to construct the HTTP request on the client side?
    In that case the search in the aFlex will not match your content nor the possible variables that need to be altered.

    Further investigation on how this dynamic content is exactly created and what influences the scripting on the client side is required.

    I’d suggest opening a case with our support.
    They will require you to understand where the mixed content requests are originating, before they can help to see if this can be mitigated/taken care of on the A10.

    At the moment it doesn’t seem like a particular A10 issue to me.

    When you use the Apache as SSL proxy, do the Apache and backend run on separate machines?
    If that is not the case and they run on the same system, it seems logical to me that you then do not see this issue.

    • This reply was modified 2 months, 2 weeks ago by avatar diederik.
    #12702
    avatar
    luca.dm
    Member

    Yes there are some Javascript but is not so simple understand how the http request is built. The Apache was on a separate machine tried by my colleague and it worked fine without any particular configuration. It seems that the problem is only through the balancer but we are not able to investigate further.

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.

Comments are closed.