Re: HAProxy w/SSL termination mixed content issue.

The load balancer is just HAProxy on a Linux box (Ubuntu, but totally irrelevant, I think).  While I can do SSL passthrough, I'm still stumped as to why this is a problem.  The media listed does have 'http://' items listed, but what doesn't make sense is that the server I'm pulling from doesn't have that problem when it's pure HTTPS.  I would think absolute URLs on the web server would have shown up while it has SSL on the server itself.  That's what makes no sense to me.

However, I do appreciate the heads-up for SSLdump.  I'd forgotten that tool existed, which makes it a bit easier to move back to SSL Passthrough. However, the OCD in me just can't let this lie without an answer.  Based on what I understand of the SSL termination config, haproxy is supposed to encrypt everything it gets from the HTTP web server so that the client sees nothing but HTTPS packets.  For some reason, it's not doing that and that bugs me.


On Fri, Feb 12, 2016 at 10:18 AM, Gordon Messmer <gordon.messmer@xxxxxxxxx> wrote:
On 02/12/2016 05:53 AM, Mark Haney wrote:
When I pull it through the load balancer (HTTPS) it doesn't with an error about mixed content.
...
Or can someone begin to tell me where to start debugging.

View the source of the page in FF, and look for the string "http://"

Something in the site is generating absolute URLs; you want it to generate relative URLs.  Or, if that's not possible, you want it to generate absolute URLs with https://.

If your proxy doesn't have hardware SSL acceleration, you also might find that the system will scale better when passing SSL straight through to the web servers.  If you want to observe encrypted traffic for debugging, use ssldump.  Wireshark may also be able to analyze encrypted traffic, but I haven't used it before.

http://ssldump.sourceforge.net/
https://wiki.wireshark.org/SSL
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



--

Mark Haney ::: Senior Systems Engineer

VIF International Education
P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
919-265-5006 office

Global learning for all.
www.vifprogram.com
Find VIF on Facebook | Twitter | LinkedIn

Recognized as a ‘Best for the World’ B Corp!
