Re: HAProxy w/SSL termination mixed content issue.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 02/12/2016 07:40 AM, Mark Haney wrote:
While I can do SSL passthrough, I'm still stumped as to why this is a problem. The media listed does have 'http://' items listed, but what doesn't make sense is that the server I'm pulling from doesn't have that problem when it's pure HTTPS. I would think absolute URLs /on the web server/ would have shown up while it has SSL on the server itself. That's what makes no sense to me.
When SSL is terminated in the server, Joomla can determine that the client wants https URLs, by checking properties of the connection. If you terminate SSL at the proxy, which then uses http: to the web server, your web apps determine that the client is using http: when they check the properties. And when they see a client on http:, they'll generate URLs that match. Some of the time you can influence that, but it depends on your app supporting an external SSL proxy and providing such settings.
However, I do appreciate the headsup for SSLdump. I'd forgotten that tool existed, which makes it a bit easier to move back to SSL Passthrough. However, the OCD in me just can't let this lie without an answer. Based on what I understand of the SSL termination config, haproxy is supposed to encrypt everything it gets from the HTTP web server so that the client sees nothing but HTTPS packets. For some reason, it's not doing that and that bugs me.
The one thing your proxy isn't doing is modifying the content of the web pages. If the server includes an http:// URL, it'll be passed to the client, which generates a warning. At that point, the client has only seen HTTPS packets, so your proxy is doing exactly what you expect. It's the web application that isn't, because you've obscured the fact that the client is requesting https:// URLs. 

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux