Calling an insecure endpoint from a site running under HTTPS - nginx

My application runs under HTTPS with a valid certificate from one of the known credentials. Unfortunately, I am using a third-party API that does not support HTTPS.

The result is a known message: "Mixed content: mydomain.com requested an unsafe XMLHttpRequest endpoint."

Is it possible to add an exception on the web server so that this API call is allowed insecurely? I am using Nginx, BTW.

If not, what other options might be available to solve this problem?

I have a solution, but I do not like it, because it will cost performance:

Implement an API that acts as a proxy server: it receives requests from the application via HTTPS and makes the requests to the third-party HTTP API.

+6
2 answers

I also had this problem. Everything on the page should come from and request https if you use https and do not want warnings / errors. You do not need to implement an API to proxy if you use nginx. No matter what you implement, performance will take a hit, as you guessed. Just use proxy_pass in nginx. In our configuration, we have:

location /thirdparty/ {
    # Directive name is proxy_pass (with an underscore)
    proxy_pass http://thirdpartyserver/;
}

Note the trailing slash in the proxy_pass. I keep all third-party APIs under https://myserver/thirdparty/requesturl. The trailing slash removes thirdparty when the request is made, so it becomes http://thirdpartyserver/request

Official link: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass

+3

To allow mixed content, individual users must enable it in their browsers. Allowing HTTP content from a single source is enough to jeopardize HTTPS security, so browsers prohibit mixed content by default. The solutions that I see are as follows:

  • Getting rid of HTTPS (which I would not recommend)
  • Proxying the requests as you suggest (this is still not very secure)
  • Getting rid of the HTTP content

Google has some recommendations for developers in step 1 (but they are mostly repeated above): https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content#step-1

0
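
A fuller version of the proxy setup from the first answer, written with the second answer's caveat in mind that the hop to the third party is still cleartext HTTP. This is an added example, not configuration posted by either answerer. The server name, certificate paths, cache path and sizes are placeholders, and it assumes the third-party API is read-only and needs none of your site's cookies or credentials.

```nginx
# Added example. Everything below lives in the http {} context.
# Cache zone name, path and sizes are placeholders.
proxy_cache_path /var/cache/nginx/thirdparty keys_zone=thirdparty:10m
                 max_size=100m inactive=10m;

server {
    listen 443 ssl;
    server_name myserver;                              # placeholder
    ssl_certificate     /etc/nginx/tls/myserver.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/myserver.key;   # placeholder path

    # The browser calls https://myserver/thirdparty/request, which is
    # same-origin HTTPS, so no mixed-content error is raised.
    location /thirdparty/ {
        # proxy_pass with a URI part (the trailing "/"): the matched
        # prefix /thirdparty/ is replaced by "/", so the upstream
        # receives /request.
        # Without the URI part (proxy_pass http://thirdpartyserver;)
        # the upstream would receive /thirdparty/request unchanged.
        proxy_pass http://thirdpartyserver/;

        # The upstream hop is unencrypted: do not forward the user's
        # first-party credentials. An empty value drops the header.
        proxy_set_header Cookie "";
        proxy_set_header Authorization "";

        # Do not let the third party set cookies on your origin.
        proxy_hide_header Set-Cookie;

        # Assumption: the API is read-only. GET (and HEAD) only.
        limit_except GET {
            deny all;
        }

        # Fail fast if the third party is slow or down.
        proxy_connect_timeout 3s;
        proxy_read_timeout    10s;

        # Short-lived cache to offset the extra hop. Safe here only
        # because no per-user credentials are forwarded upstream.
        proxy_cache       thirdparty;
        proxy_cache_valid 200 1m;
    }
}
```

Run nginx -t before reloading. Responses fetched over HTTP can still be read or altered between your server and the third party, so treat them as untrusted input in the application.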
