HAProxy w/SSL termination mixed content issue.

Mark Haney mark.haney at vifprogram.com
Fri Feb 12 15:40:12 UTC 2016 

The load balancer is just HAProxy on a Linux box (Ubuntu, but totally
irrelevant, I think).  While I can do SSL passthrough, I'm still stumped as
to why this is a problem.  The media listed does have 'http://' items
listed, but what doesn't make sense is that the server I'm pulling from
doesn't have that problem when it's pure HTTPS.  I would think absolute
URLs *on the web server* would have shown up while it has SSL on the server
itself.  That's what makes no sense to me.

However, I do appreciate the headsup for SSLdump.  I'd forgotten that tool
existed, which makes it a bit easier to move back to SSL Passthrough.
However, the OCD in me just can't let this lie without an answer.  Based on
what I understand of the SSL termination config, haproxy is supposed to
encrypt everything it gets from the HTTP web server so that the client sees
nothing but HTTPS packets.  For some reason, it's not doing that and that
bugs me.


On Fri, Feb 12, 2016 at 10:18 AM, Gordon Messmer <gordon.messmer at gmail.com>
wrote:

> On 02/12/2016 05:53 AM, Mark Haney wrote:
>
>> When I pull it through the load balancer (HTTPS) it doesn't with an error
>> about mixed content.
>>
> ...
>
>> Or can someone begin to tell me where to start debugging.
>>
>
> View the source of the page in FF, and look for the string "http://"
>
> Something in the site is generating absolute URLs; you want it to generate
> relative URLs.  Or, if that's not possible, you want it to generate
> absolute URLs with https://.
>
> If your proxy doesn't have hardware SSL acceleration, you also might find
> that the system will scale better when passing SSL straight through to the
> web servers.  If you want to observe encrypted traffic for debugging, use
> ssldump.  Wireshark may also be able to analyze encrypted traffic, but I
> haven't used it before.
>
> http://ssldump.sourceforge.net/
> https://wiki.wireshark.org/SSL
> --
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
>



-- 

Mark Haney ::: Senior Systems Engineer
*VIF* International Education
P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
919-265-5006 office

Global learning for all.
www.vifprogram.com
<http://www.vifprogram.com/?utm_source=signature&utm_medium=email&utm_campaign=VIF>
Find VIF on Facebook <http://facebook.com/VIFInternationalEducation> |
Twitter <https://twitter.com/vifglobaled> | LinkedIn
<http://www.linkedin.com/company/vif-international-education>

Recognized as a ‘Best for the World’
<http://bestfortheworld.bcorporation.net/> B Corp!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20160212/eac610af/attachment.html>

More information about the users mailing list