HAProxy w/SSL termination mixed content issue.

Gordon Messmer gordon.messmer at gmail.com
Fri Feb 12 15:56:05 UTC 2016


On 02/12/2016 07:40 AM, Mark Haney wrote:
> While I can do SSL passthrough, I'm still stumped as to why this is a 
> problem.  The media listed does have 'http://' items listed, but what 
> doesn't make sense is that the server I'm pulling from doesn't have 
> that problem when it's pure HTTPS.  I would think absolute URLs /on 
> the web server/ would have shown up while it has SSL on the server 
> itself.  That's what makes no sense to me.

When SSL is terminated in the server, Joomla can determine that the 
client wants https URLs, by checking properties of the connection. If 
you terminate SSL at the proxy, which then uses http: to the web server, 
your web apps determine that the client is using http: when they check 
the properties.  And when they see a client on http:, they'll generate 
URLs that match.  Some of the time you can influence that, but it 
depends on your app supporting an external SSL proxy and providing such 
settings.

> However, I do appreciate the heads-up for SSLdump.  I'd forgotten that 
> tool existed, which makes it a bit easier to move back to SSL 
> Passthrough. However, the OCD in me just can't let this lie without an 
> answer.  Based on what I understand of the SSL termination config, 
> haproxy is supposed to encrypt everything it gets from the HTTP web 
> server so that the client sees nothing but HTTPS packets.  For some 
> reason, it's not doing that and that bugs me.

The one thing your proxy isn't doing is modifying the content of the web 
pages.  If the server includes an http:// URL, it'll be passed to the 
client, which generates a warning.  At that point, the client has only 
seen HTTPS packets, so your proxy is doing exactly what you expect.  
It's the web application that isn't, because you've obscured the fact 
that the client is requesting https:// URLs.
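
The scheme detection described in this message, as an added example that is not part of the original post or of Joomla's code. It assumes the proxy adds an `X-Forwarded-Proto: https` header to requests it received over TLS; the proxy address 10.0.0.5, the host name and the helper names are constructed for illustration.

```python
import ipaddress

# Assumption: the TLS-terminating proxy sits at this constructed address and
# adds "X-Forwarded-Proto: https" to requests that reached it over TLS.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.5/32"),)


def from_trusted_proxy(environ, trusted=TRUSTED_PROXIES):
    """True when the TCP peer is one of our own proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def effective_scheme(environ, trusted=TRUSTED_PROXIES):
    """Scheme the browser used, not the scheme of the proxy-to-server hop."""
    # This is all an app learns from the properties of its own connection.
    if environ.get("wsgi.url_scheme", "http") == "https":
        return "https"
    # Honour the forwarded header only when our proxy is the peer; a header
    # sent by an arbitrary client must not change the result.
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if forwarded == "https" and from_trusted_proxy(environ, trusted):
        return "https"
    return "http"


def absolute_url(environ, path, trusted=TRUSTED_PROXIES):
    """Build the kind of absolute URL a CMS writes into its pages."""
    return f"{effective_scheme(environ, trusted)}://{environ['HTTP_HOST']}{path}"


def sample_request(scheme, peer, forwarded=None):
    """Constructed WSGI environ for the demonstration."""
    env = {"wsgi.url_scheme": scheme, "REMOTE_ADDR": peer,
           "HTTP_HOST": "www.example.com"}
    if forwarded:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded
    return env


if __name__ == "__main__":
    for env in (sample_request("https", "203.0.113.7"),          # TLS on the server
                sample_request("http", "10.0.0.5"),              # TLS at proxy, no hint
                sample_request("http", "10.0.0.5", "https"),     # proxy sets header
                sample_request("http", "203.0.113.7", "https")): # untrusted peer
        print(absolute_url(env, "/media/logo.png"))
```

The second case is the mixed-content situation from the thread: the browser is on HTTPS, but the page it receives carries an `http://` URL.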


