Error loading some JavaScript due to insecure HTTP script URL

Problem

My new Indico deployment appears to be working properly overall except for some JavaScript loading errors I see on the event viewer page https://indico.example.com/event/1/ like this:

MathJax.js:833 Mixed Content: The page at ‘https://indico.example.com/event/1/’ was loaded over HTTPS, but requested an insecure script ‘http://indico.example.com/dist/js/mathjax/jax/input/TeX/config.js?V=2.7.9’. This request has been blocked; the content must be served over HTTPS.

The event viewer is still functional and the page loads fine otherwise. I only noticed this because Indico popped up some warnings at the bottom of the screen about it, and then I checked the browser error console.

Configuration

My Indico server is running behind an NGINX reverse proxy following the pattern in the indico/indico-containers repo on GitHub ("Containerization of Indico"). Both the Indico server and this NGINX container (plus a Celery container) run in a Kubernetes Pod. Ingress routing and TLS certificates are handled by Traefik.

My NGINX reverse proxy config is copied below, and here are my Service and Ingress configs.

server {
  listen 8080;
  listen [::]:8080;
  server_name indico.example.com;

  access_log /var/log/nginx/access.log combined;
  access_log /dev/stdout combined;
  error_log  /var/log/nginx/error.log info;
  error_log  stderr info;

  root       /var/empty;

  sendfile on;

  # Serve static files
  location ~ ^/(images|fonts)(.*)/(.+?)(__v[0-9a-f]+)?\.([^.]+)$ {
    alias /opt/indico/static/$1$2/$3.$5;
  }

  location ~ ^/(css|dist|images|fonts)/(.*)$ {
    alias /opt/indico/static/$1/$2;
  }

  location / {
    proxy_pass http://indico-web:59999;
    proxy_set_header Host $server_name;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 1G;
  }

}

My indico.conf is copied below:

BASE_URL = "http://indico.example.com"
USE_PROXY = True
DEBUG = False
SECRET_KEY = "*************"
SQLALCHEMY_DATABASE_URI = "postgresql://************"
REDIS_CACHE_URL = "redis://indico-redis-master:6379/0"
SMTP_SERVER = ("************", 25)
SUPPORT_EMAIL = "**********"
PUBLIC_SUPPORT_EMAIL = "**********"
NO_REPLY_EMAIL = "*************"
DEFAULT_TIMEZONE = "America/Chicago"
DEFAULT_LOCALE = "en_US"
CELERY_BROKER = "redis://indico-redis-master:6379/1"
STORAGE_BACKENDS = "{'default': 'fs:/opt/indico/archive'}"
ATTACHMENT_STORAGE = "default"
ENABLE_ROOMBOOKING = False
PLUGINS = {'previewer_code', 'vc_zoom', 'payment_manual'}
# Authentication
LOCAL_IDENTITIES = True
LOCAL_REGISTRATION = False
EXTERNAL_REGISTRATION_URL = '***************'
AUTH_PROVIDERS = {...}
IDENTITY_PROVIDERS = {...}

When I try to change the BASE_URL to use https instead of http I receive Indico errors that I am using an invalid URL, even though the https://indico.example.com URL in the browser matches the URL that Indico says is the valid URL in the error message.

Any help would be appreciated.

You need to fix BASE_URL to use https. If this causes errors it seems like Indico thinks it’s accessed via HTTP instead - try replacing $scheme with a hardcoded https, especially if you are nesting proxies/loadbalancers in front of it.

It works now, thanks! That was literally the only permutation I had not tried :laughing:

Note that with nested LBs you need to make sure that only the first one which sees the real user’s IP adds X-Forwarded-For - we currently do not support taking the n-th trusted IP from XFF so none of the inner LBs may add to that header.

Otherwise Indico won’t see the real IP of the user which is a problem e.g. with the login rate limiter.
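
The header flow discussed in this thread, as an added Python simulation that is not code from the thread or from Indico: it models Traefik terminating TLS, the posted NGINX block listening on plain-HTTP port 8080, and an application that trusts a single proxy hop. The IP addresses, the function names, Traefik setting both forwarded headers, and the one-hop trust model are assumptions made for the example.

```python
# Constructed simulation: browser -> Traefik (TLS) -> NGINX :8080 -> application.
# Assumption: the app trusts exactly one proxy hop, so it uses the last
# X-Forwarded-For entry and the X-Forwarded-Proto value it receives.

CLIENT_IP = "203.0.113.7"   # constructed: the real user (documentation range)
TRAEFIK_IP = "10.42.0.5"    # constructed: address of the ingress as seen by NGINX


def traefik(client_ip):
    """Outer proxy: terminates TLS and is the only hop that sees the user."""
    headers = {"X-Forwarded-For": client_ip, "X-Forwarded-Proto": "https"}
    return headers, TRAEFIK_IP  # headers plus the peer address NGINX sees


def nginx(headers, remote_addr, proto="$scheme", xff="$remote_addr"):
    """Inner proxy; defaults mirror the posted config, None = no proxy_set_header."""
    # The listener is plain HTTP on 8080, so $scheme can only ever be "http".
    variables = {"$scheme": "http", "$remote_addr": remote_addr}
    out = dict(headers)  # request headers are passed upstream unless overridden
    for name, value in (("X-Forwarded-Proto", proto), ("X-Forwarded-For", xff)):
        if value is not None:
            out[name] = variables.get(value, value)
    return out


def app_view(headers):
    """Scheme and client IP the application derives from the forwarded headers."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    client = headers["X-Forwarded-For"].split(",")[-1].strip()
    return scheme, client


def run(**nginx_opts):
    headers, peer = traefik(CLIENT_IP)
    return app_view(nginx(headers, peer, **nginx_opts))


if __name__ == "__main__":
    print("as posted:      ", run())                         # http URLs, ingress IP
    print("hardcoded https:", run(proto="https"))            # https URLs, ingress IP
    print("XFF untouched:  ", run(proto="https", xff=None))  # https URLs, user IP
```

With the posted `X-Forwarded-For $remote_addr` line, the application sees the ingress address for every request, so any per-IP control such as the login rate limiter treats all users as one client.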