Forum Discussion

osnetworks_6668's avatar
osnetworks_6668
Icon for Nimbostratus rankNimbostratus
Mar 31, 2014

How to overcome "Only secure content is displayed"?

Hi, I am load balancing to a web server which uses backdrop mapping. I have created an Virtual Server listening on HTTP which applies the "_sys_https_redirect" iRule to redirect from HTTP to HTTPS which contains the following:

when HTTP_REQUEST {
   HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}

I have then created a second Virtual Server listening on HTTPS that presents the SSL certificate and then simply load balances to the pool members (passing traffic to them on TCP port 80).

The problem that I am getting is that some pages contain backdrop mapping from openstreetmap.org (URL is similar to http://a.tile.openstreetmap.org/b/c/d/png where a b c and d can vary). Firefox and Chrome do not display this embedded backdrop mapping but Internet Explorer does at least show a message saying "Only secure content is displayed". If I then click on the "Show all content" button, the mapping does appear.

I have searched the forums and have tried creating a custom http profile with edited "Request header insert" to insert the X-Forwarded-Proto but must be doing it wrong as i get an error "01070373:3: Invalid Header Insert 'X-Forwarded-Proto' for profile /Common/http_osnet. name:value must be ":" separated"

I am fairly new to LTM so any help greatly appreciated.

  • So you need the HTML to not have that http link, and instead have https link, right?

     

    Who creates the original HTML content? and can this be fixed there? or are you saying you could fix by adding some header to the http requests? If so, can you explain exactly what you are typing into the http profile, which gets rejected bu the GUI...

     

    If you cannot get the HTML fixed at the source, then you would have to intercept the entire http response and fix it using an iRule and a stream profile.

     

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    osnetworks,

     

    You could try a Stream Profile on the virtual server - this could parse the response and convert any references to http:// to https://, as an example.

     

    Hope this helps,

     

    N

     

  • @mohamed Yes, just need to make all http references https ones. I have checked and the openstreetmap.org URLs work perfectly well as https.

     

    @nathan, I have been reading about the streamed profile here: https://support.f5.com/kb/en-us/solutions/public/8000/100/sol8115.html but as this is unfamiliar, I am not certain exactly what I need to do to implement it. UPDATE: I just created a custom stream profile and applied it to the https virtual server, replacing http:// with https:// as you suggested and that seems to work!.

     

    I'll do more thorough testing tomorrow. Thanks

     

    • nathe's avatar
      nathe
      Icon for Cirrocumulus rankCirrocumulus
      Sounds promising. Hope the testing continues to go well. Let us know if you get any issues. N
  • Initial testing was misleading. Unfortunately every page i clicked on afterwards said that my session had expired. We're going to try and rewrite the offending javascript to reference https instead of http instead. Many thanks for your input.