Insecure XMLHttpRequest endpoints used on secure site


joe hobson

Jul 27, 2017, 1:49:57 PM7/27/17
to Canvas LMS Users
I'm setting up a self-hosted Canvas installation, and having trouble getting everything to load over SSL. The site was initially set up with ssl:false because the load balancer setup wasn't complete, but now I have ssl:true in my domain.yml and am able to load pages over SSL. Certain features don't work though, because the browser won't load mixed content and the scripts and/or forms are still referring to non-SSL URLs.

For example, trying to add a user:

Mixed Content: The page at 'https://<site>/accounts/1/users' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<site>/accounts/1/users'. This request has been blocked; the content must be served over HTTPS.

I've recompiled assets and dumped my nginx and browser caches, but I can't get it to load everything over SSL. Is it set in the db or redis cache somewhere?

Thanks for your help. ... .joe

Graham Ballantyne

Jul 27, 2017, 2:23:59 PM7/27/17
to canvas-l...@googlegroups.com
Views do get cached in redis, so flushing it is a good step to try. Some browsers also aggressively cache URLs, so you might want to try a private browsing window.

You might want to also consider terminating SSL on your load balancer instead of serving SSL from the Canvas app. It reduces some load on your app servers and makes it easier if you scale to multiple app servers (only one certificate to update instead of one on each app server).

-- 
Graham Ballantyne 
IT Services 
Simon Fraser University 

joe hobson

Jul 27, 2017, 4:27:38 PM7/27/17
to Canvas LMS Users
Thanks for weighing in, Graham. We are behind a load balancer with SSL terminated at the LB, and have 2 app servers running right now, so I at least have the option of hitting one of them directly non-SSL for now. I always use private browsing windows for this sort of thing, and still hate that Chrome on the Mac opens each new incognito window in the same memory space if you already have one open.

Flushing redis didn't solve it for me; still a problem.

Cody Cutrer

Aug 9, 2017, 1:04:06 PM8/9/17
to canvas-l...@googlegroups.com
Is your load balancer setting one of the following request headers? If not, Canvas doesn't realize that it is being accessed over HTTPS, so will generate HTTP absolute links.

X-Forwarded-Proto
X-Forwarded-Scheme
X-Forwarded-SSL


Cody Cutrer
Software Engineer
Instructure
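To make the header point above concrete, here is an added example (my own code, not Canvas's or Rack's) that re-implements, in simplified form, the scheme detection a Rack/Rails application such as Canvas performs when SSL is terminated on a load balancer, and shows the absolute-URL generation that produces the mixed-content error from the original post when the forwarding header is missing. The header precedence (HTTPS, then X-Forwarded-SSL, then X-Forwarded-Scheme, then the first value of X-Forwarded-Proto, then the socket scheme) mirrors Rack's `Rack::Request#scheme` as I understand it; treat the exact ordering as an assumption and check your Rack version. The hostname `canvas.example.edu`, the sample environments and the helper names are constructed for the example.

```ruby
# Added example, not Canvas or Rack code: a simplified re-implementation of how a
# Rack app decides whether a request arrived over HTTPS behind an SSL-terminating
# load balancer. Precedence follows Rack::Request#scheme as understood by the
# author of this example (assumption: verify against your Rack version).

FORWARDED_HEADERS = %w[HTTP_X_FORWARDED_PROTO HTTP_X_FORWARDED_SCHEME HTTP_X_FORWARDED_SSL].freeze

# env is a Rack-style environment hash: HTTP request headers appear as
# HTTP_<NAME> keys; 'rack.url_scheme' is the scheme of the socket the app
# server itself accepted (plain http when the LB terminates TLS).
def request_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'
  if (scheme = env['HTTP_X_FORWARDED_SCHEME'])
    return scheme.downcase
  end
  if (proto = env['HTTP_X_FORWARDED_PROTO'])
    # Chained proxies append values ("https, http"); the first one is the
    # scheme the outermost client actually used.
    return proto.split(',').first.strip.downcase
  end
  env['rack.url_scheme']
end

def ssl?(env)
  request_scheme(env) == 'https'
end

# The kind of absolute link Canvas embeds in forms and XHR endpoints.
def absolute_url(env, path)
  "#{request_scheme(env)}://#{env['HTTP_HOST']}#{path}"
end

# Constructed sample: what the app server sees when the LB forwards the
# request over plain HTTP without any scheme header.
def env_without_forwarding
  {
    'rack.url_scheme' => 'http',
    'HTTP_HOST' => 'canvas.example.edu',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.5'
  }
end

# Constructed sample: the same request with the LB adding X-Forwarded-Proto.
def env_with_forwarding
  env_without_forwarding.merge('HTTP_X_FORWARDED_PROTO' => 'https')
end

# Diagnostic for the question in the thread: which of the three headers,
# if any, did the load balancer actually set?
def forwarding_headers_present(env)
  FORWARDED_HEADERS.select { |h| env.key?(h) }
end

if __FILE__ == $PROGRAM_NAME
  [env_without_forwarding, env_with_forwarding].each do |env|
    puts "headers: #{forwarding_headers_present(env).inspect}"
    puts "ssl?: #{ssl?(env)}"
    puts "link:  #{absolute_url(env, '/accounts/1/users')}"
  end
end
```

Without the header, `absolute_url` yields `http://canvas.example.edu/accounts/1/users`, which is exactly the blocked XMLHttpRequest endpoint from the first post; with `X-Forwarded-Proto: https` it yields the `https://` form. On an nginx load balancer the header is added with `proxy_set_header X-Forwarded-Proto $scheme;` in the proxied location. Two practitioner caveats: the LB must set (overwrite) the header rather than pass through whatever the client sent, because a client that can reach an app server directly, as the original poster says is possible here, could otherwise supply `X-Forwarded-Proto: https` itself and flip `ssl?`, which gates things like secure cookie flags; and the app servers should accept traffic only from the load balancer so that path is closed.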
