1

I have an iFrame in an HTTPS site. This iframe must point to an IP (not specific, there are hundreds of different ones) in HTTP. Currently, it doesn't work: "This request has been blocked; the content must be served over HTTPS" I imagine that one solution would be to use a reverse proxy but I can't find how.

The basic config would be:

HTTPS web server with iframe to HTTP (192.168.1.2)-> Reverse proxy with catch all HTTPS>HTTP (192.168.1.3) -> Device (IP like 192.168.0.x)

How can the proxy receive requests to device IPs since it does not own each of these IPs? How to redirect HTTPS to HTTP on the same IP?

Thanks!

Cu_Irl
  • 11
  • 2
  • I think most modern browsers would actually block an automatic redirect from https to http. Also, depending on the server configuration this might not even be possible. If you need a http content in a https site, the best solution is to create a http-link on which the user has to click in order to see the content. If your server does NOT enforce https for the whole website, the linked page can be on the same site. Otherwise, you'll have to redirect the user to the original page. – 1NN Feb 13 '21 at 09:27

1 Answers1

2

Navigating or redirecting to an HTTP URL in an iframe embedded in an HTTPS page is not permitted by modern browsers, as it's considered mixed content. Chrome for example may block the content with the following message:

Mixed Content: The page at 'your website' was loaded over HTTPS, but requested an insecure resource 'iframe http source '. This request has been blocked; the content must be served over HTTPS.

You will need to redirect the request through some online server, using HTTPS in the iframe to call your server, which will do the final HTTP call and return the results.

Converting the HTTP site to HTTPS will be the best solution, if possible.

For more information see the article What Is “Mixed Content,” and Why Is Chrome Blocking It?

Some browsers have settings for allowing "insecure content", so that such a mixed page can still work, but this is changing rapidly. You will need to research your browser version to find out if such an option exists.

Google posts the page Simple mixed content example! which tries to download a JavaScript script over HTTP, that can be used for testing.

harrymc
  • 455,459
  • 31
  • 526
  • 924
  • I could use nginx as reverse proxy but then, I'm wondering of I can configure it to make it answer for the backend devices and forward the requests to the same IP addresses (devices are internal/private). For instance: - PC 192.168.2.2 loads the iframe from nginx (192.168.1.2). - The iframe has to call the nginx reverse proxy (192.168.1.3) to query the device on 192.168.0.2 - The reverse proxy has to answer for the devices in 192.168.0.2 but at the same time must forward the queries to the same IP address. Is it possible within nginx config or do I have to make some redirect page? – Cu_Irl Feb 14 '21 at 13:45
  • An nginx reverse proxy can be the in-middle server, converting the call from HTTPS to HTTP. – harrymc Feb 14 '21 at 14:40