Getting mixed content after migrating from F5.
After migrating to the LoadMaster, one of the customer's site is complaining about Mixed-Content.
|Steps to Reproduce:|
|Error Message:||Mixed Content: The page at 'https://<URL>' was loaded over HTTPS, but requested an insecure frame 'http://<URL>'. This request has been blocked; the content must be served over HTTPS.|
|Cause:||Servers are only listening on HTTP and the application needs to be ran over HTTPS with SSL termination on the LoadMaster.|
Customer created a body modification rule to match on /http:\/\// and replace with https:// and applied the delete Accept-Enconding rule but no luck.
- We inspected the page and saw the following message:
Mixed Content: The page at 'https://<URL>' was loaded over HTTPS, but requested an insecure frame 'http://<URL>'. This request has been blocked; the content must be served over HTTPS.
This seemed to be more of a header replacement rather than a body modification. Looking at the dev tools, we saw a 302 with the Location header: http://<URL>
- We created a Location header replacement by going to Rules & Checking > Content Rule > New > Rule Type - Replace Header with the following fields:
Header Field: Location
Match String: /http:\/\/(.*)/
Value of Header Field to be replaced: https://\1
This rule will grab anything on HTTP and replace it with HTTPS.
- Then, applied this rule to the VIP by going to Advanced Properties > Show Header Rules > Add as a Response Haeder and tested again and this worked as expexted.