Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

This request has been blocked; the content must be served over HTTPS. #6942

Closed bert2002 closed 4 years ago

bert2002 commented 4 years ago

Expected Behavior

I have set up Graylog with an nginx in front of it, which serves as TLS terminator. I expect the website to load over HTTPS.

Current Behavior

The website gets blocked from the browser (Chrome), because it tries to load content from http. I have HSTS enabled on the domain.

Possible Solution

Graylog should not hardcode http in its frontend.

Steps to Reproduce (for bugs)

  1. setup graylog
  2. setup nginx
  3. configure HSTS on the domain
  4. access the website

Context

Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/config.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/assets/vendor.91c91d4a31d54d96392a.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/assets/polyfill.af2f821c666e2573f8ad.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/assets/builtins.af2f821c666e2573f8ad.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.302c7c8739d3b418c624.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.ecd9e6af5eb7fd3b735e.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/assets/plugin/org.graylog.aws.AWSPlugin/plugin.org.graylog.aws.AWSPlugin.c4bb03a70f7fc40baabd.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure script 'http://domain.org/assets/app.af2f821c666e2573f8ad.js'. This request has been blocked; the content must be served over HTTPS.
domain.org/:1 Mixed Content: The page at 'https://domain.org/' was loaded over HTTPS, but requested an insecure favicon 'http://domain.org/assets/favicon.png'. This request has been blocked; the content must be served over HTTPS.

Your Environment

bert2002 commented 4 years ago

If you need any help or information, please let me know. This is quite blocking to deploy Graylog in a secure environment.

gang89 commented 4 years ago

In your nginx.conf file, is the X-Graylog-Server-URL set to https://yourdomain; ?

bert2002 commented 4 years ago

That was missing indeed. Thanks a lot @gang89. Maybe something to update in the docs.
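
The fix discussed in this thread, shown as an nginx TLS-terminating proxy configuration. This is an added example, not a configuration posted by any participant; the hostname, certificate paths, HSTS value and backend address `127.0.0.1:9000` are assumptions.

```nginx
# Added example: nginx terminating TLS in front of Graylog.
# Hostname, certificate paths and backend address are placeholders.
server {
    listen 443 ssl;
    server_name graylog.example.org;

    ssl_certificate     /etc/nginx/tls/graylog.crt;
    ssl_certificate_key /etc/nginx/tls/graylog.key;

    # HSTS as described in the report; the max-age value is a constructed sample.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # The line that was missing in the failing setup. It tells Graylog the
        # externally visible base URL, including the https scheme. Without it
        # (or with an http:// value) Graylog only sees the plain-HTTP request
        # from nginx, which matches the http:// script and favicon URLs that
        # Chrome blocked as mixed content.
        proxy_set_header X-Graylog-Server-URL https://$server_name/;

        # The hop from nginx to Graylog stays plain HTTP on loopback.
        proxy_pass http://127.0.0.1:9000;
    }
}

# Redirect plain-HTTP visitors to the TLS listener.
server {
    listen 80;
    server_name graylog.example.org;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, the `config.js` and `/assets/...` requests listed in the console output should be issued with an `https://` scheme.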