search

Ombi-app / Ombi

Want a Movie or TV Show on Plex/Emby/Jellyfin? Use Ombi!
http://ombi.io
GNU General Public License v2.0
3.72k stars 395 forks source link

Mixed Content at login #4536

Open SugarDroid opened 2 years ago

SugarDroid commented 2 years ago

Describe the bug Chromium-based browsers throw a mixed content error when visiting ombi's login page through HTTPS. Firefox works differently thus CSP block every background image before Firefox could upgrade it to use the HTTPS protocol.

To Reproduce Steps to reproduce the behavior:

  1. ombi > proxy
  2. visit your ombi through a secure connection
  3. open your browser's dev tools
  4. watch the errors popping up

Expected behavior Background images are fetched through HTTPS.

Screenshots

mixed content

Logs (Logs directory where Ombi is located) N/A

Desktop (please complete the following information):

Ombi Version (please complete the following information):

Additional context N/A

github-actions[bot] commented 2 years ago

Hi!
Thanks for the issue report. Before a real human comes by, please make sure you used our bug report format.
Have you looked at the wiki yet? https://docs.ombi.app/
Before posting make sure you also read our FAQ.
Make the title describe your issue. Having 'not working' or 'I get this bug' for 100 issues, isn't really helpful.
If we need more information or there is some progress we tag the issue or update the tag and keep you updated.
Thanks!
Ombi Bot.

twanariens commented 2 years ago

What proxy are you using and what is the configuration?

We normally advise to use a reverse proxy which should automatically convert all http requests to https (I am running Ngynx with Ombi and have not encountered this issue)

The above is not true. I also encounter this issue after further investigation. @tidusjar Seems like we need to update the http requests for the fanart to https

sephrat commented 2 years ago

The root issue is that fanart.tv API returns http URLs instead of HTTPS. I've reach out to their Discord to ask why they don't return HTTPS URLs by default. If they don't want to move to HTTPS, we should probably do it ourselves.

bernarden commented 2 years ago

Looks like all returned fanart URLs now use HTTPS. I think the issue can be closed.

DerHary commented 1 year ago

Looks like all returned fanart URLs now use HTTPS. I think the issue can be closed.

Seems not, have this Issue too. BUT only with Apache Reverse Proxy.

My Apache Proxy Config: <Location /request> Allow from 0.0.0.0 ProxyPass "http://HOST:3579/request" connectiontimeout=5 timeout=30 keepalive=on ProxyPassReverse "http://HOST:3579/request" RewriteEngine On RewriteCond %{HTTP:Upgrade} =websocket [NC] RewriteRule /request/(.*) ws://HOST:3579/request/$1 [P,L]

Spinny319 commented 1 year ago

Can confirm same issue on Nginx, just recently though. Was working a few weeks ago. Chrome will auto redirect http links to https, but Apple devices (safari) just error out. It will eventually push through the error after a few tries.

Ombi v4.22.5

jgrubio commented 11 months ago

The same thing happens to me here. The wallpaper images in the login are being requested by http which produces a mixed-content-type