Open tiagoams opened 4 years ago
@tiagoams insecure image tile calls are made for most public background maps. In your case, insecure tile calls are made for the cube variables which is due to your own web server configuration.
@forman at the moment I see the background maps as a separate issue as these are not affected by blocking port 80 on the server. True, this will be enough to make the browser have the Not secure label but it is not as urgent for me as it allows me to deploy the server.
As an example that this is seen in other systems, on the dcs4cop-demo-viewer the same warnings are issued for images served over SSL.
Loading mixed (insecure) display content "http://service.demo.dcs4cop.eu//xcube/api/latest/datasets/c_…in=272.15&vmax=297.15&cbar=inferno&time=2017-12-31T00:00:00Z" on a secure page
Of course this doesn't prove it can't be done, so is there an example when this problem has been solved and images are being served over https?
But if this is as you say not related to xcube, then can you say where the problem lies (apache configuration, firewall?). If I am able to understand what the configuration is supposed to do it will be easier to achieve.
It surprises me that in webapi/, the tornado.web.Application function is not passed ssl_options. In my tests with tornado framework I had to do this to serve over SSL.
Thanks
Just to eliminate a possible problem, I have checked that our VM's webserver is translating http to https, but the browser still received the satellite images from an http address
Apache's conf file has:
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
At the moment images are sent over http. Even if the viewer is being served over https, and time series are being plotted, the browser will show a mixed content warning regarding the images:
Loading mixed (insecure) display content "http://datacube.cefas.co.uk/datasets/demo/vars/c2rcc_flags/t…3/1.png?vmin=0&vmax=1&cbar=viridis&time=2017-01-30T10:46:34Z" on a secure page
For servers to have all the traffic SSL secured, standard practice in operational servers, it will be necessary to change this. For instance, Chrome will show Not secure on any page with mixed content.
I would like to hear that this is not an xcube limitation, and can be changed in the server's web server configuration, but I don't think so as I see it in all the xcube servers I have looked at.
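One way to pin down which requests trigger the warning, and to see why the http-to-https redirect discussed in this thread does not remove it, is to export a HAR capture from the browser's developer tools and list the plain-http requests in it. This is an added example, not code from the thread or from xcube; the hostnames and `SAMPLE_HAR` are constructed, and `_resourceType` is a field Chrome adds to its HAR exports.

```python
from urllib.parse import urlsplit

DISPLAY_TYPES = ("image", "media")              # Chrome's _resourceType values
DISPLAY_MIMES = ("image/", "audio/", "video/")  # fallback when that field is absent

def find_mixed_content(page_url, har):
    """List plain-http requests recorded in a HAR capture of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for a secure page
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if urlsplit(url).scheme != "http":
            continue
        resp = entry.get("response", {})
        mime = resp.get("content", {}).get("mimeType", "")
        status = resp.get("status", 0)
        findings.append({
            "url": url,
            "display": entry.get("_resourceType") in DISPLAY_TYPES
                       or mime.startswith(DISPLAY_MIMES),
            # A 3xx to https does not clear the finding: the first request
            # already left the browser unencrypted.
            "redirected_to_https": 300 <= status < 400
                       and resp.get("redirectURL", "").startswith("https://"),
        })
    return findings

# Constructed capture: one secure page, one http tile, one http tile that is
# redirected to https, and the https request that follows the redirect.
TILE = "tiles.example.org/tiles/3/1/%d.png?cbar=viridis"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://viewer.example.org/index.html"},
     "response": {"status": 200, "content": {"mimeType": "text/html"}}},
    {"request": {"url": "http://" + TILE % 1},
     "response": {"status": 200, "content": {"mimeType": "image/png"}}},
    {"_resourceType": "image", "request": {"url": "http://" + TILE % 2},
     "response": {"status": 302, "redirectURL": "https://" + TILE % 2,
                  "content": {"mimeType": ""}}},
    {"request": {"url": "https://" + TILE % 2},
     "response": {"status": 200, "content": {"mimeType": "image/png"}}},
]}}

if __name__ == "__main__":
    for f in find_mixed_content("https://viewer.example.org/", SAMPLE_HAR):
        print(f)
```

For a real capture, load the exported file with `json.load` and pass the resulting dict as `har`.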