Question
To make my story short, here is the error message shown (in the Chromium console):
Mixed Content: The page at 'https://example.com/#/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/login'. This request has been blocked; the content must be served over HTTPS.
And you see this message if you click the security icon (in the Chromium address bar):
To investigate this further, I noticed that on the page load event we do have a request to the /api/account secure endpoint, and since first-time visitors are not usually authenticated, this request will get redirected to the /login path (somewhere?), but over HTTP and not HTTPS, which would be the desired behaviour in my case.
I suspect that this is because I use my JHipster application behind a reverse proxy, and my reverse proxy is responsible for serving requests over HTTPS. In other words, my JHipster application doesn't know that we are using HTTPS.
I also tried to debug my client-side code to see if I could override this behaviour, but I noticed this redirect is not triggered from either auth-expired.interceptor.ts or errorhandler.interceptor.ts.
So more likely this redirect is happening from my server-side code, and maybe it could be overridden by changing a Spring Security config?
Thank you JHipsters! :-)
Answer 1:
Set server.use-forward-headers: true in your application.yml. Make sure your proxy server is also configured to add X-Forwarded-For and X-Forwarded-Proto headers. For Nginx, you can add proxy_set_header X-Forwarded-Proto $scheme; in the location section. This will fix your 302 redirects, which are built from the proxy headers.
This is described in the Spring Boot docs for running behind a proxy server; there was also a related GitHub issue.
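
A simplified model of the behaviour the answer describes, added here as an illustration and not part of the original answer or of Spring/JHipster code: it shows how the scheme of the 302 Location depends on X-Forwarded-Proto and why the browser then blocks the request. The function names, the trusted-proxy address and the sample requests are assumptions constructed for the example.

```python
# Simplified model of a backend behind a TLS-terminating reverse proxy.
# Not Spring or JHipster code; names and addresses are constructed for illustration.
from urllib.parse import urlsplit

TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: Nginx runs on the same host


def effective_scheme(peer_ip, headers, use_forward_headers):
    """Scheme the backend believes the client used."""
    # The proxy-to-backend hop is plain HTTP, so that is what the socket reports.
    scheme = "http"
    proto = headers.get("X-Forwarded-Proto", "").strip().lower()
    # Honor the header only when enabled and when the request came from the proxy.
    if use_forward_headers and peer_ip in TRUSTED_PROXIES and proto in ("http", "https"):
        scheme = proto
    return scheme


def login_redirect(peer_ip, headers, use_forward_headers):
    """Absolute Location value for the 302 sent to an unauthenticated request."""
    scheme = effective_scheme(peer_ip, headers, use_forward_headers)
    return f"{scheme}://{headers['Host']}/login"


def is_blocked_mixed_content(page_url, request_url):
    """True when an HTTPS page issues an XMLHttpRequest to an http:// URL."""
    return urlsplit(page_url).scheme == "https" and urlsplit(request_url).scheme == "http"


if __name__ == "__main__":
    page = "https://example.com/#/"
    # Constructed request as the backend sees it once Nginx adds the header.
    proxied = {"Host": "example.com", "X-Forwarded-Proto": "https"}
    cases = [
        ("forward headers off", "127.0.0.1", proxied, False),
        ("forward headers on", "127.0.0.1", proxied, True),
        ("header missing at proxy", "127.0.0.1", {"Host": "example.com"}, True),
        ("header from untrusted peer", "203.0.113.7", proxied, True),
    ]
    for label, peer, hdrs, flag in cases:
        loc = login_redirect(peer, hdrs, flag)
        print(f"{label:28} -> {loc}  blocked={is_blocked_mixed_content(page, loc)}")
```

Only the case with the setting enabled and the header present from the proxy yields an https:// redirect; the other three reproduce the blocked http://example.com/login request from the question.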
Source: https://stackoverflow.com/questions/49852946/jhipster-nginx-https-this-page-is-trying-to-load-scripts-from-unauthenticated-so