Call APIs over Http from Webpage served over Https - apache

We have a Java/Jetty server. The servlets on this server are called by some of our internal applications over http.
I have been asked to create a webapp / website which will use many of these servlets / APIs.
However, this is an external customer-facing website and needs to be served over https / SSL. The servlet URLs look like http://internalServer:9999?parameters.
Now my webapp is ready and has been deployed on Apache on Debian. Everything works fine, but as soon as I enable https/SSL the backend calls do not go through. On Chrome I get "Mixed content. Page was loaded on https but is requesting resource over http...". On Safari I get "could not load resource due to access control checks".
I understand the reasons for these errors, but I would like to know ways to solve this.
I have full control over the Apache server and the website code.
I have very limited control over the internal Jetty server and no control over the servlet code (I don't want to mess with existing apps).
Is there something I can do just with Apache configuration? Can I use it as a reverse proxy for the Jetty (http) server?
Thanks for your help.

"Mixed content. Page was loaded on https but is requesting resource over http..."
That error message means your HTML has resources that are being requested over http://... specifically.
You'll need to fix your HTML (and any references in JavaScript and CSS) that request or reference resources so that they also use https://....

If you try to call an http service from an https site you will get a Mixed Content error.
You can avoid that error using Apache2 proxy settings inside your example.org.conf.
You can find it inside the folder /apache2/sites-enabled.
Add some code:
<VirtualHost *:443>
...
ProxyPass /service1 http://internalServer:9999
ProxyPassReverse /service1 http://internalServer:9999
</VirtualHost>
From your https site you have to fetch the URL
https://example.org/service1
to reach the service.
In that way you can call your http services from an https site.
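As an added example (not the answerer's own configuration), here is a fuller version of that vhost with the settings a practitioner would pair with it: a plain-http redirect, the TLS directives, forward proxying switched off, and an exclusion so that only the servlet path the site needs is reachable from outside. The hostname, certificate paths and the excluded /service1/admin path are assumptions for illustration.

```apache
# Added example, not the answer's own config. Hostnames, certificate paths
# and the excluded /service1/admin path are assumptions for illustration.
# Requires the modules: a2enmod ssl proxy proxy_http
<VirtualHost *:80>
    ServerName example.org
    # Send plain-http visitors to the TLS site so the page itself never loads over http.
    Redirect permanent / https://example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    # Reverse proxy only: never act as a forward proxy for arbitrary hosts.
    ProxyRequests Off

    # Exclusions must come before the general mapping. Anything on the Jetty
    # server that the public site does not need stays unreachable from outside.
    ProxyPass /service1/admin !

    # The browser requests https://example.org/service1?parameters; Apache
    # forwards it over plain http on the internal network to the Jetty servlet.
    ProxyPass        /service1 http://internalServer:9999
    ProxyPassReverse /service1 http://internalServer:9999
</VirtualHost>
```

Because the internal servlets were only ever called by trusted internal applications, check what authentication they expect before exposing them through the proxy; the exclusion line is the place to keep any path off the public side.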

Related

Steps to redirect Application URL to Custom URL

I have IHS 7 installed on an AIX system and it is pointing to the Application Server. Now my requirement is: if the Application is not accessible, or if we are working on the Application itself, then whoever accesses the URL is redirected to a custom page on the web server saying that the Application is under construction.
For example, the URL is https://my.Application.com:8089/application. If anyone hits this URL, then it is redirected to a custom URL on the same web server, https://my.webserver.
I have configured a proxy in the IHS httpd.conf but it is not working.
The good practice in such a case is to create two config files and one maintenance page. When your app server does not work, you should restart the HTTP server with the config file which points to the maintenance page.

Iframe doesn't work in website while hotlinking is deactivated on remote server

I have an unusual problem when I use an iframe on a site I'm building. The hotlink protection is off on both servers. The iframe still doesn't work. Both are SSL sites. What is strange is that I can add a subdomain to the website where the webpage for the iframe is, redirect it to the other server, and the site shows up in the iframe after that, but directly it doesn't. Is there by chance a setting on the web server that doesn't allow external iframes? Is it better to just leave this alone and do a subdomain hop? (I'm wondering if the web host guys at HostGator did that on purpose for security, and I should just do the hop method I stumbled upon.) Both servers are running nginx; the web server is using nginx+apache.
Using iframes on external sites can be prevented with an HTTP header like X-Frame-Options.
Documentation can be found here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
This header can be set by either the web server or the software that is running on the web server.
Well, I got it working. In the .htaccess (after I turned hotlinking back on)
I wrote after the RewriteEngine on line:
AllowOverride All
Header set X-Frame-Options "ALLOW-FROM https://www.theothersite.com/"
and it works! Of course I added the http and https URLs to the exception list too. Now I can iframe and use the document-forms POST method.

How to ensure my website loads all resources via https?

URL in question: https://newyorkliquorgiftshop.com/admin/
When you open the above page, you can see in the console that there are lots of error messages saying "...was loaded over HTTPS, but requested an insecure stylesheet.."
This website was working well until all of a sudden this problem showed up. I am not very familiar with https, but I have contacted GoDaddy and the SSL certificate is valid, and there is no obvious problem with "https://newyorkliquorgiftshop.com". And I am stuck here. I've had some experience with HTTPS websites before: if the URL of the website's homepage is "https", then every resource it loads is via "https" too. I don't know why my website behaves differently and I don't know where to start to solve the problem. Any hint is appreciated, especially articles about HTTPS that are related to my problem. (I have done a brief research regarding HTTPS but most of the articles I found are about the basic concepts.)
If you have access to the code (not sure what you built the website with), try using https instead of http for the URLs you use to load your style sheets and script files.
For example one of the errors is
Mixed Content: The page at 'https://newyorkliquorgiftshop.com/admin/' was loaded over HTTPS, but requested an insecure script 'http://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js'. This request has been blocked; the content must be served over HTTPS.
You are requesting the .js file using HTTP, try using HTTPS like so:
https://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js
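The first answer on this page and the one above both come down to finding every subresource that is still referenced with an absolute http:// URL. As an added example (not code from either answer), this standard-library Python script parses an HTML page and lists those references, with the https rewrite the answer suggests; the embedded sample page and its example.com hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that make the browser fetch a subresource.
RESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",),
    "iframe": ("src",), "video": ("src", "poster"), "form": ("action",),
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every absolute http:// reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            url = (attrs.get(name) or "").strip()
            # Only absolute http:// URLs are mixed content; relative paths and
            # protocol-relative (//host/...) references inherit the page's https.
            if urlparse(url).scheme.lower() == "http":
                self.findings.append((tag, name, url))

def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def suggest_https(url):
    """Rewrite http:// to https://; the host must actually serve TLS for this to work."""
    return "https://" + url[len("http://"):]

# Constructed sample page for demonstration (example.com is a placeholder).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="https://www.example.com/js/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="/images/logo.png">
<script src="http://www.example.com/admin/view/javascript/common.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"<{tag} {attr}> {url}  ->  {suggest_https(url)}")
```

Run it over the saved HTML of the affected page; anything it reports is what the browser console is blocking.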

How to solve HTTPS response 498 when googlebot comes along?

I have an AJAX site leuker.nl and when googlebot comes along the site is started and it will retrieve an XML file from my backend server that contains site text.
The HTTP GET request used to retrieve the file returns a HTTP error 498.
Looking at LINK, it explains that it concerns an invalid/expired token (esri) returned by "ArcGIS for Server".
I don't understand this error; I don't even use ArcGIS and had never heard of it before.
Any idea how to solve this?
In the backend I use Apache Httpd 2.4 in combination with Tomcat 8.0. Apache proxies requests to Tomcat through an AJP connector. The XML file requested is directly returned by Apache.

CDN for your entire site - when the origin server equals the supername

I am using a static site generator for my site, which means my entire site is static. All my resources and HTML files are referenced with the domain name prefixed, so that the CDN could be used.
But due to SEO concerns I disabled non-www access and redirect those to the www.domain.com variant. But now I apparently cannot use a CDN, because the origin server needs to be different from the supername.
Can a CDN be used for HTML files?
How can I deliver content through www.domain.com and use a CDN?
Can I give the CDN access to static.domain.com as an origin server, but deny access to other clients? Seems clumsy!
Any ideas?
Using Apache 2.2, trying to use the Level 3 CDN through my hosting company's site.
Depending on what you are able to set on the CDN via your hosting company, the best way would be to override the host header in the CDN settings.
So, first let's look at your DNS settings:
www should point to the CDN
origin should point to your web server.
Now, on the CDN you set your origin to origin.yourdomain.com and add (I can't tell you if this is possible in your setup) an "HTTP host header override" to www.yourdomain.com. In some cases it's implemented the other way around, so you would "force IP-Host" to origin.yourdomain.com.
In both cases, what you want to achieve is this:
When an end user requests www.yourdomain.com, it is resolved to the CDN.
The CDN needs to fetch the content from your server, so it establishes a session on port 80 (assuming HTTP) to origin.yourdomain.com.
Once the port is open, the CDN sends (amongst others) an HTTP Host header with www.yourdomain.com (this is the name-based virtual host Apache is seeing and evaluating).
That way you can set up your web server in exactly the same way as you would without a CDN.