Score:0

Redirect http calls inside iframe to https using nginx


I have an https website that needs to render an iframe of an external website that only works with http. The external http endpoints are all inside a URL like: http://external-website.com/foobar

Browsers don't allow this (mixed content error, http inside https...), so I configured my https website's nginx to create a reverse proxy on the URL /foobar to solve this issue.

Now I call the URL https://my-website/foobar, and that renders the iframe correctly.

The problem is: some buttons inside the iframe application call hardcoded http, and inside my website, when I click those buttons, it calls http://my-website/foobar (the reverse proxy I set up, but with http instead of https), and this gives me a mixed content error and the buttons don't work.

I need some way to force all requests that go through /foobar to use https.

This is my current nginx.conf

server {
    listen 80 default_server;
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }
    location /foobar/ {
        proxy_pass http://external-website.com/foobar/;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
    }
}
Score:0

To achieve this you must be able to modify the content of the pages, where the ngx_http_sub_module becomes handy.

The ngx_http_sub_module module is a filter that modifies a response by replacing one specified string by another.

This module is not built by default, it should be enabled with the --with-http_sub_module configuration parameter.

E.g., both Debian 12 & Ubuntu 22.04 have this module enabled in the packaged version of Nginx, and you can confirm that with nginx -V. (If not, you'd need to compile Nginx yourself.)

After that it would be possible to replace the contents with, e.g.,

location /foobar/ {
    sub_filter 'http://example.net/' 'https://$host/foobar/';
    sub_filter_once off;
}
Alan Nicolas de Oliveira
Thank you for the help, especially the command nginx -v. I was able to confirm that nginx has http_sub_module, so I added these lines inside the location block: proxy_set_header Accept-Encoding ""; sub_filter_types *; sub_filter_once off; sub_filter 'http://' 'https://'; and that solved the problem.
jp flag
That wouldn't load the external content through the proxy, though? Is it available in HTTPS on the original site?
Alan Nicolas de Oliveira
The external site only supports http. My reverse proxy works with both http and https. I can load the iframe with the https URL of my reverse proxy, but the buttons inside the iframe call my reverse proxy with an http URL instead of https. With sub_filter, the buttons inside the iframe now call the URL of my reverse proxy with https.
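
A scoped variant of the configuration discussed in the answer and comments, as an added example that is not part of the original thread. It assumes the hostnames and the /foobar/ prefix from the question, and rewrites only URLs for the upstream and for the proxy itself instead of every http:// string, because a blanket rewrite also alters links to unrelated third-party hosts in the proxied content.

```nginx
# Added example, not from the thread. external-website.com and /foobar/
# are the names used in the question; adjust them to the real deployment.
location /foobar/ {
    proxy_pass http://external-website.com/foobar/;

    # sub_filter cannot rewrite a compressed body, so ask the upstream
    # for an uncompressed response.
    proxy_set_header Accept-Encoding "";

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;

    # Rewrite only the two origins that must go through the proxy:
    # absolute links to the upstream, and http:// links to this proxy.
    # Variables in the match string need nginx 1.9.4 or later.
    sub_filter 'http://external-website.com/foobar/' 'https://$host/foobar/';
    sub_filter 'http://$host/foobar/' 'https://$host/foobar/';
    sub_filter_once off;

    # text/html is always filtered. List the other text types the
    # application serves rather than '*', so binary responses are not
    # passed through the filter.
    sub_filter_types text/css text/javascript application/javascript application/json;

    # Apply the same mapping to Location headers on upstream redirects.
    proxy_redirect http://external-website.com/foobar/ https://$host/foobar/;
    proxy_redirect http://$host/foobar/ https://$host/foobar/;

    # Ask the browser to upgrade http:// requests made by the framed
    # page, which covers URLs assembled in JavaScript at runtime that
    # sub_filter never sees in the response body.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
}
```

The hop from nginx to external-website.com is still plain http, so content on that leg can be read or modified in transit even though the browser sees https.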