Automatic Redirect when using custom domain

I know that if I use https://mydomain.com and request a resource at http://myinsecuredomain.com or http://mydomain.com/insecuredomain, the request will get blocked by the browser.
My app works fine in http, but not in https. In my HTML code I use code like

<img src="/static/absoluteimage.png"></img>

or

<script src="/static/thisimportantscript.js"></script>

However I get errors like
[image]
I tried manually typing in the URL of one of my static files, like https://app.ml/static/global.css, and discovered that it redirects to http://somehashhere.glitch.me/static/global.css, which has an http protocol.
Oh and by the way, I thought this was an issue because I was using the fly.io dashboard to configure things, but when I finally figured out how to unlink my domain on the fly.io side and switch it to the glitch.com custom domain feature, I got the same error.
Using the fly.io dashboard, the error was (you can’t replicate it because fly.io removed the CDN feature, and I can use it only because I created a project at that time):

Mixed content....the page at app.ml/app was loaded over HTTPS, but requested an insecure {whatever file} http://myglitchprojectname.glitch.me/static/thatfilename

This actually might be a security issue
Now using the glitch.com custom domains I get:

Mixed content....the page at app.ml/app was loaded over HTTPS, but requested an insecure {whatever file} http://somehash.glitch.me/static/thatfilename

Hey @javaarchive,

That error usually occurs when the host website is loaded over HTTPS and a resource is pulled over HTTP. Like change the redirects and the resource you’re pulling to HTTPS, for example, make http://somehashhere.glitch.me/static/global.css load as HTTPS https://somehashhere.glitch.me/static/global.css.

The problem is that I never wanted it to redirect to somehashhere.glitch.me, I wanted it to keep the subdomain and protocol. I don’t have control over the redirect so I’m trying to see if the glitch team can help? It might be on fly.io because using the non-glitch custom domains from fly this also happens.

Try adding this code to the project you’re trying to redirect to:

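// assumes the project already has `express` required and `app` created
function checkHttps(req, res, next){
  // protocol check, if http, redirect to https
  // X-Forwarded-Proto is set by the proxy in front of the app; it is missing on direct requests
  const proto = req.get('X-Forwarded-Proto') || '';
  if(proto.indexOf("https")!=-1){
    console.log("https, yo")
    return next()
  } else {
    console.log("just http")
    // req.hostname is whatever host the proxy passed along to this server
    res.redirect('https://' + req.hostname + req.url);
  }
}

app.all('*', checkHttps)
app.use(express.static('public'))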

That’ll redirect from HTTP to HTTPS.

Or you can use pure javascript.
https://cdn.riverside.rocks/assets/js/https.js

So both methods didn’t really work, and I figured out why.
This is how my site is set up through fly.io:

A: app.ml (custom domain)
B: Fly.io (does the logic and passes things on to the origin)
C: hashedthing.glitch.me
D: My original project
A ------------------> B -----------------> C -----------------> D

So upon trying khalby786’s solution, this is what happened:

A ------------------> B -----------------> C -----------------> D
   Secure/Insecure   Insecure              Insecure

Then my server says, C is trying to access http://somehashhere.glitch.me/app, but isn’t using a secure connection. So it sends a redirect to C. But C just passes the request to B which passes the request back to A, which ends up redirecting itself to https://somehashhere.glitch.me/app.
RiversideRocks’ solution was nice for automatically switching people to https, but the redirect issue was still happening; most likely something on my server is issuing the redirect, or maybe fly is doing it.
Update: I searched my entire project for redirects and found none with static files so most likely it’s a fly.io or glitch domains issue.

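An added example, not code from any poster in this thread: one way for the origin (D in the diagram above) to pick an HTTPS redirect target so that it never sends the browser to the internal *.glitch.me name. The `CANONICAL_HOST` setting, the function names, and the presence of an `X-Forwarded-Host` header are assumptions; a redirect issued by the proxy layer itself is outside what this code can change.

```javascript
// Assumption: the public custom domain is configured explicitly, not taken from the request.
const CANONICAL_HOST = 'app.ml';
const ALLOWED_HOSTS = new Set([CANONICAL_HOST]); // only hosts we are willing to redirect to

// Forwarding headers can be comma-separated (one entry per proxy hop).
// The first entry describes the hop closest to the browser.
function firstValue(header) {
  if (typeof header !== 'string') return '';
  return header.split(',')[0].trim().toLowerCase();
}

// headers: lower-cased header names, as in Node's req.headers.
// Returns null if the browser already used HTTPS, otherwise an absolute https URL.
function httpsRedirectTarget(headers, path) {
  if (firstValue(headers['x-forwarded-proto']) === 'https') return null;

  // Host the browser asked for, if a proxy forwarded it (assumption), else the
  // Host header this server saw, which may be the internal project hostname.
  const requested = firstValue(headers['x-forwarded-host']) || firstValue(headers['host']);
  // Never copy an internal or unrecognised host into the Location header.
  const host = ALLOWED_HOSTS.has(requested) ? requested : CANONICAL_HOST;

  // Drop CR/LF and backslashes, and force exactly one leading slash.
  const safePath = '/' + String(path || '').replace(/[\r\n\\]/g, '').replace(/^\/+/, '');
  return 'https://' + host + safePath;
}

// Constructed sample requests, modelled on the hostnames quoted in the thread.
function demo() {
  return [
    // Plain HTTP reached the origin with the internal host: redirect to the public domain.
    httpsRedirectTarget({ host: 'somehashhere.glitch.me', 'x-forwarded-proto': 'http' },
                        '/static/global.css'),
    // Browser used HTTPS, inner hops were HTTP: no redirect, so no loop.
    httpsRedirectTarget({ host: 'somehashhere.glitch.me', 'x-forwarded-proto': 'https,http,http' },
                        '/app'),
    // Unrecognised forwarded host is ignored in favour of the canonical one.
    httpsRedirectTarget({ host: 'app.ml', 'x-forwarded-host': 'other.example' }, '/app'),
  ];
}

console.log(demo());
```

Reading only the first `X-Forwarded-Proto` entry is safe only when the outermost proxy sets or overwrites that header rather than passing through a client-supplied value.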

I agree with this, it looks like an issue with the custom domain.

The long hash name would be the Glitch project’s “internal name”, so that the custom domain would still work if the project got renamed.

The browser is doing the right thing, sending a request for https://yourdomain/static/global.css but the response is a 308 Permanent Redirect to http://longhash.glitch.me/static/global.css/ (and there is also a header fly-request-id: differentlonghash )

Which looks like the fly.io custom domain is still active?

There are also Cloudflare headers … would Cloudflare be passing the request to fly.io?

Edit – comparing to a project that has a custom domain but never did use fly.io, it still has a fly-request-id header, so I guess Glitch are using them internally. But also don’t get a permanent redirect.

Edit again – maybe the 308 permanent redirect will be removed from all the DNS lookups after 48 hours? If not, I’d say it’s an issue with fly and removing the custom domain.
