0

We have a unified portal which links multiple services through a jQuery tab based interface making use of iframes to display content from different services. Our portal runs on a secure server with HTTPS/SSL. While most of our external services are HTTPS, two of them aren't. Obviously we are aware of the issues with mixed content and we didn't like the idea of having non-https sites within the portal, but we didn't have a choice. Everything was ok until a few days ago when Google updated chrome to version 30, which now silently blocks mixed content.This has created a great number of problems for us. We contacted the external services and asked them if they could upgrade their services to HTTPS and one of them has come back saying they have no plans to do so for the next 2 years.

Obviously this is a problem. We tried getting around the problem by getting this service to open into a new browser window, but this is a rather inelegant workaround which I would like to get rid of, if at all possible. Is there any way that I can use AJAX or PHP to prefetch the page in question and then display it within the portal iframe without Chrome blocking it?

I would be very grateful for any advice at all. I do understand how bad an idea it is to mix secure content with non secure content, but I have no choice in the matter as my manager is adamant that the service have to be a part of the portal.

Thanks in advance.

Regards

Alex

Alex
  • 3
  • 3
  • The problem only happens with JS over http, I think. If it's possible to strip what you're embedding down to just html/css/images, Chrome still seems to display them ok. – Codemonkey Oct 17 '13 at 13:56
  • [Using PHP to fetch content using curl is pretty straightforward](http://stackoverflow.com/questions/2440252/php-curl-i-need-a-simple-post-request-and-retrival-of-page-example). – Blazemonger Oct 17 '13 at 13:57
  • @Blazemonger Using Apache's mod_proxy is a lot more straight forward, can be as simple as a single line in an .htaccess file. :) It also has a lot less overhead than doing the same thing in PHP. – deceze Oct 17 '13 at 13:59
  • I take my previous comment back. Iframes are the problem, even if you're just requesting a plain text page with no html/javscript on it. – Codemonkey Oct 17 '13 at 14:01
  • I agree ... the problem isn't fetching a non HTTPS page, its trying to display it within an iframe embedded within a HTTPS page. – Alex Oct 17 '13 at 14:16

1 Answers1

1

A somewhat simple solution would be to use a reverse proxy. You can configure Apache quite easily to take an HTTPS connection, fetch the requested content from another URL and return it. See mod_proxy. The problem is that the browser will necessarily see a different URL/domain on its part (your reverse proxy), which may or may not cause problems with cookies or hardcoded links.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • Could you provide an example of how to set this up in nginx? I have a similar problem and would be very interested to give this solution a try, but have never proxied a thing in my life. – Codemonkey Oct 17 '13 at 13:55
  • Nope, I don't know nginx very well, all I could do would be to read the manual for you. Which you can do yourself. ;) – deceze Oct 17 '13 at 13:56
  • @deceze Reverse proxy works to an extent - however it does seem to mess up the styling quite a bit. – Alex Oct 17 '13 at 14:49
  • @Alex Yeah, as I said, the devil is probably in the details here. If it's just about a few hardcoded links, you may be able to process the result on your proxy to substitute those links to also be proxied. IIRC mod_proxy may actually be able to do this to some extend. – deceze Oct 17 '13 at 14:58
  • @deceze Cheers mate. I noticed that the proxied page is trying to link to stylesheets and js scripts using a relative path. So I just downloaded the scripts to my local server and tried again .. and while I have had some level of success, it's still not working correctly. :/ But this is the closest I have come to fixing the issue. So I am going to upvote and accept the answer. Cheers again mate. – Alex Oct 17 '13 at 15:32