1

My configuration:

  • IIS site w/o certificate (looks like v6.2 with Windows Server 2012 R2)
  • SSL access via an F5 load balancer
  • Second site (mediawiki, latest stable) as an application in the subfolder of the same site

I am trying to include a second site as an iframe in a subfolder of a website that I have running on IIS. The sites are accessed behind a load balancer. The actual site uses http, as it doesn't have a certificate. The load balancer has a Digicert certificate, and I assume acts as a reverse proxy.

So, I can access each site through https: https://site.xxx and https://site.xxx/mediawiki. All links seem to show https. For the subfolder, I looked at network traffic on the main page, and I don't see any URL that isn't https.

So, I stuck the second site as an iframe in the primary site, and the browser won't load it, complaining that it isn't secure. Looking at the console output of FF, it says

Blocked loading mixed active content "http://site.xxx/mediawiki"

In the iframe, I specified the secure FQDN of the subfolder. I also tried a relative path, but had exactly the same result.

<iframe src="https://site.xxx/mediawiki"></iframe>

In mediawiki, I have specified

$wgServer = "//site.com";

I have also tried in the same setting the FQDN of the main site with https.

Any thoughts of why it is switched to http?

1 Answer

1

The solution to this is to put a final slash after the URL, so it doesn't redirect (don't know the technical reasons for this, but I found that here).

<iframe src="https://site.xxx/mediawiki/"></iframe>

Also, for MediaWiki, some other changes that are good to make are to properly allow for iFrames:

Mediawiki

$wgApiFrameOptions = 'SAMEORIGIN';
$wgEditPageFrameOptions = 'SAMEORIGIN';

MVC 5

I also used MVC 5 for the main page, and you want to allow iFrames, so stick this in Global.asax.cs.

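    // Requires: using System.Web.Helpers;
    protected void Application_Start()
    {
        // Stop the anti-forgery helpers from adding the X-Frame-Options header to responses.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }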

Also, because I authenticated the main site with my custom AD code, I had to make sure that it didn't force it on the sub page, which can't do that (it's a separate PHP web site, and not Microsoft code).

    <location path="." inheritInChildApplications="false">
      <system.web>
        ...
      </system.web>
    </location>

  • I had this issue with trying to include a Jekyll-based site via iframe, also behind a load balancer, and this solution (trailing forward slash) fixed it for me, thanks so much. – Harvey Dobson Nov 18 '20 at 12:07
  • In response to your question, the reason why you don't see any non-https traffic is because the browser blocks the request straight away. This threw me too, my iframe remained as `https://url/dir` because the request to make it `http://url/dir/` had been rejected. Ironically if it wasn't rejected my load balancer would have forced it to https, as it sounds like yours would have too, but there we go.. – Harvey Dobson Nov 18 '20 at 12:23
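
An added example, not part of the original answer or comments, that models the failure discussed above: it follows an iframe's redirect chain from an https parent page and stops at the first hop a browser would block as mixed content. The server responses are constructed and assume the backend answers the slashless URL with an absolute `http://` redirect, as the second comment describes; `traceFrameLoad` and `constructedResponses` are hypothetical names.

```javascript
// Constructed sample: what the origin server behind the TLS-terminating load
// balancer is assumed to answer. It only ever sees plain http, so its
// directory redirect carries an absolute http:// Location.
const constructedResponses = {
  "/mediawiki": { status: 301, location: "http://site.xxx/mediawiki/" },
  "/mediawiki/": { status: 200 },
};

// Follow the redirect chain the way a browser would for an iframe on an
// https parent page, stopping at the first hop that would be mixed content.
function traceFrameLoad(parentUrl, frameSrc, responses, maxHops = 5) {
  const parentIsSecure = new URL(parentUrl).protocol === "https:";
  let current = new URL(frameSrc, parentUrl); // resolves relative src values too
  const hops = [];
  for (let i = 0; i < maxHops; i++) {
    hops.push(current.href);
    if (parentIsSecure && current.protocol !== "https:") {
      return { outcome: "blocked-mixed-content", blockedUrl: current.href, hops };
    }
    const res = responses[current.pathname];
    if (!res) return { outcome: "no-response", hops };
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current); // Location may be relative
      continue;
    }
    return { outcome: "loaded", hops };
  }
  return { outcome: "too-many-redirects", hops };
}

// The three iframe src values discussed on this page.
const parent = "https://site.xxx/";
for (const src of ["https://site.xxx/mediawiki", "mediawiki", "https://site.xxx/mediawiki/"]) {
  const r = traceFrameLoad(parent, src, constructedResponses);
  console.log(src, "->", r.outcome, r.blockedUrl || "", r.hops.join(" => "));
}
```

Feeding the function the real status and `Location` values seen when requesting the slashless URL directly shows whether the backend is the one emitting the `http://` redirect.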