Forum Discussion

Zhinjio_101470
Jun 22, 2012

This page contains both secure and nonsecure items

Hey folks,

Strange situation. I wanted to validate my thoughts on this to make sure I'm not missing something.

Situation:

Client browser (IE, as it happens) is requesting a page from an application server over HTTPS. The delivered page then points to many other image/javascript resources, as you might expect. Some of these were previously being delivered from the web server in question, over HTTP (directly to the IP address of the server).

Recently, this web server was expanded to 2 servers, and an F5 VIP put in front to load balance and improve performance/reliability. Configuration on that is almost entirely defaults for an HTTP VIP. The only change I can think of was to switch to the tcp-lan-optimized profile. All else is the same. Round Robin, no priority groups, etc etc. Everything appeared to be working fine, performance improved, mission accomplished.

However, shortly after that change, one of the QA folks mentioned that they started getting this IE popup indicating that the page contains both secure and nonsecure items (I'm sure you've seen this before). However, to my way of thinking, that was also true before, and the F5 shouldn't have introduced any change in whether that popup would appear or not.

Am I missing something? Is there *anything* the F5 could be doing that would suddenly cause this popup to appear where it wasn't before? I won't claim to understand all the possible header manipulations that are possible and how they might impact this, but my gut is telling me it has nothing to do with the F5.

They will be doing further testing today, but I thought I'd ping folks here and see if y'all had any guidance.

Thanks in advance,

- ZJ

4 Replies

  • Hi, yes you are correct, it's not the F5 but the way IE works.

    As you have moved from a web server IP to a VIP IP, IE will no longer know that the source of the HTTP content is a different server. And as VIPs are protocol specific, the IE browser sees that the request is coming from one server serving HTTP and HTTPS traffic. This may be the reason for the issue.

    We faced a similar issue earlier and after the app team fixed the code by changing the calls to HTTPS instead of HTTP, we no longer got the popup.

    - Santosh.

  • As Santosh says, the simplest fix is to change the application and replace the http:// references with https:// or relative references without the protocol specified. Else, if that's not an option, you could use a stream profile and STREAM::expression iRule to rewrite the http:// references to https:// in the response payloads:

    https://devcentral.f5.com/wiki/iRules.stream__expression.ashx

    Aaron
  • The traffic was always 2 separate servers. Server A dishes out the top level doc, and was always HTTPS, and then the subsequent image and script resource requests were going to Server B over HTTP. Server B is the one that is now behind a VIP. So yeah, I can't see how that behavior would have changed just for putting an F5 in there. It should *always* have had that same issue.

    Hopefully, today's testing will yield up some useful information.

    Thanks,

    - ZJ
  • Interesting conclusion. Figured I would let you all know.

    The thing that caused the popup was a change in the application. They had started using a DNS name for the http URL (of the VIP) instead of the IP address of the VIP. For whatever reason, the browser (presumably) would then flag the page as having secure and non-secure items, but if only the IP address is used, it doesn't.

    Still seems hokey, but at least they have a fix.

    Cheers,

    - ZJ
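
An added example, not code from any poster in this thread: a Python check that lists the http:// subresource references in a page served over HTTPS, which is what has to be found before applying the application fix or the response rewrite Aaron describes. The page URL, hosts and sample HTML are constructed placeholders; the `host_kind` field records whether each reference uses an IP literal or a DNS name, the difference ZJ reports in the last reply.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
ACTIVE_TAGS = {"script", "iframe", "link"}  # content that can change the page

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        value = a.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # this sketch only counts stylesheet links
        # Resolve relative and protocol-relative ("//host/x") references as the browser does.
        target = urlsplit(urljoin(self.page_url, value.strip()))
        if target.scheme != "http":
            return
        try:
            ipaddress.ip_address(target.hostname or "")
            host_kind = "ip"
        except ValueError:
            host_kind = "dns"
        self.findings.append({"tag": tag, "url": target.geturl(),
            "kind": "active" if tag in ACTIVE_TAGS else "passive",
            "host_kind": host_kind})

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # only pages loaded over HTTPS can have mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; hosts are placeholders, not values from the thread.
SAMPLE = ('<link rel="stylesheet" href="/css/site.css">'
          '<script src="http://static.example.com/app.js"></script>'
          '<img src="http://192.0.2.10/logo.png">'
          '<img src="//static.example.com/banner.png">')
FINDINGS = find_mixed_content("https://app.example.com/index.html", SAMPLE)
print(*FINDINGS, sep="\n")
```

The relative stylesheet and the protocol-relative image inherit https from the page and are not reported, which is why those forms are the application-side fix.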