After login, the home screen shows insecure in chrome #31

Open
abdatta opened this issue Feb 12, 2020 · 7 comments

@abdatta

abdatta commented Feb 12, 2020

The login screen shows the site is secure. But just when I log in and the home page appears, the site is shown to be insecure. Why is it so?

@adarshaj
Member

It's not insecure, it's "not fully secure". It shows that due to loading http resources on an https site. You can see that the code uses `http://home.iitk.ac.in/~username/dp` to load pics (because the home.iitk server does not support https). If there was an alternative way to load pics over https, then this error would vanish after replacing all such URLs in the codebase.

@abdatta
Author

abdatta commented Feb 13, 2020

I think that should be easy. Just need to create a reverse proxy url for the insecure image links, isn't it?

@sakshamsharma
Member

sakshamsharma commented Feb 13, 2020 via email

@adarshaj
Member

Indeed. It should look very similar to

```nginx
location /Oa {
    proxy_pass http://oa.cc.iitk.ac.in:80;
    proxy_set_header Connection '';
    add_header 'Access-Control-Allow-Origin' $host;
    proxy_http_version 1.1;
    chunked_transfer_encoding off;
    proxy_connect_timeout 5m;
    proxy_read_timeout 5m;
}
```

@adarshaj
Member

> Adding an extra point of failure is rarely a wise decision in the long run. It's best to keep the number of required services to a minimum. Anyway, it's not even an issue worth worrying about frankly. Systems don't need to be complicated unless there's a clear benefit to be seen.

IMO, when the website is all pomp about providing a 'secure' service, having the client report that it's not 'fully secure' is worth solving. Also, it's not as complex as you make it seem, it's just 3 more lines to the existing config, which already does something very, very similar.

@abdatta
Author

abdatta commented Feb 13, 2020

Yes @adarshaj, the very reason I created the issue for something so small is because this service tries to particularly emphasise its security. So I think if it can be really fixed with something so simple, maybe we should. :)

@sakshamsharma
Member

Hmm, fine. If the nginx is already working, then it is definitely cool to do that. I forgot I had added the oa reverse proxy already.
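
A check for the cause discussed in this thread, as an added example that is not part of the original issue or the project's code: it scans HTML for subresources requested over `http://` and maps the picture URL form quoted above to a same-origin path. The `/dp/<username>` proxy path, the username character set and the sample markup are assumptions.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource (<a href> is navigation, not a fetch).
FETCH_ATTR = {"img": "src", "audio": "src", "video": "src", "source": "src",
              "script": "src", "iframe": "src"}
ACTIVE = {"script", "iframe"}  # insecure loads here count as active mixed content

# Picture URL form quoted in the thread; the username character set is an assumption.
DP_URL = re.compile(r"http://home\.iitk\.ac\.in/~([A-Za-z0-9_]+)/dp")
PROXY_PREFIX = "/dp/"  # hypothetical same-origin path served by the reverse proxy

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url, kind) for every subresource requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTR.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.strip().lower().startswith("http://"):
                kind = "active" if tag in ACTIVE else "passive"
                self.findings.append((self.getpos()[0], tag, value.strip(), kind))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def to_proxy_path(url):
    """Return the proxied path for a picture URL, or None for anything else."""
    match = DP_URL.fullmatch(url)
    return PROXY_PREFIX + match.group(1) if match else None

# Constructed sample page, not taken from the project.
SAMPLE = """<html><body>
<img class="logo" src="/static/logo.png">
<img src="http://home.iitk.ac.in/~alice/dp">
<script src="http://cdn.example.test/lib.js"></script>
<a href="http://home.iitk.ac.in/~alice/">home page</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {url} [{kind}] -> {to_proxy_path(url) or 'no mapping'}")
```

Because `to_proxy_path` accepts only the exact picture URL form, a rewrite built on it cannot be pointed at arbitrary paths on the upstream host.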
