I've got my application on Facebook. It's working on https. Recently I've set up an Apache reverse proxy. The proxy is doing a redirect from https to http port 8080 of Tomcat. The game works if accessed directly, but if accessed from Facebook there is an error:

Mixed Content: The page at 'https://apps.facebook.com/pennantrace/?fb_source=bookmark&ref=bookmarks&count=0&fb_bmpos=_0' was loaded over HTTPS, but requested an insecure form action 'http://thepennantrace.com/'. This request has been blocked; the content must be served over HTTPS.

UPDATE 1:

I've set Spring Social Facebook's canvas controller's post-login URL to "https://..."; now it works, but Tomcat is redirecting the call to https://...com to http://....com/resources/index.html

It seems like all redirects from Tomcat are passed as they are (http) without changing the protocol to https.

maximus
  • What's not clear about the message? Don't redirect to http, canvas apps only work with https. – andyrandy Aug 31 '16 at 10:15
  • You got other problems there as well, my Firebug shows: _“Load denied by X-Frame-Options: `https://thepennantrace.com/canvas/` does not permit framing.”_ – so you need to disable the X-Frame-Options header first of all, otherwise modern browsers will simply refuse to display the content inside any kind of (i)frames on a different domain. – CBroe Aug 31 '16 at 10:26
  • @luschn The thing is that there is nothing in the code or settings that redirects to http://thepennantrace.com. – maximus Aug 31 '16 at 10:39
  • @CBroe What do I need to put into the settings in the Apache reverse proxy setup to fix it? Or is a different fix needed? – maximus Aug 31 '16 at 14:14
  • It is a thing that needs fixing, because otherwise browsers will be instructed not to display your page in the iframe on facebook.com. But a reverse proxy should not add that header on its own; it is more likely that your original application or Tomcat has added that header. – CBroe Aug 31 '16 at 14:18

1 Answer

I fixed it by setting Apache to use X-Forwarded-Proto and Tomcat to respond to that correctly.

maximus
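
The fix described in the answer, written out as an added example (it is not the poster's actual configuration). It assumes Apache terminates TLS on the same host as Tomcat and that Tomcat listens on 127.0.0.1:8080; the certificate paths are placeholders.

```apache
# Added example. Assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers
# are loaded and Tomcat listens on 127.0.0.1:8080 (port from the question).
<VirtualHost *:443>
    ServerName thepennantrace.com

    SSLEngine on
    # Placeholder paths: substitute your own certificate and key.
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    # Keep the public Host header so Tomcat builds URLs for this name.
    ProxyPreserveHost On

    # "set" (not "add") overwrites any X-Forwarded-Proto sent by the client,
    # so the backend only ever sees the value chosen by the proxy.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Tomcat side, in conf/server.xml inside <Host> (shown as comments because
# it is XML, not Apache syntax). RemoteIpValve makes request.getScheme(),
# request.isSecure() and sendRedirect() follow the forwarded protocol, and
# internalProxies limits which peers are trusted to supply the header.
#
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          remoteIpHeader="X-Forwarded-For"
#          protocolHeader="X-Forwarded-Proto"
#          internalProxies="127\.0\.0\.1" />
```

With the valve in place, redirects generated by Tomcat carry `https://` in their `Location` header, which removes the mixed-content block. Binding the Tomcat connector to the loopback interface (`address="127.0.0.1"` on the `<Connector>`) keeps clients from reaching port 8080 directly and supplying their own forwarded headers.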