60
Views
5
Comments
[Silk UI Web] Does the RichWidgets Popup_Upload widget work with SSL Offloading?
Forge component by OutSystems R&D
106
Published on 09 Mar 2020
Application Type
Traditional Web

Hello community,

I hope someone can help.

Our production (or soon to be when we go live) environment uses SSL offloading.  Our development environments are in the cloud.

When we use the Popup_Upload widget from RichWidgets (version 11.10.2) in production, we get an error because it attempts to load a file via HTTP instead of HTTPS.  It works fine in our cloud environments.

This is the error we see is (I have replaced part of the URL with THEWEBSITE):

Mixed Content: The page at 'https://THEWEBSITE.com.au/ProductApp/Administration.aspx?Nav=Lists' was loaded over HTTPS, but requested an insecure frame 'http://THEWEBSITE.com.au/RichWidgets/Popup_Upload.aspx?_=16...'. This request has been blocked; the content must be served over HTTPS.

We believe have configured the reverse proxy and Outsystems parameter settings correctly as per the documentation: OutSystems configurations in reverse proxy scenarios - OutSystems 

Has anyone got the RichWidgets File Upload widget working with SSL offloading in a Traditional Web App?

I can see that some people have solved this by making their own version of the File Upload widget.

I just want to know if the File Upload widget will actually work if the system is configured correctly. I have asked Outsystems support for help, but looking for some experience of it working.

This will help me work out if continuing to diagnose the SSL offloading configuration is a dead end, and just replace all the upload widgets with something else.

Rank: #419

Hi Stuart,

just my 2 cents for discussion. 

I don't think that you have an issue with the SSL Offloading because the call is being done in HTTP and not HTTPS.

Also, you don't have any certificate errors trying to call an application webpage. 

Are you using Lifetime? If so, in the 'Infrastructure' - 'Environment Security', 'Force HTTPS for screens...' option enabled?

Could be something related to this.

Let me know the culprit of this mistery! 

Champion
Rank: #152

Hi Rui,

Thanks for your response. The problem is the upload control is putting a http link in the HTML, but as Outsystems supports SSL offloading it should not be doing that.  So SSL offloading appears to be working properly, but I would like to know if the Popup_Upload widget works with SSL offloading.

The force HTTPS option is off because we are using SSL offloading which removes HTTPS before it gets to the web server. If force HTTPS is on, it would cause an infinite loop where OutSystems received the HTTP request with SSL removed and redirects the browser to HTTPS, which gets removed again by the reverse proxy.

Rank: #464

Have you tried setting your RP to forward the traffic to your servers in HTTPS as well (and then force HTTPS on Lifetime)? SSL offloading will still be used to manage different certificates and most RPs/LBs can ignore certificate errors, for internal traffic, to the web servers (you can even use certificates with a smaller keysizes for that traffic), so you won't have to bother to update all of your web servers whenever a new certificate is installed on the RP. Have seen this quite often.

Champion
Rank: #152

Hi Arley,

No I haven't tried that.  I don't have control of the infrastructure, I am just working in an environment that is using SSL offloading.

In an interesting development, the upload control appears to be working now, and I am not aware of any changes.

I will update the thread if I find out what has changed to make it work.

Rank: #419

Maybe something was left unpublish and not fully refreshed. Once some publish was done, it started working correctly.