FortiWeb
hassanm
Staff
Article Id 282156
Description

 

This article describes issues that may occur when a FortiWeb virtual server (VS) uses HTTPS only. Any active mixed content that these pages request over HTTP is blocked by the browser by default. Consequently, the website may appear broken to users (for example, iframes or plugins do not load).

 

Scope

 

FortiWeb.

 

Solution

 

In the following scenario, FortiWeb communicates with both the client and the backend server over HTTPS: Client (HTTPS) > FortiWeb VIP > (HTTPS) Real Server.

 

However, the page served by the backend needs to load some components over HTTP:

 

[Screenshot: http://vip1.internal.lab/mixed.html in Mozilla Firefox]

 

Consequently, the content is blocked and a mixed block error appears:

 

Picture1.png

 

To fix this issue, use one of the following methods:

 

  • Content Security Policy: Under header security policy -> content security policy, enable upgrade-insecure-requests. This instructs the user agent to rewrite all insecure HTTP URLs on the page and send those requests over HTTPS.

 

Picture2.png

 

  • Rewrite rule: Go to Application Delivery -> URL Rewriting and select the URL Rewriting Rule tab. A rule configured here replaces any 'HTTP' with 'HTTPS' in the body of the backend server response.

Picture3.png

After making these changes, all page content will load with no errors:

Picture4.png
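
To confirm either fix from the client side, the following Python (an added example, not part of the original article or FortiWeb itself) scans a response body for http:// subresources and checks whether the response carries upgrade-insecure-requests. The tag list, hostnames and sample body are constructed assumptions.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch subresources; "active" ones get blocked.
KINDS = {("script", "src"): "active", ("iframe", "src"): "active",
         ("link", "href"): "active", ("object", "data"): "active",
         ("embed", "src"): "active", ("img", "src"): "passive",
         ("video", "src"): "passive", ("audio", "src"): "passive"}


class MixedContentFinder(HTMLParser):
    """Collect http:// subresource references from an HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        # <link rel="canonical"> and similar do not fetch anything.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        for name, value in attrs.items():
            kind = KINDS.get((tag, name))
            if kind and value.lower().startswith("http://"):
                self.findings.append((kind, tag, value))


def csp_upgrades(headers):
    """True if a Content-Security-Policy header has upgrade-insecure-requests."""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            if any(d.split()[:1] == ["upgrade-insecure-requests"] for d in value.lower().split(";")):
                return True
    return False


def audit(headers, body):
    """Return (findings, still_blocked) for one response seen by the client."""
    finder = MixedContentFinder()
    finder.feed(body)
    finder.close()
    has_active = any(kind == "active" for kind, _, _ in finder.findings)
    return finder.findings, has_active and not csp_upgrades(headers)


# Constructed sample response body (hostnames are placeholders).
SAMPLE = ('<link rel="canonical" href="http://vip.example/mixed.html">'
          '<script src="http://cdn.example/app.js"></script>'
          '<iframe src="http://frames.example/widget"></iframe>'
          '<img src="http://img.example/logo.png"><a href="http://x.example/">x</a>')
```

With either fix the upgraded or rewritten URL is requested over HTTPS, so each referenced host must actually serve that resource over HTTPS for the page to load cleanly.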