To make my story short, here is the error message shown (in the Chromium console):
Mixed Content: The page at 'https://example.com/#/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/login'. This request has been blocked; the content must be served over HTTPS.
And you see this message if you click the security icon (in the Chromium address bar):
Investigating this further, I noticed that on the page load event we make a request to the /api/account secure endpoint, and since first-time visitors are not usually authenticated, this request gets redirected to the /login path (somewhere?), but over HTTP and not HTTPS, which would be the desired behaviour in my case.
I suspect that this is because I use my JHipster application behind a reverse proxy, and my reverse proxy is responsible for serving requests over HTTPS. In other words, my JHipster application doesn't know that we are using HTTPS.
I also tried to debug my client-side code to see if I could override this behaviour, but I noticed this redirect is not triggered from either auth-expired.interceptor.ts or errorhandler.interceptor.ts.
So more likely this redirect is happening from my server-side code and maybe could be overridden by changing a Spring Security config?
Thank you JHipsters! :-)
Set server.use-forward-headers: true in your application.yml. Make sure your proxy server is also configured to add X-Forwarded-For and X-Forwarded-Proto headers. For Nginx, you can add proxy_set_header X-Forwarded-Proto $scheme; in the location section. This will fix your 302 redirects which are built from the proxy headers. This is described in the Spring Boot docs for running behind a proxy server, also there was a related GitHub issue.
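An added example (not part of the original answer, and a simplified model rather than Spring's actual code) of why the /login redirect comes back as http:// until the application honours X-Forwarded-Proto. The function names, the loopback trusted-proxy range and the sample headers are assumptions made for illustration.

```python
"""Simplified model (not Spring's code) of how a backend behind a
TLS-terminating proxy builds the absolute URL for its 302 to /login."""
import ipaddress
from urllib.parse import urlunsplit

# Assumption: the reverse proxy reaches the app from loopback only.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]
# The proxy -> app hop is plain HTTP, so this is all the app sees by itself.
CONNECTION_SCHEME = "http"


def effective_scheme(peer_ip, headers, use_forward_headers):
    """Scheme the app believes the browser used."""
    if not use_forward_headers:
        return CONNECTION_SCHEME
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Forwarded headers from a peer that is not the proxy are ignored.
        return CONNECTION_SCHEME
    proto = headers.get("X-Forwarded-Proto", "").strip().lower()
    return proto if proto in ("http", "https") else CONNECTION_SCHEME


def login_redirect(peer_ip, headers, use_forward_headers):
    """Location header for an unauthenticated request to /api/account."""
    scheme = effective_scheme(peer_ip, headers, use_forward_headers)
    return urlunsplit((scheme, headers["Host"], "/login", "", ""))


def is_mixed_content(page_url, location):
    """True when an HTTPS page would be sent to a plain-HTTP endpoint."""
    return page_url.startswith("https://") and location.startswith("http://")


if __name__ == "__main__":
    page = "https://example.com/#/"
    # Constructed sample of what the app receives from the proxy.
    proxied = {"Host": "example.com", "X-Forwarded-Proto": "https"}
    for label, peer, flag in [
        ("proxy headers ignored", "127.0.0.1", False),
        ("proxy headers honoured", "127.0.0.1", True),
        ("header from untrusted peer", "203.0.113.7", True),
    ]:
        loc = login_redirect(peer, proxied, flag)
        print(f"{label}: {loc} mixed_content={is_mixed_content(page, loc)}")
```

The Nginx line in the answer sets X-Forwarded-Proto from $scheme on every proxied request, so the application receives the proxy's value rather than whatever a client put in that header.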