Mixed content warning while embedding
-
I embedded Kimai into Nextcloud (
https://foo.bar) using the external sites addon. My embedded link looks like:https://time.foo.bar/
I also added CSP headers for Kimai to Kimai's security tab within Cloudron: frame-ancestors foo.bar;If I open the site through Nextcloud, I get a mixed content warning and no content at all.
Mixed Content: The page at 'https://foo.bar/apps/external/8' was loaded over HTTPS, but requested an insecure frame 'http://time.foo.bar/de/login'. This request has been blocked; the content must be served over HTTPS.The reason of this is because the client is redirected to the login form without https and therefore blocked because of mixed content. It is well documented at the Kimai documentation why this happens and what to do.
In our case we can add our (Cloudron) docker proxy as trused proxy:
TRUSTED_PROXIES=172.18.0.1to Kimai's .env file. I can edit the .env file during runtime but I can't edit the env.template so my changes do not persist app restarts or updates.@nebulon / @girish can you please add the Cloudron proxy IP to Kimai's env.template? We have done something similar for Jirafeau, see Commit 0f5966a7
