Resolving Mixed Content Errors in Posit Connect behind F5 with SSL Termination

Overview

This article explains how to fix Mixed Content errors in Posit Connect when served behind an F5 load balancer with SSL terminated at the F5. The issue is resolved by injecting a custom header (X-RSC-Request) using an iRule, allowing Posit Connect to recognize the original client-facing URL and protocol.


Symptoms

You may see errors like the following in the browser developer tools console:

Mixed Content: The page at https://connect.proxy.company.com/connect/#/apps/abc123/access/42 was loaded over HTTPS, but requested an insecure frame http://connect.proxy.company.com/content/abc123/vKN0K6qgA/.
This request has been blocked; the content must be served over HTTPS.


Cause

When SSL is offloaded at the F5, Posit Connect may not know the original request came over HTTPS. As a result, it may generate http:// iframe or resource URLs, leading to mixed content issues.

This happens when:

  • The X-Forwarded-Proto header is not present or not trusted.

  • Posit Connect is unaware of the full original request context.


Resolution

Step 1: Add iRule to Inject the X-RSC-Request header

Create the following iRule to construct and inject the full original client URL:

when HTTP_REQUEST {
    # Assume HTTPS due to SSL termination
    set scheme "https"
    set host [HTTP::host]
    set uri [HTTP::uri]
    set full_url "${scheme}://${host}${uri}"

    # Insert the custom header
    if { not ([HTTP::header exists "X-RSC-Request"]) } {
        HTTP::header insert "X-RSC-Request" $full_url
    }
}

Step 2: Attach iRule to HTTP Profile

  1. Go to Local Traffic > Profiles > Services > HTTP

  2. Edit the HTTP profile associated with your Posit Connect virtual server

  3. Attach the iRule created above


Expected Result

With the header in place, Posit Connect will:

  • Recognize that the original request was made over HTTPS

  • Generate iframe and asset URLs with https://

  • Eliminate browser-side mixed content errors


Additional Recommendations

  • Ensure that X-Forwarded-Proto: https is passed correctly (either via iRule or HTTP profile setting)

  • Disable the warning that Posit Connect shows at the top of pages, stating that Connect is being accessed over an insecure connection:

    ; /etc/rstudio-connect/rstudio-connect.gcfg
    [HTTP]
    NoWarning = true

  • Make sure Posit Connect's configuration file includes the https address:

    ; /etc/rstudio-connect/rstudio-connect.gcfg
    [Server]
    Address = https://connect.proxy.company.com/
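
The iRule in Step 1 leaves an X-RSC-Request header in place when one is already on the request, so a value sent by a client is forwarded to Connect unchanged. The variant below is an added example, not part of the original article or Posit's documentation: it assumes the F5 is the first proxy that clients reach, removes any inbound copies of X-RSC-Request and X-Forwarded-Proto, and then sets both itself.

```tcl
when HTTP_REQUEST {
    # SSL is terminated on this virtual server, so the client-facing
    # scheme is https (same assumption as the Step 1 iRule).
    set scheme "https"
    set full_url "${scheme}://[HTTP::host][HTTP::uri]"

    # Remove every copy the client may have sent, so only the values
    # set below reach Posit Connect.
    HTTP::header remove "X-RSC-Request"
    HTTP::header remove "X-Forwarded-Proto"

    # Set both headers from what the F5 itself observed.
    HTTP::header insert "X-RSC-Request" $full_url
    HTTP::header insert "X-Forwarded-Proto" $scheme
}
```

If another trusted proxy in front of the F5 already sets these headers, keep the Step 1 form, which preserves an existing X-RSC-Request.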

Reference

For additional documentation, see:

Running with a proxy
