Insecure content in the login form

Özgür Türker
Kilo Guru

We installed a new instance on premise on our cloud environment. However, when I try to log in I get "This page is trying to load scripts from unauthenticated sources". In detailed exploration I find

"Mixed Content: The page at 'https://xxx.yyy.com/' was loaded over HTTPS, but requested an insecure form action 'http://xxx.yyy.com/login_redirect.do?sysparm_stack=no'. This request has been blocked; the content must be served over HTTPS."

We use a load balancer for SSL offloading with a 302 redirect (HTTP requests are redirected to HTTPS).

Is there something wrong in the load balancer configuration, or should I try to solve it in the instance properties?

Thanks in Advance,

Özgür

1 ACCEPTED SOLUTION

The problem lies in the load balancer's 302 redirect rule. The rule below should be added to the load balancer:

    when HTTP_RESPONSE {
        # Only act on redirect responses coming back from the instance
        if { [HTTP::is_redirect] } {
            # Location points at our own domain but still uses plain http
            if { [string tolower [URI::host [HTTP::header Location]]] contains "<yourdomain.com>" and [URI::protocol [HTTP::header Location]] equals "http" } {
                # Swap the leading "http" (characters 0-3) for "https"
                HTTP::header replace Location [string replace [HTTP::header Location] 0 3 https]
            }
        }
    }


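An added example, not part of the original posts and not ServiceNow or F5 code: a Python check that mirrors the rule's decision, so you can verify which redirect `Location` headers would still trigger the mixed-content block. `example.com`, the function names and the sample responses are constructed assumptions, and host matching here is exact-or-subdomain rather than the rule's `contains`.

```python
from urllib.parse import urlsplit

SITE_DOMAIN = "example.com"  # assumption: stands in for <yourdomain.com>
REDIRECTS = (301, 302, 303, 307, 308)

def host_in_site(host, domain=SITE_DOMAIN):
    """Exact host or subdomain match (stricter than a substring test)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def fix_location(status, location, domain=SITE_DOMAIN):
    """Return the Location a browser should see behind the TLS-offloading LB.

    Only absolute http:// redirects to our own domain are upgraded; relative
    URLs, other hosts and https:// URLs pass through unchanged.
    """
    if status not in REDIRECTS or not location:
        return location
    parts = urlsplit(location)  # scheme and hostname are lower-cased by urlsplit
    if parts.scheme == "http" and host_in_site(parts.hostname, domain):
        return parts._replace(scheme="https").geturl()
    return location

def audit(responses, domain=SITE_DOMAIN):
    """List (path, location) pairs that still send the browser to plain HTTP."""
    return [(path, loc) for path, status, loc in responses
            if fix_location(status, loc, domain) != loc]

# Constructed sample responses (path, status, Location); not captured traffic.
SAMPLE = [
    ("/", 302, "http://sn.example.com/login_redirect.do?sysparm_stack=no"),
    ("/a", 302, "https://sn.example.com/navpage.do"),
    ("/b", 302, "/login.do"),
    ("/c", 302, "http://example.com.other.test/x"),
    ("/d", 200, None),
    ("/e", 301, "HTTP://SN.Example.COM/home"),
]

if __name__ == "__main__":
    for path, loc in audit(SAMPLE):
        print(path, loc, "->", fix_location(302, loc))
```

Run against the headers seen by a client on the HTTPS side of the load balancer; an empty `audit` result means no redirect on your domain is still pointing at `http://`.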

3 REPLIES 3

Dave Smith1
ServiceNow Employee

It looks like not all URLs are https:// enabled - so the browser is giving a warning that plain-text content is being requested for an encrypted session.



Flag it up to the team that did the on-premise installation - they should be able to fix the issue.


I did the on-premise installation, so I should fix it. However, I only did the steps described in the "ServiceNow KB Deployment Guide (KB0563731).pdf" document. It looks like a load balancer issue; it exists after the load balancer 302 redirect configuration, but I should prove it.



Regards,


Özgür

