Mixed Content being served - can't make changes to issues

Brett Ludwig November 5, 2018

Getting the following error when trying to make changes to an issue (mark as done, etc)

"The JIRA server could not be contacted. This may be a temporary glitch or the server may be down."

If I look at the developer tools, it is trying to make a request over HTTP. The base URL is set to HTTPS already.

I have done setup according to https://confluence.atlassian.com/adminjiraserver073/integrating-jira-with-apache-using-ssl-861253896.html

 

Mixed content console message:

Mixed Content: The page at 'https://jira.[domain]/browse/BEADS-4' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://jira.[domain]/secure/CommentAssignIssue!default.jspa?_=1541458721431&action=21&inline=true&atl_token=[token]'. This request has been blocked; the content must be served over HTTPS.

It is also trying to load profile images over HTTP. Not sure why it is ignoring the base URL setting as HTTPS. 

2 answers

1 accepted

2 votes
Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 6, 2018

I have seen this happen before. Just because you have the base url in Jira set to use HTTPS, that doesn't mean that Tomcat (jira's web server) understands where traffic routed to it is coming from.  When I have seen this mixed contain message it's because a configuration setting has been missed.

I would return to your $JIRAINSTALL/conf/bin/server.xml file.   In that file, you should have added the following parameters to your <connector>

proxyNameproxyPortscheme

Since we know you're using apache to proxy the information, you probably need to set the proxyName value equal to your jira.example.com address.   The proxyPort is like 443 if you're using SSL on the default port for https.  And the scheme here should be https.  So your connector should look something like this:

<Connector 
acceptCount="100" 
disableUploadTimeout="true" 
enableLookups="false" 
maxHttpHeaderSize="8192" 
maxThreads="150" 
minSpareThreads="25" 
port="8443" 
protocol="HTTP/1.1" 
useBodyEncodingForURI="true"
proxyName=jira.example.com
proxyPort="443"
scheme="https"
/>

If these are not set yet, you need to add them, save this file, and then restart Jira again for these to take effect.

Brett Ludwig November 7, 2018

That is pretty close to what I had, I played around with port and proxyport, but I didn't notice any change after restarting the JIRA server with those settings. I didn't find the server.xml in the /bin/ directory as you mentioned, though, it was in the conf directory. Is there a discrepancy there? 

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 9, 2018

Sorry, that was my typo.  The file location does exist in the $JIRAINSTALL/conf/ directory only.

What version of Jira is this?  

Could you share with us the content of your current server.xml file?   Specifically any/all <Connector> tags you might have.  I'm not looking for keystore/password information, just trying to understand your settings better.

Brett Ludwig November 19, 2018

JIRA v6.4.9



<Service name="Catalina">

<Connector port="8080"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"/>


<Connector port="8443" protocol="HTTP/1.1"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
proxyname="jira.[myserver]" proxyPort="443"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="false"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>

 

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 19, 2018

Ok, that looks typical.  You have two connectors where you can reach jira: 8080 and 8443.   You can get this mixed content type error in two different ways with this setup.

  1. One way you can get this is to have the Base URL in Jira set to use the http/8080 address but still try to access the site over the HTTPS address.
  2. The other way would be to set the base url to the HTTPS address and in turn try to access the site over the http connector.  

Basically, Jira is trying to contact itself at whatever base url you have set.  If you're connecting to the site over the other connector, it is possible you would be getting this kind of mixed content error.

Does this help?  Can you confirm what values you have set in the base url vs. the address that you are accessing Jira at when you see this issue?

Brett Ludwig December 4, 2018

Base URL is  https://jira.[mydomain]. 

 

Address I am accessing JIRA when I see the issue is:

https://jira.[mydomain]/secure/Dashboard.jspa

Brett Ludwig December 4, 2018

Apache conf:

 

<VirtualHost *:443>
ServerName jira.[mydomain]
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile ~~~~~~~~~~~~~~~~~
SSLCertificateKeyFile ~~~~~~~~~~~~~~~~
</VirtualHost>

 

<VirtualHost *:80>
ServerName jira.[mydomain]
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
RewriteEngine on
RewriteCond %{SERVER_NAME} =jira.[mydomain] [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 7, 2018

OK, so I can see something here that I think is the cause of this mixed content error.  Your apache conf looks ok to me.  However Apache is redirecting all the traffic it receives on port 443 to Jira's tomcat site which is using port 8080.  The connector you have in Jira for port 8080 is not setup to use the proxyName, proxyPort, or scheme parameters.  They should be in this case.

If you leave the apache config as is, I think you can fix this problem by adding

proxyname="jira.[myserver]" 
proxyPort="443"
scheme="https"

to your connector on port 8080.  Save these changes, and then restart Jira for these to take effect.

With the settings you currently have, Jira's Tomcat is not properly being made aware that traffic to it is being redirected from your apache.

Like flant_charlie likes this
Brett Ludwig December 7, 2018

That fixed it, thanks!

0 votes
vmadaan August 11, 2020

Hello 

 

I am having same issue.

proxyNameproxyPortscheme did not work

 

Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure script '<URL>'. This request has been blocked; the content must be served over HTTPS.

This started happening after we changed the jira from http to https

Base URL: https://jira.***com:8443

My Server.xml file looks like:

<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;" useBodyEncodingForURI="true"/>


<Engine defaultHost="localhost" name="Catalina">
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">

<Context docBase="${catalina.home}/atlassian-jira" path="" reloadable="false" useHttpOnly="true">
<Resource auth="Container" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60" name="UserTransaction" type="javax.transaction.UserTransaction"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120"/>
</Context>

</Host>
<Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>

 

<Connector SSLEnabled="true" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="jira.***.com" keystoreFile="D:\Atlassian\Application Data\JIRA\jira.***.com.jks" keystorePass="******" keystoreType="JKS" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 19, 2020

The use of proxyName and proxyPort is really only appropriate for when you have a reverse proxy in front of Jira, such as Apache, nginx, IIS, etc.  In your case, it looks like you are terminating SSL directly in Jira's Tomcat container.  That's fine to do, but you don't need those parameters in that case.

From looking at your config file, I think your connector using port 8443 has a

secure="false" 

when it should be

secure="true"

This is also cited in the guide Running Jira applications over SSL or HTTPS , which is more appropriated for this kind of configuration.

Try changing that, save the file, and then restart Jira.  If you're still seeing that same error, then I'd be interested to learn more about what URL you are visiting in Jira when you see this.  Is this the same as the base URL set within Jira's system settings?

Suggest an answer

Log in or Sign up to answer