mixed content issues

[puschmie]

I stumbled accross some issues with the docker container.
Firefox as well as Chrome prohibit the use of mixed content from http and https sources.
the bludit image apparently uses http for internal ressources.
My quick and dirty fix was to add
add_header Content-Security-Policy "upgrade-insecure-requests;"
to default.conf in the running docker container.
If I'm not mistaken this will only solve the issue for modern browsers though, long term it would probably be better to upgrade the internal ressource loading to https.
I tried to open a pull request to implement this fix, but couldn't.
Would be very cool if this would be implemented. Just following the setup instructions doesn't lead to success in a production environment.

[dignajar]

Hi,
the docker image uses his own nginx and doesn't have TLS support, so internally is via HTTP.
If you want to add TLS you need to create your own Dockerfile and add the certificates and configure Nginx for use them.

[puschmie]

I'm running the image behind a nginx reverse proxy because I have multiple services on the same server.
I'm also not a pro at nginx configuration so I'm not quite sure how to go about this

[dignajar]

Have you tried to configure in Bludit settings the domain with the https:// ?

[puschmie]

no. because of the mixed content issues I can't access the admin panel :/ I guess it has something todo with the whole setup and how the nginx reverse proxy takes care of SSL certificates.

[jasminhacker]

I ran into the same problem when using nginx-proxy. I solved it by initializing bludit via http. Disabling https redirection can be done with these environment variables:

    environment:
      - HTTPS_METHOD=noredirect
      - HSTS=off

If you visited the page before, you need to clear the HSTS cache in order to access the unsecured page. Other nginx proxy solutions should have similar options.
Now bludit is accessible and the url can be changed in the settings to https://... as @dignajar suggested. Afterwards you can enable https redirection and hsts again. You probably also want to change the admin password over the secured connection.