Related

How did my database got hacked ? Question Question
Connect to DB installed into dedicated VPS (private networking) Question Question

Question

Strapi droplet is not secure(using only http) causing an error to login

Posted November 15, 2020 1.3k views
SecurityDigitalOcean DropletsStrapi

I created a website using ‘Gatsby.js’ and tried to use Strapi droplet which is hosted in digitalocean.
However after I added all the data to the backend and tried to log in my website, I see this error and can’t log in:

**login.js:25 Mixed Content: The page at 'https://myWebsite.com/login' was loaded over HTTPS, but requested an insecure resource 'http://188.1xx.1xx.251/auth/local'. 
This request has been blocked; the content must be served over HTTPS.**

So I looked at my droplet and found out that it’s not using https!
http://188.1xx.1xx.251/auth/local

When I created this site, I didn’t use ssl option. So I created another droplet which is using ssl, but it still using 'http’, not 'https’.

So my website is pretty much useless since I can’t log in.
Is there anybody who can help me with this please?

Add a comment
izzyangelworld
By:
izzyangelworld
edited by bobbyiliev

Related

How did my database got hacked ? Question Question
Connect to DB installed into dedicated VPS (private networking) Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
3 answers
bobbyiliev November 16, 2020

Hi there @izzyangelworld,

I believe that you have to edit your Strapi config and specify your domain name as the host rather than your Droplet’s IP address, that way the resources will be loaded directly from your domain rather than your IP address, which will fix the mixed content error.

You can take a look at how to do that here:

https://strapi.io/documentation/v3.x/deployment/nginx-proxy.html#strapi-server

Regards,
Bobby

Reply Report
  • ejp421 December 18, 2020

    Hi Bobby,

    I’m currently having a very similar issue but that doesn’t seem to resolve it for me.

    When I try to access my Admin panel, it throws this error:

    Mixed Content: The page at 'https://mydomain.dev/admin' was loaded over HTTPS, but requested an insecure resource 'http://XX.XXX.XX.XXX/admin/init'. This request has been blocked; the content must be served over HTTPS.

    I’ve gone through the guide and edited strapi.conf:

    server {
    # Listen HTTP
    listen 80;
    server_name mydomain.dev;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    # Listen HTTPS
    listen 443 ssl;
    server_name mydomain.dev;

    # SSL config
    ssl_certificate /etc/letsencrypt/live/mydomain.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.dev/privkey.pem;

    # Proxy Config
    location / {
        proxy_pass http://strapi;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass_request_headers on;
    }
}

    upstream.conf:

    # Strapi server
upstream strapi {
    server mydomain.dev:1337;
}

    and Strapi’s server.js:

    module.exports = ({ env }) => ({
  host: env('HOST', '0.0.0.0'),
  port: env.int('PORT', 1337),
  url: 'https://mydomain.dev',
  admin: {
    auth: {
      secret: env('ADMIN_JWT_SECRET'),
    },
  },
});

    along with the existing .env file just in case:

    NGINX_URL=https://mydomain.dev

    I restarted nginx, Strapi, and the droplet itself but it’s still throwing the same mixed content error

    Reply Report
    • bobbyiliev December 21, 2020

      Hi there,

      Your Strapi and Nginx configs look correct. However I think that te error indicates that the 'http://XX.XXX.XX.XXX/admin/init' Strapi URL is set to the server’s IP address.

      Have you tried clearing the cache of your browser to make sure that it has loaded the correct Strapi configuration where you’ve specified your domain name as the URL and https?

      Regards,
      Bobby

      Reply Report
BMarijuan February 2, 2021

Hello,

Any updates on the above? I am having the exact same issue on my droplet…

Reply Report
TomThats February 22, 2021

Had the same error after installing SSL certificate.

You have to rebuild the admin panel by doing so:

# go to your strapi folder, if you used the one-click droplet its probably this one
cd /srv/strapi/strapi-development

# rebuild your admin panel with npm/yarn
yarn run build

Then restart / reload everything just to make sure

Reply Report

Related

Looking for something else?

Ask a new question Search for more help