R
Railway14mo ago
p1gp3n

Mixed Content error: HTTP vs. HTTPS

I have a Railway/React/Vite frontend accessing a Railway/Fastapi backend, and my frontend receives the following error: Mixed Content: The page at 'https://domain' was loaded over HTTPS, but requested an insecure resource 'http://domain'. This request has been blocked; the content must be served over HTTPS. The URL does indicate https, but it seems Railway is trying to serve it on HTTP, which is rejected by the browser.
Strangely, it seems to only occur on the first request to the backend. Clicking to another page and returning, no longer an error.
I have been looking to see if I can change a Railway setting to force HTTPS. I do see under settings Railway explicitly mentions that I can acess my app over HTTP (see image) but this is not what I want. Project ID: ac828fce-6f54-43e9-825c-ac4871d226ba
No description
34 Replies
Percy
Percy14mo ago
Project ID: ac828fce-6f54-43e9-825c-ac4871d226ba
Brody
Brody14mo ago
railway is not requesting something over http, this is your app doing that, since railway runs your code as is please share the frontends repo
p1gp3n
p1gp3n14mo ago
my app uses this url (with https) as the base url and appends the api endpoint to each call, so it always asks for https. i don't have any references to 'http:' in my app
No description
Brody
Brody14mo ago
prepend*
p1gp3n
p1gp3n14mo ago
yes, prepends
Brody
Brody14mo ago
send me the frontends domain please
p1gp3n
p1gp3n14mo ago
utilitygpt-stage.up.railway.app
Brody
Brody14mo ago
in clickable form please
Brody
Brody14mo ago
and send your package.json as a file
p1gp3n
p1gp3n14mo ago
that's staging. prod is here: https://utly.ai/
Brody
Brody14mo ago
not that it's causing this problem, but you are serving an spa app without putting serve into spa mode
p1gp3n
p1gp3n14mo ago
thanks- will take a look
Brody
Brody14mo ago
the start command you want is serve -s -n -L -p $PORT i dont see any http requests?
p1gp3n
p1gp3n14mo ago
it tends to be intermittent. you can see below this 307 error. it's requesting the resource at HTTP vs. HTTPS
No description
Brody
Brody14mo ago
the 307 is a redirect code, your frontend is fine, your backend is sending the redirect to a non https location
Brody
Brody14mo ago
No description
Brody
Brody14mo ago
so this is a code issue with the backend
p1gp3n
p1gp3n14mo ago
my backend code has no reference to http. i just start it with uvicorn
Brody
Brody14mo ago
some kind of middleware or something, this is a code issue I assure you, railway is not sending the 307, your app is
p1gp3n
p1gp3n14mo ago
what's strange is it is intermittent. if i refresh the page, it goes away. sometimes i can just hit the page and the issue isn't there. our only middleware is cors and logging
Brody
Brody14mo ago
I see that it is a redirect to a location without a trailing slash the request has a trailing slash, and the redirect location does not
p1gp3n
p1gp3n14mo ago
but why does the redirect send to http?
Brody
Brody14mo ago
you haven't trusted the proxy's headers so your app thinks it's being requested over http, therefore it redirects to http as well
p1gp3n
p1gp3n14mo ago
we haven't setup a proxy in our frontend deployment. is this recommended, and if so, are there railway guidelines for this? regarding the trailing slash, this is the way that route is setup:
@router.get("/byemail/{email}", response_model=User)
@router.get("/byemail/{email}", response_model=User)
(with the trailing slash)
Brody
Brody14mo ago
I'm talking about railways proxy you make a request via https to railways proxy, railways proxy forwards that request to your app via http, it attaches an X-Forwarded-Proto header that's equal to https, so that if needed your app would know what the original users request was made with, but you haven't trusted that header, so your app still thinks the request was done with http
p1gp3n
p1gp3n14mo ago
ok. i believe there's a uvicorn command to trust the reverse proxy
Brody
Brody14mo ago
sounds about right
p1gp3n
p1gp3n14mo ago
let me try that...
Brody
Brody14mo ago
sounds good
p1gp3n
p1gp3n14mo ago
tried updating the dockerfile's uvicorn command, but issue is still intermittently there. fyi did this:
CMD uvicorn electricgptapi.main:app --host 0.0.0.0 --port $PORT --proxy-headers
CMD uvicorn electricgptapi.main:app --host 0.0.0.0 --port $PORT --proxy-headers
do i need to add a specific host to trust railway's reverse proxy?
Brody
Brody14mo ago
that would be a question for uvicorn's documentation
p1gp3n
p1gp3n14mo ago
i'll try this via fastapi
Want results from more Discord servers?
Add your server