deso-protocol/run

Client sent an HTTP request to an HTTPS server.

jsemrau opened this issue · 9 comments

Observed behavior:

When connecting to the API https:///get-exchange-rate, i.e., I get a
CORS Missing Allow Origin "Client sent an HTTP request to an HTTPS server."

Configuration:

  1. VPS with fixed IP and domain.
  2. api and domain are pointing to the node
  3. Replaced bitclout.me with domain in nginx.dev
  4. added Content-Security-Policy in Caddyfile
  5. SSL has been added to the nginx.dev (letsencrypt)

Expected behaviour:
API connects to the backend.

tijno commented

Are you using subdomain for your node or root? I think I saw a similar error when I tried to use a subdomain for my node.

I don't have a subdomain for the node, only for the API. Per doc that is instructed:

> Deploy your node on any cloud provider with a static IP to make it accessible to anyone on the internet.
> If you do this, you must point two domains at your node. domain.com and api.domain.com.

Maybe this curl trace might give some insights. I believe Nginx is incorrectly configured.

```
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <api.domain>
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Server: nginx/1.19.10
< Date: Wed, 28 Apr 2021 15:06:51 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
<
Client sent an HTTP request to an HTTPS server.
* Connection #0 to host <api.domain> left intact
```

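
The body of the 400 response in the trace above is the fixed text that Go's `net/http` server writes when a plaintext HTTP request arrives on a TLS listener. As an added example (not from the thread or the deso-protocol code), this Go program reproduces that reply locally by speaking plaintext to a test TLS server; that the service behind nginx here is such a Go listener is an assumption the thread does not confirm, and the host name and function names are made up for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// plaintextToTLS sends an unencrypted HTTP/1.1 request to a local TLS server,
// as a reverse proxy does when its upstream is http:// but the port speaks TLS.
func plaintextToTLS() (string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "handler reached") // never runs: the TLS handshake fails first
	}))
	defer srv.Close()

	conn, err := net.DialTimeout("tcp", srv.Listener.Addr().String(), 2*time.Second)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(2 * time.Second))

	// Constructed request; api.example.test is a placeholder host name.
	req := "GET / HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
	if _, err := io.WriteString(conn, req); err != nil {
		return "", err
	}
	raw, err := io.ReadAll(conn) // the server replies once, then closes
	if len(raw) > 0 {
		err = nil // a reset after the reply still leaves a complete answer
	}
	return string(raw), err
}

// fromGoTLSListener reports whether a response carries the body net/http
// writes when it sees plaintext HTTP on a TLS port.
func fromGoTLSListener(resp string) bool {
	return strings.Contains(resp, "Client sent an HTTP request to an HTTPS server.")
}

func main() {
	resp, err := plaintextToTLS()
	fmt.Printf("err=%v\n%q\nmatches trace: %v\n", err, resp, fromGoTLSListener(resp))
}
```

When a proxy sits in front, a match on this body points at the hop between the proxy and its upstream rather than at the browser-to-proxy connection, which is where the scheme of the upstream URL is worth checking.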
tijno commented

The only other times I've had issues with CORS and the API on a self-hosted node is when something goes wrong with the login session / identify.bitclout.com. E.g. just now I got CORS errors on api.domain.com/admin/* routes on my mobile, while desktop was fine. Logging out of both bitclout.com and my own node, then logging back into the node, resolved it on mobile and did not cause issues on desktop.

Earlier today I had the CORS issues on desktop but not on mobile.

> Are you using subdomain for your node or root? I think I saw a similar error when I tried to use a subdomain for my node.

Is this confirmed as an issue? May explain the problem I'm having trying to set up with a real domain and SSL.
I'm trying as follows...
bitclout.mydomainname.com
api.bitclout.mydomainname.com

(As opposed to mydomainname.com and api.mydomainname.com)

SSL is all set up properly with letsencrypt and confirmed valid and working (for both subdomains).
Can browse to the website and get the login/signup page, try to sign in and get the security pop-up (although I don't see identity.bitclout.com mentioned?!) - but then nothing, just stays on login page.

Would love to know if this could be fixed if it is the sub-subdomain issue.

Further to that, could this be the issue? (api only appended if environment is production)

In `src/app/global-vars.service.ts`:

```ts
if (!this.localNode) {
  const hostname = (window as any).location.hostname;
  if (environment.production) {
    this.localNode = `api.${hostname}`;
  } else {
    this.localNode = `${hostname}:17001`;
  }

  this.backendApi.SetStorage(this.backendApi.LastLocalNodeKey, this.localNode);
}
```

tijno commented

> Is this confirmed as an issue?

I can't test this as I use Cloudflare for SSL and they only support 1 level subdomain (sub.domain.com), not supporting sub.sub.domain.com.

> but then nothing, just stays on login page.

Check the web dev console - most likely it will show CSP errors.

> Further to that, could this be the issue? (api only appended if environment is production)

That's no longer present since they moved the API onto the root domain /api/ folder.

It is now:

```ts
this.localNode = hostname;
```

If your node's code is still showing ``this.localNode = `api.${hostname}`;`` I suggest you take down the containers, pull the latest changes from the repo and bring the containers back up with fresh images.

First of all, sorry, I didn't mean to hijack this issue!

Hi tijno - sorry, yes, you are absolutely right, I thought I had pulled the latest frontend, but hadn't!
However, I do still appear to be having the login issue with my node (using the latest pulled "run" repo).

Re API - I don't suppose anyone has a nice export of a Postman collection?
Even just a simple API call for e.g. {{host}}/api/v0/get-single-profile would be good, just to see if/what I'm missing from the request.

Thanks - I'll try not to hijack threads again (sorry jsemrau !)

I believe this is fixed. Please reopen if you're still experiencing this issue.