Mixed mode SSL connection caused by project's avatar
Created by: xperseguers
Your connection to git.example.com is encrypted using a modern cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
Everything is properly using https except:
- Project's avatars, which are included as `http://git.example.com:443/uploads/project/avatar/14/myproject.gif` (mind the `http://` and `:443`), which get loaded over https anyway due to the non-authoritative reason of having HSTS active
SSL configuration is done from end to end (well... nginx):
CloudFlare (SSL) <---> Nginx (SSL) <---> Nginx GitLab (SSL) <---> GitLab
`gitlab.yml` is using "standard" https configuration:

```yaml
production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings
    host: git.example.com
    port: 443
    https: true
```
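
An added example, not part of the original report or of GitLab's code: a small audit script that scans rendered HTML for subresources referenced over `http://` and separately flags the `http://` plus `:443` combination reported above. The sample page is constructed; only the avatar URL comes from the report, and the function and label names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
# <a href> is navigation only and is not mixed content.
# Simplification: every <link href> is treated as a fetch, whatever its rel.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}

class MixedContentFinder(HTMLParser):
    """Collects subresources that a page references over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name != wanted or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # https://, data:, relative and //host URLs pass
            # http:// on port 443 is the combination seen in the avatar URL.
            reason = ("http-scheme-on-port-443" if parts.port == 443
                      else "insecure-scheme")
            self.findings.append((tag, value, reason))

def find_mixed_content(html):
    """Return (tag, url, reason) for each insecure subresource reference."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page; only the avatar URL is taken from the report.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://git.example.com/assets/application.css">
<script src="/assets/application.js"></script>
</head><body>
<a href="http://example.org/">plain link, navigation only</a>
<img src="http://git.example.com:443/uploads/project/avatar/14/myproject.gif">
<img src="//git.example.com/uploads/user/avatar/1/me.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url, reason in find_mixed_content(SAMPLE_HTML):
        print(f"{reason}: <{tag}> {url}")
```

Running this against the HTML the server actually sends (for example from `curl`) catches references that the browser silently upgrades because of HSTS.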