restricting http to https redirect for the url containing arduino text

Question

I have HTTP to HTTPS redirect configured in server, to display json data coming from arduino MCU on port 8090 I need to restrict http to https redirect, so following this I have configured my apache web server to below

<VirtualHost *:80>
      RewriteEngine on
      ServerName     192.168.1.45

      # force ssl
      RewriteCond     %{SERVER_PORT} ^80$
      RewriteRule     ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

      # force HTTP for /arduino
      RewriteCond    %{HTTPS} =on
      RewriteRule    ^(arduino) http://%{SERVER_NAME}%{REQUEST_URI} [L,R]

</VirtualHost>

then I restarted apache server and refreshed the page but I am still getting the error in browser console saying:

[Warning] [blocked] The page at https://www.example.com/arduino/gauge.htm was not allowed to display insecure content from http://www.example.com:8090/json. (jquery.min.js, line 5)

I have even tried :

<VirtualHost *:80>
      RewriteEngine on
      ServerName     192.168.1.45

      # force ssl
      RewriteCond     %{SERVER_PORT} ^80$
      RewriteRule     ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

      # force HTTP for /json
      RewriteCond    %(SERVER_PORT} ^8090
      RewriteCond    %{HTTPS} =on
      RewriteRule    ^(json) http://%{SERVER_NAME}%{REQUEST_URI} [L,R]

</VirtualHost>

but it doesnt work. same error in console, any help will be greatly appreciated.

Answer 1

I suspect that the issue is in the browser (client) not in your server config. For security reasons most of modern browser blocks all http requests when you get a page from https domain, in your case: https://san.gotdns.ch/arduino/gauge.htm

In MDN:

Starting with Firefox 23, Firefox blocks active mixed content by default. This follows a practice adopted by Internet Explorer (since version 9) and Chrome.

Maybe this article could be useful for you:

https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content

The interesting part:

How to fix your website

The best strategy to avoid mixed content blocking is to serve all the content as HTTPS instead of HTTP.

For your own domain, serve all content as HTTPS and fix your links. Often, the HTTPS version of the content already exists and this just requires adding an "s" to links - http:// to https://.

However, in some cases, the path may just be incorrect to the media in question. There are online as well as offline tools (depending on your operating system) such as linkchecker to help resolve this.

For other domains, use the site's HTTPS version if available. If HTTPS is not available, you can try contacting the domain and asking them if they can make the content available via HTTPS.