@dkorlovs

Fix for Mixed Content Error on Flame Graph Download

Problem

When attempting to download a flame graph SVG file over HTTPS, Chrome browser was blocking the download with the following error:

    Mixed Content: The site at 'https://gprofiler.domain.com/' was loaded over a secure connection,
    but the file at 'https://gprofiler.domain.com/api/flamegraph/download_svg?...' was redirected
    through an insecure connection.

Root Cause

The nginx reverse proxy was not forwarding the necessary headers to inform the backend application (FastAPI/Gunicorn) that the original request was made over HTTPS. This caused the backend to potentially generate HTTP redirects or URLs instead of HTTPS ones.

Solution

Two files were updated to fix this issue:

1. /deploy/https_nginx.conf

Added proxy headers to all location blocks to preserve the original HTTPS protocol information:

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;

These headers tell the backend:

  • X-Forwarded-Proto: The original protocol (https)
  • X-Forwarded-Host: The original host
  • X-Forwarded-Port: The original port
  • X-Forwarded-For: The client's real IP address

2. /src/gprofiler/run.sh

Added the --forwarded-allow-ips='*' flag to the gunicorn command line to make it trust and process the X-Forwarded-* headers:

    --forwarded-allow-ips='*'

This tells Gunicorn/Uvicorn to trust the forwarded headers from the nginx proxy and use them when building URLs.

Deployment

After applying these changes:

  1. Rebuild the Docker images:

    cd deploy
    docker-compose build webapp

  2. Restart the services:

    docker-compose restart webapp
    docker-compose restart nginx  # if nginx is in docker-compose

    Or if nginx is running separately:

    nginx -t  # test configuration
    nginx -s reload  # reload configuration

Testing

To verify the fix:

  1. Access the application over HTTPS
  2. Navigate to a flame graph view
  3. Click the "Download Flame Graph" button
  4. The file should now download successfully without mixed content warnings in the browser console

Security Note

The --forwarded-allow-ips='*' setting trusts all proxies. In a production environment with multiple proxy layers, you may want to restrict this to specific IP addresses or networks for better security.
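
To illustrate the Security Note above, here is an added example (not part of the pull request, and not Gunicorn's or Uvicorn's own code): a simplified Python model of the trust decision behind `--forwarded-allow-ips`, comparing `'*'` with an allow-list that contains only the proxy. The nginx address `172.18.0.5`, the sample requests and all function names are assumptions made for the illustration.

```python
import ipaddress

def parse_trusted(spec):
    """Parse a comma-separated allow-list; '*' means trust every peer.
    CIDR entries are accepted by this model only (an assumption, not a
    statement about what a given Gunicorn/Uvicorn version accepts)."""
    spec = spec.strip()
    if spec == "*":
        return None  # None represents the wildcard
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]

def is_trusted(peer_ip, trusted):
    """True if the directly connected peer may supply X-Forwarded-* headers."""
    if trusted is None:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)

def effective_scheme(peer_ip, wire_scheme, headers, trusted):
    """Scheme the app would use when building redirects and absolute URLs."""
    if not is_trusted(peer_ip, trusted):
        return wire_scheme  # forwarded headers from unknown peers are ignored
    proto = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else wire_scheme

NGINX_IP = "172.18.0.5"  # assumed address of the nginx container
# Constructed sample requests: (description, peer IP, request headers)
REQUESTS = [
    ("via nginx over TLS", NGINX_IP, {"x-forwarded-proto": "https"}),
    ("direct to backend, client-set header", "203.0.113.7",
     {"x-forwarded-proto": "https"}),
    ("direct to backend, no header", "203.0.113.7", {}),
]

def compare(specs=("*", NGINX_IP)):
    """Return {allow-list spec: [effective scheme for each sample request]}."""
    return {spec: [effective_scheme(ip, "http", hdrs, parse_trusted(spec))
                   for _, ip, hdrs in REQUESTS]
            for spec in specs}

if __name__ == "__main__":
    for spec, schemes in compare().items():
        print(f"forwarded-allow-ips={spec!r}")
        for (desc, _, _), scheme in zip(REQUESTS, schemes):
            print(f"  {desc:38} -> {scheme}")
```

With the wildcard, a request that reaches the backend without passing through nginx has its own `X-Forwarded-Proto` value honoured; with the allow-list, only the proxy's value is used, which is the restriction the Security Note recommends.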

@mlim19
Contributor

mlim19 commented Oct 22, 2025

Looks good to me. @prashantbytesyntax, can you try this solution and let us know if it works for you?
