Stewardship Tier static pages are a feature that allows external HTML content to be embedded, and this feature has been used to successfully embed various strategic-partner’s content into the Stewardship Tier. If the Stewardship Tier has been configured to use HTTPS then the embedded content must also be delivered by HTTPS. See this article for full details https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content.
Issue
If the embedded content is only available over HTTP then it will be blocked by the browser and messages similar to the image below are written to the console.
In the example above, IIS has been configured to support HTTPS for the Stewardship Tier yet the data lineage Tomcat server is only configured to support HTTP, so the embedded content is not displayed.
In theory, the easiest way to solve this problem is to configure all web servers to deliver content over HTTPS, but this may not be possible. However, it is possible to configure a reverse proxy in IIS to deliver the insecure content securely. As an example, consider the following configuration that results in blocked content.
- Stewardship Tier
- URL https://DSP_SERVER/dsp
- Server DSP_SERVER
- Port 443
- Path /dsp
- Embedded Data Lineage
- URL http://LINEAGE_SERVER:8080/RaaS
- Server LINEAGE_SERVER
- Port 8080
- Path /RaaS
With a reverse proxy configured we can deliver the Data Lineage content securely via
https://DSP_SERVER/RaaS
Solution: Configure a Reverse Proxy in IIS
- Install the URL Rewrite component from Microsoft into IIS.
- Install Application Request Routing (from Microsoft) into IIS.
- Add a new empty application in IIS. In this example we use the same alias (RaaS) as the application we’re routing to.
- Select the URL Rewrite option for the new application.
- Add a new rule.
- Select Reverse Proxy.
- Configure the inbound rule to forward requests to the backend server and use SSL Offloading to forward the HTTPS request over HTTP.
The configuration is complete, requests to the secure server will be forwarded to the insecure server and results will be delivered back to the browser over HTTPS, for example a request to https://secureserver/RaaS will be redirected by IIS to http://localhost:8080/RaaS.
The Stewardship Tier static page can now be adjusted to use the secure URL.