Are both sides of reverse proxy configured to handle X-Forwarded headers?

When I run my app locally (http) it works fine.
When I run it on Railway (https) it works fine.
When I run it on fly.io (http) it works fine.

But after I enabled https on fly.io, when my login screen loads in the browser, I see this in the browser console:

Mixed Content: The page at 'https://dbme.app/sw.js' was loaded over HTTPS, but requested an insecure resource 'http://dbme.app/login'. This request has been blocked; the content must be served over HTTPS.

sw.js:1 Uncaught (in promise) TypeError: Failed to fetch
    at X.fetch (sw.js:1:3960)
    at d._handleInstall (sw.js:1:8482)
    at d._handle (sw.js:1:7953)
    at async d._getResponse (sw.js:1:7010)

I am using JDK 21 + Spring Boot 3.2.2 + Vaadin Flow 24.3.3

The Vaadin team has told me:

===
If the application is behind a reverse proxy, double check that both sides are configured to handle X-Forwarded headers

I have no clue how to check or adjust this in fly.io.

Any help is appreciated.

Matt M.

Has no one else here encountered this similar issue and solved it?

Hi @dbME—Fly.io’s reverse proxy sets all of the X-Forwarded headers listed here by default, so you shouldn’t have to do anything on the Fly.io side to have them sent to your app. (The debug.fly.dev app echoes back all of the headers that it receives, so you can also see which headers are set there.)

I’m not familiar with Spring Boot or Vaadin, though, so unfortunately I can’t provide any advice about configuring your app to use these headers.

(One other thing to be aware of: the X-Forwarded headers can be overridden by clients. If this is undesirable or insecure for your app, then the Fly-Forwarded-Proto header has the same function as X-Forwarded-Proto but is not overridable.)
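A check for the app side of the question in this thread, added here as an example; it is not part of any reply above and not Fly.io, Spring or Vaadin code. It assumes the Spring Boot 3 servlet app from the original post and that `Fly-Forwarded-Proto` carries the edge scheme as the reply states. The package name, class name and log message are hypothetical.

```java
package com.example.proxycheck; // hypothetical package name

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.concurrent.atomic.AtomicBoolean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

/**
 * Warns once when the proxy says the client used HTTPS but the servlet
 * container still reports plain HTTP, i.e. forwarded headers are ignored.
 */
@Component // Spring Boot registers Filter beans for all request paths
public class ForwardedProtoCheckFilter implements Filter {

    private static final Logger log =
            LoggerFactory.getLogger(ForwardedProtoCheckFilter.class);
    // Header named in the reply above; unlike X-Forwarded-Proto, clients cannot override it.
    private static final String EDGE_PROTO_HEADER = "Fly-Forwarded-Proto";
    private final AtomicBoolean warned = new AtomicBoolean(false);

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest http) {
            boolean edgeWasHttps = "https".equalsIgnoreCase(http.getHeader(EDGE_PROTO_HEADER));
            // getScheme()/isSecure() are what redirects and absolute URLs are built from.
            if (edgeWasHttps && !http.isSecure() && warned.compareAndSet(false, true)) {
                log.warn("{} is https but the app sees scheme '{}': forwarded headers are not "
                        + "applied; consider server.forward-headers-strategy=native (or framework)",
                        EDGE_PROTO_HEADER, http.getScheme());
            }
        }
        chain.doFilter(request, response);
    }
}
```

If the warning shows up in the logs after a deploy, the app side is not applying the proxy's headers, which matches the `http://` URL in the mixed-content error. `server.forward-headers-strategy` is a Spring Boot property set in `application.properties`; once it is set and the warning stops, the filter can be removed.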
