Not able to upload annotations on a https end point

[NarenZen]

When I upload annotations zip, I get the below error

Mixed Content: The page at 'https://cvat01.myprezent.com/tasks/4' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://cvat01.myprezent.com/api/tasks/4/annotations/1e890edc-d32f-494c-96cc-6935ce828501'. This request has been blocked; the content must be served over HTTPS.
(anonymous) @ cvat-ui.c901a1e9f80749471ab0.min.js:2
cvat-ui.c901a1e9f80749471ab0.min.js:2 Error: tus: failed to upload chunk at offset 0, caused by [object ProgressEvent], originated from request (method: PATCH, url: http://cvat01.myprezent.com/api/tasks/4/annotations/1e890edc-d32f-494c-96cc-6935ce828501, response code: n/a, response text: n/a, request id: n/a).

[bsekachev]

@NarenZen

Please, provide a version of CVAT you are using and commit hash.

[bsekachev]

I will close the issue, please do not hesitate to reopen if you can provide the requested information

[NarenZen]

Latest code., which is there on github

…

On Thu, 25 Aug, 2022, 6:47 pm Boris Sekachev, ***@***.***> wrote: @NarenZen <https://github.com/NarenZen> Please, provide a version of CVAT you are using and commit hash. — Reply to this email directly, view it on GitHub <#4843 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASVWSO72HSEBEGZQUEG5AJTV25W75ANCNFSM57S6E3FQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[loidy]

I have the same problem

[gumshoes]

Same issue with 2.2.0, unfortunately this makes CVAT difficult to host behind HTTPS.
For now I have resorted to hosting HTTPS for users that don't do any uploads and a special entry point over HTTP on a VPN for users that have to do uploads.
Anyone have a better solution?

[bsekachev]

On https://app.cvat.ai we have https protocol and everything works fine there, so, need to understand where specifics are.
So, please provide as many details as possible, including exact git hash as I asked before..

[azhavoro]

@gumshoes If you have deployed CVAT behind a reverse proxy, make sure your proxy is correctly forwarding the X_FORWARDED_PROTO header, this header is required for CVAT to determine the correct protocol.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

[loidy]

@azhavoro we are using nginx reverse proxy with proxy_set_header X-Forwarded-Proto "https"; set and it still doesn't work

[azhavoro]

@loidy Ok, please add --log.level=DEBUG to other command arguments here https://github.com/opencv/cvat/blob/develop/docker-compose.yml#L162, restart with docker compose up -d and try to upload file. Atfter dump logs with docker logs traefik > traefik.log and attach here.

[gumshoes]

My setup is CVAT deployed via the Helm in git running in AWS EKS cluster with ingress provided by Traefik and an AWS NLB that does the SSL termination.
The browser error is:
Mixed content: The Page at 'https://<REDACTED>/projects?page=1' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<REDACTED>/api/projects/backup/<UUID>'. This request has been blocked; the content must be served over HTTPS.

[jakiro2017]

Hello I found out the reason was traefik rewrite the header, if not trust the reverse proxy in front of it.

TLDR:
add "- --entryPoints.web.forwardedHeaders.trustedIPs=ip_proxy/mask" to traefik in docker-compose.yml

Ref:
traefik/traefik#5551

[jevansbio]

I have this issue when trying to upload files as well with cvat running on https.

[azhavoro]

I believe that the cause and solution have been found, the issue can be closed
@jevansbio try this #4843 (comment)

[jevansbio]

I had tried it, but it didn't work as in my case the request never actually hit traefik, the browser seemed to change it and block before it got anywhere. I fixed it by adding:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />

To the header of the template.

[baudneo]

Hi, I am experiencing the same. I will try both methods and report back.

I use CloudFlare and CloudFlare tunnels to proxy to cvat.

Thanks @azhavoro for pointing me towards a fix!

[baudneo]

Adding CloudFlare ips to the traefik command worked for me.

- '--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22'

[Fred-Erik]

This doesn't work anymore in the newest CVAT. Turns out that if you set a flag for traefik in docker-compose.yaml it disables the other settings, which CVAT now sets using environment variables. So do apply this fix in the latest CVAT, add the following line under traefik -> environment:

TRAEFIK_ENTRYPOINTS_web_FORWARDEDHEADERS_TRUSTEDIPS: <my proxy ips>