Fixing Mixed Content Issues in OnlyOffice: Forcing HTTPS for All Requests

kerbymart · 24 February 2025 06:08

I’m running a local OnlyOffice Workspace installation and making it publicly accessible through a tunnel (via pangolin). While the main site is reachable over HTTPS, the editor fails to load because the OnlyOffice SDK seems to be requesting a non-HTTPS (HTTP) endpoint, leading to a Mixed Content error.

I’m trying to figure out what might be causing these HTTP requests. Is there a configuration option—either in OnlyOffice or on the server side—that can force HTTPS usage for all requests? If anyone has encountered a similar issue or knows how to configure OnlyOffice to strictly use HTTPS.

sdk-all-min.js:543 Mixed Content: The page at 'https://onlyoffice-workspace.<TUNNEL_DOMAIN>/Products/Files/DocEditor.aspx?fileid=4' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<SUBDOMAIN>.<TUNNEL_DOMAIN>/ds-vpath/cache/files/data/Vhk5wuA…&shardkey=VhkSwuAgFPO8Emav1hDKsEsPOdykuUA123Rzvc1xGU8_&filename=Editor.bin'. This request has been blocked; the content must be served over HTTPS.
Ya @ sdk-all-min.js:543

Additional issues encountered: |

Access to manifest at 'https://proxy.<TUNNEL_DOMAIN>/auth/resource/1?redirect=https%3A%2F%2Fonlyoffice-workspace.portpunch.lol%2Fmanifest.json' (redirected from 'https://onlyoffice-workspace.<TUNNEL_DOMAIN>/manifest.json') from origin 'https://onlyoffice-workspace.<TUNNEL_DOMAIN>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Alexandre · 24 February 2025 07:17

Hello @kerbymart
It seems that the issue is related to your network settings, I’ve posted a link to proxy config samples (Exposing a behind-NAT OnlyOffice Workspace Service via SSH reverse tunnel - #2 by Alexandre) in your another thread, I hope it can be useful with pangolin. Unfortunately, we haven’t tested pangolin to share ready-to-go solution.

kerbymart · 24 February 2025 08:56

Hi, I saw the guide and it looks promising. However, I installed OnlyOffice Workspace using the script with DEB packages. I already configured Pangolin to forward the HTTP with the traefik config:

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
    add-x-forwarded-proto:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: https

Even with this setup, the OnlyOffice (backend) doesn’t serve HTTPs URLs, still having the Mixed-Content issue. Which OnlyOffice Workspace logs should I check to see if they are being hit with the correct headers?

Alexandre · 27 February 2025 08:49

Sadly, we don’t have ready-to-go traefik config for Workspace, but probably this headers might change the situation:

      - "traefik.http.routers.ds-web.middlewares=onlyoffice-headers"
      - "traefik.http.middlewares.onlyoffice-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.onlyoffice-headers.headers.accessControlAllowOrigin=*"

Please try it and let us know the result.

fuser · 22 March 2025 07:26

The solution for me was to add the X-Forwarded-Proto header. The accessControlAllowOrigin header seems not be necessary.

kerbymart · 27 March 2025 14:08

How do you configure Traefik if OnlyOffice Workspace was installed through the script and not Docker?

Alexandre · 31 March 2025 15:01

Unfortunately, there’s no ready-to-go config sample for the workspace. However, the mentioned headers might be useful, and the installation type shouldn’t affect the situation. Please let us know the result.