OAS DV embed fails behind HTTPS WAF due to mixed content (HTTP JS includes)

Ganim Altiok

Hello,

I have Oracle Analytics Server (OAS) where a DV workbook is embedded into an OAS dashboard.

Everything works fine when accessing OAS directly via http://server:9502.

We placed a WAF in front of OAS and now access it via an HTTPS URL.

The WAF terminates HTTPS and forwards traffic to OAS over HTTP (9502).

OAS itself has no SSL configured.

When accessing the dashboard through the HTTPS WAF URL, the DV embed fails due to mixed content errors:

• The page is loaded over HTTPS
• embedding.js generates HTTP URLs for additional JS resources
• Browsers block these HTTP includes

It seems OAS generates resource URLs based on its internal HTTP protocol, not the external HTTPS request.

Questions:

• Is there a supported way to tell OAS it is behind an HTTPS reverse proxy / WAF?
• Can OAS be configured to always generate HTTPS URLs for DV embedded resources?

Thanks in advance.

Gianni Ceresa

Hi,

Did you configure your WAF with the extra headers to let OAS know it is acting as ssl offloading proxy in front of your OAS?

Typically the header "WL-Proxy-SSL" with a value of "true" should be used to tell OAS that your proxy (your WAF) is doing the SSL job and terminate the SSL connection there.

If you didn't configure your OAS to be used with a proxy in front, you can find all the steps required, including the handling of the SSL that you are facing, in https://support.oracle.com/support/?anchorId=&kmContentId=2852206&page=sptemplate&sptemplate=km-article