Mixed-content error - https webhost, http ipfs gateway


I’m not sure why I’m getting this error and how to fix it. My React website is hosted using HTTPS. At some point I want to call an IPFS service that is hosted using HTTP. At the point where the website, which is now in my browser, calls IPFS, my browser complains of a mixed content error. I hope I am describing this correctly. The IPFS server and the webserver are on the same machine (just starting out). I never got this error when testing it and running it on my local machine.

The code we are using looks like this:

import { create } from 'ipfs-http-client'
const client = create(new URL('http://<mydomain>:5002'))
await client.add(<my json data>)

At this point my browser network will say that it’s mixed-content and will not allow me to call that function.

Can anyone point me to the right direction to fix this? I can’t seem to find any help online for 2 days.
Thanks in advance!

No pls, don’t do that. FYI, you are allowing everyone to access your IPFS node, and potentially do bad stuff like running malicious code on your node.

The API is private and must not be exposed publicly with authentication.

The mixed content is just because your website is https and you try to fetch an http resource.
In local it is fine because localhost is exempted from mixed content issues.

Thanks, I was able to redirect https:// using ProxyPass, anything from subdirectory api or ipfs to the localhost one that is serving the website.

I’m not sure what you mean by everyone can access it to run malicious code on my node? What should I do instead? Would redirecting only api and ipfs alleviate any risk of that? I’m not sure any node is willing to host the files people put on my website, so I need to be the leader having my own node to host them first, which means it needs to be accessible by anyone using the website. Any advice would be appreciated. Ty!

Create code that allows filtering what people do on your node. Or use a third-party service that has per-user sub keys, like web3.storage.

With your current setup, someone could maybe use the /api/v0/config/edit and the MFS to mount to something like /bin/ and replace your binaries with malicious executables. (Note that this is very unlikely and requires a badly set up server.)

On a more likely note (100% doable, doesn’t require a bad node setup), people can use the node to pin whatever content they want, remove other pinned content, shut it down, garble the config so it can’t run anymore, leak the private keys and DoS you in the DHT, …
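
One way to "filter what people do on your node", as an added example that is not part of the thread or any poster's code: a deny-by-default request check for a small Node.js proxy placed between the HTTPS site and the IPFS HTTP API. Assumptions: only uploads via /api/v0/add are meant to be public, the permitted query parameters and size limit are illustrative, and `forward` is a hypothetical function that relays the request to the API on localhost.

```javascript
// Added example. Deny-by-default: only what is listed here reaches the node.
const ALLOWED = new Map([
  // normalized path -> query parameters accepted (illustrative, adjust to your client)
  ['/api/v0/add', new Set(['pin', 'cid-version', 'progress', 'stream-channels'])],
]);
const MAX_BODY_BYTES = 1024 * 1024; // assumed upload limit: 1 MiB

// req needs { method, url, headers }, the shape of Node's http.IncomingMessage.
function decide(req) {
  if (req.method !== 'POST') return { allow: false, status: 405, reason: 'method not allowed' };
  let url;
  try {
    // Parsing resolves dot segments (also percent-encoded ones) before the lookup.
    url = new URL(req.url, 'http://placeholder.invalid');
  } catch {
    return { allow: false, status: 400, reason: 'bad url' };
  }
  const params = ALLOWED.get(url.pathname);
  if (!params) return { allow: false, status: 403, reason: 'endpoint not allowlisted' };
  for (const key of url.searchParams.keys()) {
    if (!params.has(key)) return { allow: false, status: 400, reason: 'parameter not allowed' };
  }
  const raw = req.headers['content-length'] || '';
  if (!/^\d+$/.test(raw)) return { allow: false, status: 411, reason: 'length required' };
  if (Number(raw) > MAX_BODY_BYTES) return { allow: false, status: 413, reason: 'too large' };
  // Forward the path that was checked, never the raw request target.
  return { allow: true, status: 200, path: url.pathname + url.search };
}

// Request handler for http.createServer(); forward(req, res, path) is hypothetical.
function makeHandler(forward) {
  return (req, res) => {
    const d = decide(req);
    if (d.allow) return forward(req, res, d.path);
    res.writeHead(d.status, { 'Content-Type': 'text/plain' });
    res.end(d.reason + '\n');
  };
}

// Constructed sample requests: one upload and calls like those named in the thread.
for (const url of ['/api/v0/add?pin=true', '/api/v0/config/edit', '/api/v0/pin/rm',
  '/api/v0/add/%2e%2e/shutdown']) {
  const d = decide({ method: 'POST', url, headers: { 'content-length': '120' } });
  console.log(url, '->', d.status, d.reason || 'forwarded');
}
```

The check limits which API calls get through, not who makes them, so anyone who can reach the proxy can still upload up to the size limit.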