cvat
Not able to upload annotations on an HTTPS endpoint
When I upload an annotations zip, I get the below error:
Mixed Content: The page at 'https://cvat01.myprezent.com/tasks/4' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://cvat01.myprezent.com/api/tasks/4/annotations/1e890edc-d32f-494c-96cc-6935ce828501'. This request has been blocked; the content must be served over HTTPS.
(anonymous) @ cvat-ui.c901a1e9f80749471ab0.min.js:2
cvat-ui.c901a1e9f80749471ab0.min.js:2 Error: tus: failed to upload chunk at offset 0, caused by [object ProgressEvent], originated from request (method: PATCH, url: http://cvat01.myprezent.com/api/tasks/4/annotations/1e890edc-d32f-494c-96cc-6935ce828501, response code: n/a, response text: n/a, request id: n/a).
@NarenZen
Please, provide a version of CVAT you are using and commit hash.
I will close the issue, please do not hesitate to reopen if you can provide the requested information
Latest code, which is there on GitHub.
On Thu, 25 Aug, 2022, 6:47 pm Boris Sekachev, @.***> wrote:
@NarenZen https://github.com/NarenZen
Please, provide a version of CVAT you are using and commit hash.
I have the same problem
Same issue with 2.2.0, unfortunately this makes CVAT difficult to host behind HTTPS. For now I have resorted to hosting HTTPS for users that don't do any uploads and a special entry point over HTTP on a VPN for users that have to do uploads. Anyone have a better solution?
On https://app.cvat.ai we have the HTTPS protocol and everything works fine there, so we need to understand where the specifics are.
So, please provide as many details as possible, including the exact git hash, as I asked before.
@gumshoes If you have deployed CVAT behind a reverse proxy, make sure your proxy is correctly forwarding the X_FORWARDED_PROTO header, this header is required for CVAT to determine the correct protocol. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
@azhavoro we are using nginx reverse proxy with proxy_set_header X-Forwarded-Proto "https"; set and it still doesn't work
@loidy Ok, please add --log.level=DEBUG to other command arguments here https://github.com/opencv/cvat/blob/develop/docker-compose.yml#L162, restart with docker compose up -d and try to upload file. After that, dump logs with docker logs traefik > traefik.log and attach here.
My setup is CVAT deployed via the Helm in git running in AWS EKS cluster with ingress provided by Traefik and an AWS NLB that does the SSL termination.
The browser error is:
Mixed content: The Page at 'https://<REDACTED>/projects?page=1' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<REDACTED>/api/projects/backup/<UUID>'. This request has been blocked; the content must be served over HTTPS.
Hello, I found out the reason was that traefik rewrites the header if it does not trust the reverse proxy in front of it.
TLDR: add "- --entryPoints.web.forwardedHeaders.trustedIPs=ip_proxy/mask" to traefik in docker-compose.yml
Ref: https://github.com/traefik/traefik/issues/5551
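The trust decision described in the comment above, as an added example that is not part of the original thread and is not Traefik or CVAT code: a simplified Python model of why an untrusted front proxy leads to an http:// upload URL and a mixed-content block. The host name, path and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values, not taken from any real deployment.
PAGE = "https://cvat.example.test/tasks/4"
HOST = "cvat.example.test"
PATH = "/api/tasks/4/annotations/UPLOAD-ID"

def forwarded_proto(peer_ip, incoming_headers, trusted_cidrs, entrypoint_tls=False):
    """Keep X-Forwarded-Proto only when the directly connected peer is trusted."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(cidr, strict=False)
                  for cidr in trusted_cidrs)
    if trusted and "X-Forwarded-Proto" in incoming_headers:
        return incoming_headers["X-Forwarded-Proto"]
    # Untrusted peer: the supplied value is discarded and replaced with the
    # scheme of the connection this proxy itself accepted. This is what stops
    # an arbitrary client from asserting "https" on its own.
    return "https" if entrypoint_tls else "http"

def upload_url(proto, host=HOST, path=PATH):
    """Absolute URL the backend returns to the browser for the upload."""
    return f"{proto}://{host}{path}"

def is_mixed_content(page_url, request_url):
    """Browser rule from the error message: an HTTPS page may not XHR to http://."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(request_url).scheme == "http")

def simulate(peer_ip, trusted_cidrs):
    """The front proxy terminates TLS and forwards plain HTTP with the header set."""
    headers = {"X-Forwarded-Proto": "https"}
    url = upload_url(forwarded_proto(peer_ip, headers, trusted_cidrs))
    return url, is_mixed_content(PAGE, url)

if __name__ == "__main__":
    print(simulate("10.0.0.5", []))               # front proxy not trusted
    print(simulate("10.0.0.5", ["10.0.0.0/24"]))  # front proxy trusted
```

Keep the trusted list limited to the addresses of the proxy that actually terminates TLS, since any peer inside it can set the forwarded scheme the backend will believe.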
I have this issue when trying to upload files as well with cvat running on https.
I believe that the cause and solution have been found, the issue can be closed @jevansbio try this https://github.com/opencv/cvat/issues/4843#issuecomment-1414760683
I had tried it, but it didn't work as in my case the request never actually hit traefik, the browser seemed to change it and block before it got anywhere. I fixed it by adding:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
To the header of the template.
Hi, I am experiencing the same. I will try both methods and report back.
I use CloudFlare and CloudFlare tunnels to proxy to cvat.
Thanks @azhavoro for pointing me towards a fix!
Adding CloudFlare ips to the traefik command worked for me.
- '--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22'
This doesn't work anymore in the newest CVAT. Turns out that if you set a flag for traefik in docker-compose.yaml it disables the other settings, which CVAT now sets using environment variables. So to apply this fix in the latest CVAT, add the following line under traefik -> environment:
TRAEFIK_ENTRYPOINTS_web_FORWARDEDHEADERS_TRUSTEDIPS: <my proxy ips>