Cannot upload annotation - Content must be served over HTTPS

[hyfung]

My actions before raising this issue

• Read/searched the docs
• Searched past issues

Same issue in
#6078

Steps to Reproduce (for bugs)

• I have an annotation XML that I wish to upload
• Refer to bottom for console logs

Expected Behaviour

• Expect the upload to be targeting HTTPS instead of HTTP

Current Behaviour

Mixed Content Error, upload failure

Possible Solution

CVAT shouldve send PATCH to HTTPS instead of HTTP endpoint

Context

Your Environment

• Git hash commit (git log -1):

commit 520d219f3ef1e39b08c8ce0d5da6f4e4f54c2f79 (HEAD -> develop, origin/develop, origin/HEAD)
Author: Andrey Zhavoronkov <andrey@cvat.ai>
Date:   Fri Jun 2 18:40:28 2023 +0300

    Updated CHANGELOG for v2.5.0 (#6234)

• Docker version docker version (e.g. Docker 17.0.05):

Client: Docker Engine - Community
 Version:           24.0.2
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        cb74dfc
 Built:             Thu May 25 21:51:00 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.2
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       659604f
  Built:            Thu May 25 21:51:00 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

• Are you using Docker Swarm or Kubernetes? No
• Operating System and version (e.g. Linux, Windows, MacOS): Ubuntu 22.04
• Code example or link to GitHub repo or gist to reproduce problem:
• Other diagnostic information / logs:

Mixed Content: The page at 'https://cvat.XXXXXXXXx.com/tasks?page=1' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://cvat.XXXXXXXXx.com/api/tasks/1234/annotations/1xxxxxxxxxd26'. This content should also be served over HTTPS.

Access to XMLHttpRequest at 'http://cvat.xxxxxxxxxx.com/api/tasks/1234/annotations/13xxxxxxxxxx5a-85848bd4dd26' from origin 'https://cvat.xxxxxxxxxxxx.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

[azhavoro]

#6201 (comment)

[hyfung]

@azhavoro We are not using AWS ALB
Everything is stock on CVAT, we enabled Traefik (from CVAT) to act as our proxy
But let me try to enable the proxy forward as stated in 6201

[hyfung]

Added these lines in the docker-compose.https.yml and hope it works

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls.certresolver=lets-encrypt
      - traefik.http.middlewares.https-redirect.headers.customrequestheaders.X-Forwarded-Proto=https

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt
      - traefik.http.middlewares.https-redirect.headers.customrequestheaders.X-Forwarded-Proto=https

[hyfung]

The problem is CVAT is trying to upload annotation to an endpoint without HTTPS and it was blocked by the browser

It is something CVAT should fix, when HTTPS is enabled on server,

[azhavoro]

The problem appeared in CVAT itself only in version 2.4.6, you are using an older version which is not affected.
Traefik sets the header by default https://doc.traefik.io/traefik/getting-started/faq/#what-are-the-forwarded-headers-when-proxying-http-requests, you don't need to do this explicetly.
I see only 2 possibilities:

• you are using a reverse proxy between a browser and traefik which doesn't set this header
• you are using the 2.4.6 release (for v2.4.6, please wait when the fix is merged Fixed x-forwarded-proto header (No need to set the header explicitly, as it is set by Traefik). #6308)