Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(Self Hosted) Annotation Download Fails Over HTTPS (but over http it works fine) #9057

Closed
osman-goni-cse opened this issue Feb 5, 2025 · 5 comments
Closed

(Self Hosted) Annotation Download Fails Over HTTPS (but over http it works fine) #9057

osman-goni-cse opened this issue Feb 5, 2025 · 5 comments
Labels
need info Need more information to investigate the issue

Comments

@osman-goni-cse
Copy link

Story
When attempting to download a dataset in my CVAT deployment, a new tab briefly opens and closes without downloading anything. The issue seems to be related to mixed content, where CVAT is running over HTTPS, but dataset download URLs are served over HTTP. Modern browsers block such downloads for security reasons.

"File not downloaded: Potential security risk.
The download is offered over HTTP even though the current document was
delivered over a secure HTTPS connection. If you proceed, the download may be
corrupted or tampered with during the download process.
You can search for an alternate download source or try again later."

In Chrome I don't even have an option to download it; it fails silently.

Expected Behavior
The dataset should download successfully over HTTPS without any browser blocking issues.

What I've Tried
Modified nginx.conf to add:
proxy_set_header X-Forwarded-Proto $scheme;
but the issue persists.
@azhavoro
Copy link
Contributor

azhavoro commented Feb 5, 2025

Please provide the exact steps to reproduce, it's not clear from the description how SSL termination is configured

@azhavoro azhavoro added the need info Need more information to investigate the issue label Feb 5, 2025
@osman-goni-cse
Copy link
Author

Please provide the exact steps to reproduce, it's not clear from the description how SSL termination is configured

To reproduce, you must deploy cvat on a self-hosted VM and use a custom domain in CVAT_HOST instead of IP. After that create a task and annotate images and export annotations. Then try to download it. In Chrome browser when you click on download it opens a new tab and closes it immediately but in Firefox it shows the above error. When I allow download, the zip file is corrupted and I can't extract the file.

But everything works fine when I change the URL scheme from https://.com to http://.com

@azhavoro
Copy link
Contributor

azhavoro commented Feb 6, 2025

But how did you configure SSL termination?

@osman-goni-cse
Copy link
Author

But how did you configure SSL termination?

I didn't configure any SSL termination. Could you please help me with how to do that?

@azhavoro
Copy link
Contributor

azhavoro commented Feb 6, 2025

Ok, if you have not configured CVAT to work over https, I guess this behavior is expected.

Letsencrypt: https://docs.cvat.ai/docs/administration/basics/installation/#deploy-secure-cvat-instance-with-https
custom certs: https://docs.cvat.ai/docs/administration/advanced/custom_certificates/

@azhavoro azhavoro closed this as completed Feb 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
need info Need more information to investigate the issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@azhavoro @osman-goni-cse