Chendi Xue

I am a Linux software engineer, currently working on Spark, Arrow, Kubernetes, Ceph, C/C++, etc.

Lessons Learned by ajax request http from https

10 Oct 2018 » Website


I have recently been building my Jekyll blog portal on GitHub. Since GitHub is static, and I still want to add some cool features that cannot simply be implemented with JavaScript inside the browser, I came up with this thought: can I make Ajax requests to my Amazon EC2 virtual machine to handle some dynamic requests?

And I have this image in my mind. [Image: From-Ajax-HTTP-From-HTTPS]

Then let’s consider this idea for a bit:

Existing conditions:

  • GitHub now uses the HTTPS protocol for hosting Pages sites, which means my browser is an HTTPS client.
  • It’s easy to host an HTTP server on EC2.

[IDEA 1]

Then I came up with a very naive idea: is it possible to make an Ajax request to an HTTP website from an HTTPS client?

The answer is NO! Requesting data from an HTTP site from a page loaded over HTTPS would downgrade the HTTPS website’s security level, so the browser blocks the request as mixed content. Reference

A live example:

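// Called from a page served over HTTPS. The target URL is plain HTTP,
// so the browser blocks the request and .done() never runs.
function get_subscribe_status() {
	$.ajax({
		url: "http://ec2-18-191-213-11.us-east-2.compute.amazonaws.com/subscribe_status",
		type: 'get',
		dataType: 'text'
	}).done(function(data) {
		// Show the server's reply in the subscribe status block.
		$("div.subscribe-block-status").text(data);
	});
}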



[IDEA 2]

OK, but since this is my own website, how about I simply downgrade my GitHub site to HTTP?

The answer is also NO!! From the GITHUB OFFICIAL HELP:

HTTPS enforcement is required for GitHub Pages sites using a github.io domain that were created after June 15, 2016. If you created your GitHub Pages site before June 15, 2016, you can manually enable HTTPS enforcement.

I closed my GitHub Pages site and re-opened it in 2018… Hmm… So I can’t downgrade it… [Sad Face]


[IDEA 3]

Hmm, but I can upgrade my EC2 site to provide HTTPS!! How about that?

The answer is YES for some people but NO for me….

First, it is possible to launch an HTTPS server on your own. All you need to do is use openssl to create a private key, then a certificate signing request (which carries the public key), and use the key to sign a certificate.

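# Private key, encrypted with a passphrase (-des3). 2048 bits is the current minimum for RSA; 1024-bit keys are considered too weak.
openssl genrsa -des3 -out server.key 2048
# Certificate signing request for that key.
openssl req -new -key server.key -out server.csr
# Self-sign the request with the same key; valid for 365 days.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt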

Then provide this key and certificate to your web server process.

But a self-signed certificate is just like a self-assigned job title: no one believes you, since the title is not authorized. [Image: browser server talk]

So, if I host an HTTPS website with a self-signed certificate, the browser will warn visitors and, even worse, if I browse such a site with my iPhone, Safari simply declines without asking…

And in order to have an AUTHORIZED SSL certificate, I need a domain name which is under my own control.

Since I registered a free-trial amazonaws account, I can’t have a domain name for my EC2 virtual machine. So this is a NO-WAY for me.


[IDEA 4]

I gave up and went to sleep, and while lying in bed, one question arose: do I have to use HTTP or HTTPS? Can I use a socket request? Or another protocol?

And, yes, there is another protocol called “websockets”.

But, to quote this link:

When the page is accessed through HTTP, you can use WS or WSS (WebSocket secure: WS over TLS) . However, when your page is loaded through HTTPS, you can only use WSS - browsers don’t allow to “downgrade” security. You can’t use WebSockets over HTTPS, but you can use WebSockets over TLS (HTTPS is HTTP over TLS).

Alright, then how about using a raw socket? I can’t find my reference, but it seems this is an experimental feature in many browsers, and I didn’t really try it…
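
The rule behind IDEA 1 and IDEA 4, as an added example (not code from the original post): a simplified model of the browser's mixed-content check for script-initiated requests, run over the endpoint from the live example. The function names, the placeholder page origin example.github.io and the /socket paths are assumptions, and the loopback exception follows the W3C Secure Contexts spec rather than any one browser.

```javascript
// Added example: simplified model of the browser's mixed-content rule for
// script-initiated requests (XHR/fetch/WebSocket). Names are hypothetical.
const TLS_SCHEMES = new Set(["https:", "wss:"]);
const UPGRADE = { "http:": "https:", "ws:": "wss:" };

// Loopback targets count as potentially trustworthy in the W3C Secure
// Contexts spec; individual browsers differ, so treat this as an assumption.
function isLoopback(hostname) {
  return hostname === "localhost" || hostname === "[::1]" ||
    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

// Decide whether script on pageUrl may open a connection to targetUrl.
function checkRequest(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, page); // relative URLs inherit the page scheme
  if (!(target.protocol in UPGRADE) && !TLS_SCHEMES.has(target.protocol)) {
    throw new Error(`unsupported scheme in this model: ${target.protocol}`);
  }
  if (!TLS_SCHEMES.has(page.protocol)) {
    return { allowed: true, reason: "page itself is not served over TLS" };
  }
  if (TLS_SCHEMES.has(target.protocol)) {
    return { allowed: true, reason: "target is reached over TLS" };
  }
  if (isLoopback(target.hostname)) {
    return { allowed: true, reason: "loopback target" };
  }
  return { allowed: false,
    reason: `mixed content: serve the endpoint over ${UPGRADE[target.protocol]}` };
}

// Audit every endpoint a page calls; returns only the ones that get blocked.
function auditEndpoints(pageUrl, endpoints) {
  return endpoints
    .map((url) => ({ url, ...checkRequest(pageUrl, url) }))
    .filter((r) => !r.allowed);
}

// Constructed sample: the page origin is a placeholder; the first endpoint is
// the one from the post's live example, the /socket paths are made up.
const PAGE = "https://example.github.io/blog/";
const ENDPOINTS = [
  "http://ec2-18-191-213-11.us-east-2.compute.amazonaws.com/subscribe_status",
  "ws://ec2-18-191-213-11.us-east-2.compute.amazonaws.com/socket",
  "wss://ec2-18-191-213-11.us-east-2.compute.amazonaws.com/socket",
  "/assets/data.json",
];
for (const r of auditEndpoints(PAGE, ENDPOINTS)) console.log(r.url, "->", r.reason);
```

Running it with Node lists the http:// and ws:// endpoints as blocked; the wss:// endpoint and the relative path pass.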


In the end, I gave up, but I think all the info I gathered was worth my time, so I want to share my experience here.

Bye!
