
Resource embedded through an HTTP URL 301 permanently redirected to an HTTPS one

Now I have a website, running on Ubuntu and nginx.

http://www.huangwenchao.com.cn

And I have just installed an SSL certificate on it:

server {
    listen 80;
    server_name www.huangwenchao.com.cn huangwenchao.com.cn;
    rewrite ^/(.*)$ https://www.huangwenchao.com.cn/$1 permanent;
}

server {
    listen 443;
    root /var/www/huangwenchao;
    index index.php index.html index.htm;
    server_name www.huangwenchao.com.cn huangwenchao.com.cn;
    ssl on;
    ssl_certificate /home/ubuntu/ssl/mydomain.crt;
    ssl_certificate_key /home/ubuntu/ssl/mydomain.ssl.key;
}

That means when I request http from this domain, it is 301 permanently redirected to https.

And in the beginning, the browser (Chrome) told me that the page has some insecure images, videos and scripts, like below:

https://www.huangwenchao.com.cn/2013/11/427-3032.html

Some of the resources here are pointing to my own site, like an image with the link:

http://www.huangwenchao.com.cn/wp-content/uploads/2015/01/tortoisegit-diff.jpg

in this page: https://www.huangwenchao.com.cn/2015/01/git-patch.html


Question

So I'm wondering:

  1. What would happen when I embed a 301 redirected http resource in the page?
  2. After being redirected, should the resource be transferred under encryption?
  3. Is it safe in this case? Or may there be some other risk?

Teachers, please tell, thank you!

There is an "insecure content" warning if there is one or more resources loaded with HTTP, even if the resources are redirected to HTTPS. This makes sense because, if the visitor is under a man-in-the-middle attack (an attacker modifies the unencrypted resources), the attacker can send arbitrary code by changing an unencrypted (HTTP) resource like a script.

To avoid this warning, you have to make sure every resource in your page is loaded with HTTPS: scripts, style sheets, images, fonts, etc. For WordPress, be sure you have your website address beginning with "https://" and be sure all the images you add in your posts are loaded with HTTPS.

It is a good idea to redirect all the traffic to HTTPS with a 301 redirect as you did, because you are sure all your visitors browse with HTTPS (=with encryption). But you have to be sure of the quality of the HTTPS, else some visitors could be unable to access your website.

Some side notes: you can replace the rewrite rule with return 301 https://$host$request_uri; and I got a certificate error with your website; be sure you include the intermediary certificates. You can check the quality of the HTTPS on https://www.ssllabs.com/.
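
The following is an added example, not part of the original answer: a small scanner that lists the subresources an HTTPS page still requests over plain HTTP, which is what triggers the warning even when the server later answers with a 301 to HTTPS. The sample HTML is constructed, the cdn.example.com URLs are placeholders, and the active/passive split is the usual browser distinction between content that can run code and content that is only displayed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if not value:
                continue
            if tag == "link" and name == "href":
                # Only style sheets count; rel="icon" etc. are ignored here.
                if "stylesheet" not in (attrs.get("rel") or "").lower().split():
                    continue
                kind = "active"
            elif (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue  # e.g. <a href> is navigation, not a subresource
            # Resolve relative and protocol-relative URLs against the page.
            url = urljoin(self.page_url, value.strip())
            # The first request goes out unencrypted, redirect or not.
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

PAGE_URL = "https://www.huangwenchao.com.cn/2015/01/git-patch.html"
SAMPLE_HTML = """
<link rel="stylesheet" href="/wp-content/themes/x/style.css">
<script src="http://cdn.example.com/lib.js"></script>
<script src="//cdn.example.com/other.js"></script>
<img src="http://www.huangwenchao.com.cn/wp-content/uploads/2015/01/tortoisegit-diff.jpg">
<a href="http://www.huangwenchao.com.cn/">home</a>
"""  # constructed sample, using the image URL from the question

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two absolute http:// references are reported.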
