[lawl]

> I can, because I just converted a site to https, which had a combination of relative and absolute href and src parameters on it in a confused manner. This was combined with html embedded in table records.

Just add an upgrade-insecure-requests header to your webserver config, boom. No search and replacing needed.

https://www.w3.org/TR/upgrade-insecure-requests/

It's been added for exactly your usecase:

> Most notably, mixed content checking [MIX] has the potential to cause real headache for administrators tasked with moving substantial amounts of legacy content onto HTTPS. In particular, going through old content and rewriting resource URLs manually is a huge undertaking.

I mean, uh sure, I'll volunteer to move your sites to https, but I don't think giving a random dude on the internet root access to fix the webserver config is a good idea ;-)

[ozfive]

This site also had mixed content due to it using a forward proxy with ARR in IIS. Since ARR doesn't forward https requests it is truly turning into a mess. There isn't an option to just move it to another webserver as that would be it's own undertaking with the dynamic part of the site being ColdFusion.

> I mean, uh sure, I'll volunteer to move your sites to https, but I don't think giving a random dude on the internet root access to fix the webserver config is a good idea ;-)

In this point yeah I agree you don't want to let just random dudes have root access to a site. On the other hand I run my own legitimate consulting business and if you think about it. Every time I am winning over a new client for all intents and purposes I am just a random dude. :)

[lawl]

You can always just put an nginx in front of it to terminate TLS there. Sounds like a legacy mess nobody intends to maintain anymore anyways. Or hell, cloudflare them. Kinda pointless since you won't have TLS to the backend server, but the easiest "solution". I maintain that's it's possible to inject a header and terminate TLS however messy the system is within an hour.