Continuing this from Matrix:
The browser will prevent all requests to insecure sites (http) when you acces the frontend via https but not the api. To solve this, you must make the frontend and api available via https.
Since you’re hosting Vikunja in the “classic” wvay, you’ll need an nginx config similar to this (adopted from the example in the docs:
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml;
server {
listen 443 ssl http2;
listen [::]:443;
server_name DOMAIN.com;
ssl_certificate /opt/bitnami/nginx/conf/bitnami/certs/server.crt;
ssl_certificate_key /opt/bitnami/nginx/conf/bitnami/certs/server.key;
location / {
root /path/to/vikunja/static/frontend/files;
try_files $uri $uri/ /;
index index.html index.htm;
}
location ~* ^/(api|dav|\.well-known)/ {
proxy_pass http://localhost:3456;
client_max_body_size 20M;
}
}
I would focus on getting the reverse proxy configuration to work first so that the Vikunja frontend is available at http://YOURDOMAIN and the api is available at http://YOURDOMAIN/api/v1/info. Then focus on tls termination. It might be the easiest to use certbot for that.