Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-users] ForwardedRequestCustomizer and Request.recycle()

Hi all.

I'm working on some strange behaviour that we're seeing with Jetty 9.0.6
behind a reverse proxy, which sets X-Forwarded-Proto to "http" or
"https", which is picked up by the default ForwardedRequestCustomizer to
set the scheme on the Request object. So far, this is working fine,
although terminating HTTPS on the reverse proxy feels a bit dodgy.

However, we're having random and hard to reproduce problems where a
request seems to get stuck as secure, even when X-Forwarded-Proto is
"http". Correct me if I'm wrong, but it looks like this is happening:

- The Request object's secure flag is set to true when X-Forwarded-Proto
is "https".

- After the request is handled, the recycle() method is called, but in
9.0.6 the secure flag is not changed.

- The next HTTP request on the channel has X-Forwarded-Proto set to
"http", but ForwardedRequestCustomiser doesn't set the secure flag back
to false either.

Am I missing something, or should either recycle() or
ForwardedRequestCustomiser be resetting the secure flag?

  Carey Evans

Back to the top