[jetty-users] jetty-9 behind apache reverse proxy with SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] jetty-9 behind apache reverse proxy with SSL

From: Piotr Morgwai Kotarbinski <spam1@xxxxxxxxxx>
Date: Sun, 28 Dec 2014 05:17:33 +0700
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0

Hello all,
So far I've been using jetty-8 behind apache reverse proxy with SSL and
it's been working fine. I've been trying to switch to jetty-9 recently,
but I couldn't find an easy way to configure it to make use of
"X-Forwarded-Proto: https" header.
My apache virtual host config looks like this:

<VirtualHost *:443>
	SSLEngine on
(...)
	ProxyRequests Off
	ProxyVia Off
	ProxyPreserveHost On
	AllowEncodedSlashes NoDecode
	RequestHeader set X-Forwarded-Proto https
	RequestHeader set X-Forwarded-Port 443
	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>
	<Location /test>
		ProxyPass http://localhost:8666/test nocanon
	</Location>
(...)
</VirtualHost>

In jetty-8 I was adding
<Set name="forwarded">true</Set>
directive to SelectChannelConnector in jetty.xml as described here:
https://wiki.eclipse.org/Jetty/Tutorial/Apache
and here:
https://wiki.eclipse.org/Jetty/Howto/Configure_mod_proxy
and it all worked fine.
setForwarded is actually a method of AbstractConnector which is a base
class for SelectChannelConnector:
http://download.eclipse.org/jetty/stable-8/apidocs/org/eclipse/jetty/server/AbstractConnector.html#setForwarded(boolean)

However in jetty-9 this method is no longer present and I couldn't find
an easy way (except for some ugly rewriting rules) to tell jetty-9 that
it should be changing scheme to the one from X-Forwarded-Proto header.
As a result some of my applications don't work anymore (for example
gerrit among others) as they think they are accessed in an insecure way
via http and try to redirect to https. I've written a very simple
servlet to demonstrate what's going on:

	protected void service(
			HttpServletRequest request,
			HttpServletResponse response)
			throws ServletException, IOException {
		ServletOutputStream output = response.getOutputStream();
		output.println("secure: " + request.isSecure());
		output.println("scheme: " + request.getScheme());
	}

in jetty-8 the result was:

secure: true
scheme: https

but now in jetty-9 I get:

secure: false
scheme: http

So my question is what is the proper way in jetty-9 to make it use
X-Forwarded-Proto header just as it used to be done in jetty-8 with <Set
name="forwarded">true</Set> directive. Using rewriting rules seems like
an ugly and unnecessary complicated hack, so I hope that there's a
better way...

Many thanks

  Morgwai

Follow-Ups:
- Re: [jetty-users] jetty-9 behind apache reverse proxy with SSL
  - From: Joakim Erdfelt

Prev by Date: [jetty-users] spring jetty prob NoSuchBeanDefinitionException: No bean named 'webappprovider' is defined
Next by Date: [jetty-users] Forwarding HTTPS requests to a secondary proxy?
Previous by thread: [jetty-users] spring jetty prob NoSuchBeanDefinitionException: No bean named 'webappprovider' is defined
Next by thread: Re: [jetty-users] jetty-9 behind apache reverse proxy with SSL
Index(es):
- Date
- Thread

Breadcrumbs