Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Solr admin UI redirecting root path requests to http instead of https
Shawn,

I think you may have a solution now, but I'll just answer any outstanding questions just in case.

To turn on relative redirects, you need to set the property `jetty.httpConfig.relativeRedirectAllowed=true`, which can be done on the command line or better yet in the server.ini file.

The example you sent without a proxy is exactly correct behaviour as the Host header sent is used for the non relative redirection.  As you have discovered, either the Host header must be the original from the client OR the ForwardedRequestCustomizer must be used to pass over the same information.

So I think it is worthwhile to correctly configure your proxy anyway, as that reduces the possibility of anything else leaking your internal IP addresses..... and then configure relative redirects anyway so you have defence in depth.

cheers

 

On Wed, 25 May 2022 at 02:31, Shawn Heisey <eclipse@xxxxxxxxxxxx> wrote:
On 5/24/22 02:03, Greg Wilkins wrote:
> To say more, we'd need to see the headers of the request arriving at
> the proxy and then arriving at jetty.... but my money is on their
> proxy being configured to rewrite the host header.

I was able to duplicate the issue, and I did not have haproxy configured
to do any kind of rewriting.

This is what I get with a verbose curl:

https://paste.elyograg.org/view/e95b70a0

This is what haproxy logged for that request, showing a 302 response:

May 24 10:01:41 - haproxy[299524] 192.168.217.199:59602
[24/May/2022:10:01:41.656] solr~ be-solr/g8981 0/0/0/1/1 302 105 - -
--NI 1/1/0/0/0 0/0 "GET https://solr.elyograg.org:8983/ HTTP/2.0"

Where would I do HttpConfiguration.setRelativeRedirectAllowed(true)? 
That looks like Java code, and Jetty is not embedded.  This is the
jetty.xml in Solr 8.x:

https://gitbox.apache.org/repos/asf?p=lucene-solr.git;a=blob_plain;f=solr/server/etc/jetty.xml;h=e2f4ab095984aac27185a9879964862f9ba35d4d;hb=refs/heads/branch_8_11

I'm still digesting Uwe's reply.  To answer his question:  The proxy is
https, Solr is http.

The relevant parts of my haproxy config can be found at the link below. 
The commented lines in the frontend are how I worked around the issue in
haproxy -- handling root path redirect in haproxy rather than letting it
through to Solr:

https://paste.elyograg.org/view/b3b413c3

Thanks,
Shawn

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users


--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com

Back to the top