Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Jetty 12 return wrong Host header?

Hi,

I have seen the same after upgrading my project to Java 12. The problem is that all Customizers are not able to correctly set the port number.

This is a blocker issue, because it makes it impossible to setup this common setup:

  • NGINX as user facing web server with HTTPS enabled
  • NGINX forwarding the requests to jetty listen only on localhost with some arbitrary port number (in my case 8081). NGINX sets the following headers: X-Forwarded-For, X-Forwarded-Proto, original "Host" header as sent by client (no rewriting)
  • Jetty with: http_config.addCustomizer(new ForwardedRequestCustomizer());
  • Jetty 10 works fine it reads the clien't IP address and all other information from X-Forwarded-For, the scheme is read from X-Forwarded-Proto, and host header is coming from "Host" header. It also extracts the port number from the host.
  • Jetty 12 is setup in same way, it successfully extracts the client's IP address and also it returns secure=true and uses "https://" for javax.servlet.HttServletRequest#getRequestURL(). But it always adds its own private port number. I also tried to use setForcedHost("xyz:443") to make sure it sees a port number. It still constructs all URLs with port number 8081 where it listens on.

I will open a bug report. From my experience the "customize()" method in the RequestCustomizer does everything right also also returns the port number, but the javax.servlet API seems to still use the port number used by the connector's channel.

I reverted back to Jetty 10. This won't work here. If you have any suggestion to get the port corrcet, tell me, everything like subclassing and implementing my own cutsomizer did not work. I was not able to debug through everything and figure out where the listener port gets injected again.

I can say: With current status Jetty 12 is unuseable with the common proxy setup using ForwardedRequestCustomizer as it tried to always inject its own hidden/private port number instead of the default for the port as negotiated by client/proxy with the Host header.

Uwe

Am 11.08.2023 um 13:50 schrieb Silvio Bierman via jetty-users:
Additional info:

I now remember this came up in the past with the introduction of Jetty 10 (I think, could be 9) and this could be resolved with

httpConfig.addCustomizer(new HostHeaderCustomizer)

This is still in my embedding code. I have tried both with and without the customizer but the behavour is the same.



On 11-08-2023 13:34, Silvio Bierman via jetty-users wrote:
Hello all,

I have encountered what I think is a bug in Jetty 12 but I would like to check here if that is actually true.

I use port forwarding to forward HTTP requests from port 443 to 8443. Requests arrive at the default port without an explicit port number in the URL so

request.getRequestURL().toString

does not show a port number. But

request.getHeader("Host")

returns the host name including the port number. This makes it impossible to distinguish requests with explicit ports from requests without these. Jetty 11 does not show this same behaviour.

Cheers,

Silvio

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users 
-- 
Uwe Schindler
uschindler@xxxxxxxxxx 
ASF Member, Member of PMC and Committer of Apache Lucene and Apache Solr
Bremen, Germany
https://lucene.apache.org/
https://solr.apache.org/

Back to the top