  1. Felix
  2. FELIX-3693

Filter for servers running behind a SSL-endpoint proxy


Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • http-2.2.0
    • http-2.2.1
    • HTTP Service
    • None

    Description

      Problem: An OSGi-based application (e.g. an Apache Sling instance) operates behind an HTTP proxy. Clients contact the proxy with HTTPS (SSL) while the proxy contacts the application over plain HTTP. The information that the client is using HTTPS/SSL is lost along the way.

      From the POV of the application all requests are not secured since the ServletRequest.isSecure() method always returns false.

      This creates some trouble particularly when sending absolute links (including the scheme) or redirects back to the client. Another issue is cookies which should be set to "secure" if the client is using HTTPS.

      The general concept is as follows:

      (1) The proxy is configured to set a request header when being the SSL endpoint (talking SSL to clients and talking plain HTTP to application) for the application to act as if handling a secure request:
      (1a) X-Forwarded-SSL: on (see Making HTTPS Redirects Work With a Reverse Proxy at http://www.turbogears.org/1.0/docs/Install/RedirectHttpsRequests.html)
      (1b) Optionally set other headers to provide the cipher_suite, key_size, and ssl_session_id. If the proxy is not able to derive these values, the information just cannot be provided, which is not problematic

      (2) A servlet filter is implemented to act upon the headers provided by the proxy, creating a request wrapper as follows:
      (2a) overwrite ServletRequest.getScheme, ServletRequest.isSecure, HttpServletRequest.getRequestURL to indicate HTTPS
      (2b) Set the request attributes defined by the Servlet API spec if the respective information is available from the dispatcher. Otherwise the attributes remain undefined

      This issue is about implementing the second part as a servlet filter to support a proxy configured as described in the first part.
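
A sketch of the filter described in (2), added here as an example; it is not the code attached to this issue or shipped by Felix. The class names and the `X-Forwarded-SSL-Cipher` header are hypothetical, and it assumes the proxy strips or overwrites any client-supplied copy of these headers and that the application port is reachable only from the proxy, since otherwise any client could mark its own plain-HTTP request as secure.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example (hypothetical names), not the Felix HTTP Service implementation.
public class SslOffloadFilter implements Filter {
    static final String SSL_HEADER = "X-Forwarded-SSL";           // header from (1a)
    static final String CIPHER_HEADER = "X-Forwarded-SSL-Cipher"; // hypothetical header for (1b)

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Only the exact value the proxy is configured to send marks the request as secure.
            if ("on".equalsIgnoreCase(http.getHeader(SSL_HEADER))) {
                String cipher = http.getHeader(CIPHER_HEADER);
                if (cipher != null) {
                    // (2b) attribute name defined by the Servlet API spec; left undefined if unknown
                    http.setAttribute("javax.servlet.request.cipher_suite", cipher);
                }
                req = new SecureRequest(http);
            }
        }
        chain.doFilter(req, res);
    }

    // (2a) request wrapper reporting HTTPS for scheme, isSecure and the request URL
    static final class SecureRequest extends HttpServletRequestWrapper {
        SecureRequest(HttpServletRequest request) { super(request); }

        @Override public String getScheme() { return "https"; }
        @Override public boolean isSecure() { return true; }

        @Override public StringBuffer getRequestURL() {
            // Assumes the proxy preserves the client's Host header; default ports are omitted.
            StringBuffer url = new StringBuffer("https://").append(getServerName());
            int port = getServerPort();
            if (port != 80 && port != 443) url.append(':').append(port);
            return url.append(getRequestURI());
        }
    }
}
```

With the wrapper in place, redirects and absolute links built from `getScheme()` or `getRequestURL()` carry `https`, and code that checks `isSecure()` before setting the cookie "secure" flag sees `true`.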

            People

              fmeschbe Felix Meschberger