I want to enforce HTTPS for a Spring Boot application to be hosted at Pivotal CloudFoundry, and I think most of the applications would want this today. The common way of doi
Normally, when you push a WAR file to Cloud Foundry, the Java build pack will take that and deploy it to Tomcat. This works great because the Java build pack can configure Tomcat for you and automatically include a RemoteIpValve, which is what takes the x-forwarded-* headers and reconfigures your request object.
If you're using Spring Boot and pushing as a JAR file, you'll have an embedded Tomcat in your application. Because Tomcat is embedded in your app, the Java build pack cannot configure it for the environment (i.e. it cannot configure the RemoteIpValve). This means you need to configure it. Instructions for doing that with Spring Boot can be found here.
If you're deploying a web application as a JAR file but using a different framework or embedded container, you'll need to look up the docs for your framework / container and see if it has automatic handling of the x-forwarded-* headers. If not, you'll need to manually handle that, like the other answers suggest.
Requests forwarded by the load balancer will have an HTTP header called x-forwarded-proto set to https or http. You can use this to affect the behavior of your application with regard to SSL termination.
You need to check the x-forwarded-proto header. Here is a method to do this.
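    import javax.servlet.http.HttpServletRequest;

    // Returns true only when the load balancer reports that the original request used HTTPS.
    public boolean isSecure(HttpServletRequest request) {
        String protocol = request.getHeader("x-forwarded-proto");
        if (protocol == null) {
            // Header missing: treat the request as not secure.
            return false;
        } else if (protocol.equals("https")) {
            return true;
        } else {
            return false;
        }
    }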
Additionally, I have created an example servlet that does this as well. https://hub.jazz.net/git/jsloyer/sslcheck
git clone https://hub.jazz.net/git/jsloyer/sslcheck
The app is running live at http://sslcheck.mybluemix.net and https://sslcheck.mybluemix.net.