Jetty / JETTY-628

The scheme is not forwarded when the matching connector is configured with "forwarded=true".

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.1.11
    • Fix Version/s: 7.0.0pre3, 6.1.12rc1
    • Component/s: HTTP
    • Labels:
      None
    • Environment:
      Windows Vista, JDK 6 Update 6
    • Patch Submitted:
      Yes
    • Number of attachments :
      2

      Description

      The scheme is not set when the "forwarded" parameter is set to true. The 'hostAddress' cannot contain the scheme information. For example, let us assume that there is a Front Server (reachable from outside via HTTPS) in front of Jetty running on another secured machine. If Jetty is accessed via HTTP, then there is no simple way to "forward" the scheme, too.

      The workaround is to write another rewrite handler rule. The attachment contains such an implementation. The configuration of this handler is very easy. The following XML snippet demonstrates its usage:

      <!-- Forward the scheme. -->
      <Call name="addRule">
        <Arg>
          <New class="org.mortbay.jetty.handler.rewrite.SchemePatternRule">
            <Set name="pattern">/*</Set>
            <Set name="scheme">https</Set>
          </New>
        </Arg>
      </Call>

      1. schemeheaderrule.diff
        12 kB
        Athena Yao
      2. SchemePatternRule.java
        1 kB
        Ervin Varga

        Activity

        Athena Yao added a comment -

        Any thoughts on using an X-Forwarded-$x header?

        One thing I see against my suggestion is that there doesn't seem to be a de facto standard for this, unlike X-Forwarded-For, etc. Apache uses X-Forwarded-Ssl; Mongrel uses X-Forwarded-Proto. On the other hand, it would be consistent with how other forwarded information (X-Forwarded-Host/For/Server) is set on the request (in AbstractConnector).

        Athena Yao added a comment -

        Ervin,

        I've adapted the class you wrote to match against header values from the forwarded request, instead of request paths. (The front-end server would have to set a custom header in order to let Jetty know the forwarded scheme)

        Sample usage:

        <Call name="addRule">
          <Arg>
            <New class="org.mortbay.jetty.handler.rewrite.SchemeHeaderRule">
              <Set name="header">X-Forwarded-Scheme</Set>
              <Set name="headerValue">https</Set> <!-- if this is unset, any value will match against the rule -->
              <Set name="scheme">https</Set>
            </New>
          </Arg>
        </Call>

        Cheers

        Ervin Varga added a comment -

        Thanks!

        I think it is much better now.

        Cheers, Ervin

        Rob Moore added a comment -

        I'm using this rule but it appears that the HttpServletRequest.isSecure() method returns false even though HttpServletRequest.getScheme() returns https. Is this by design?

        Ervin Varga added a comment -

        This is a valid comment, and you're right, getScheme() and isSecure() should be in sync. If you would like to have more sophisticated processing of HTTP requests, which takes into account XFF stuff, please consider using XForwardedFilter (see http://code.google.com/p/xebia-france/wiki/XForwardedFilter).

        Of course, it would be good to have all this integrated into some future edition of Jetty.
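
        Added example, not part of the issue thread, the attached patch or Jetty itself: a servlet filter that derives both getScheme() and isSecure() from the X-Forwarded-Scheme header so the two stay in sync, and honours the header only when the request comes directly from the front-end server. The class name, the proxy address (a constructed placeholder) and the assumption that the connector leaves getRemoteAddr() as the direct peer address (i.e. "forwarded" is not rewriting it) are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter (not Jetty code): keeps getScheme() and isSecure() consistent. */
public class ForwardedSchemeFilter implements Filter {
    // Header name taken from the sample usage in the thread.
    private static final String HEADER = "X-Forwarded-Scheme";
    // Assumption: address of the front-end server; constructed placeholder value.
    private static final Set<String> TRUSTED_PROXIES = Collections.singleton("192.0.2.10");

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String forwarded = http.getHeader(HEADER);
            // Honour the header only when the direct peer is the known front-end
            // server; any other client could have set the header itself.
            if (forwarded != null && TRUSTED_PROXIES.contains(http.getRemoteAddr())) {
                String value = forwarded.trim();
                final boolean secure = "https".equalsIgnoreCase(value);
                // Ignore values other than http/https instead of passing them through.
                if (secure || "http".equalsIgnoreCase(value)) {
                    req = new HttpServletRequestWrapper(http) {
                        @Override public String getScheme() { return secure ? "https" : "http"; }
                        @Override public boolean isSecure() { return secure; }
                    };
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

        Requests that arrive from any other address keep the scheme and secure flag the connector reported, so a client that reaches Jetty directly cannot mark its own plain-HTTP request as secure.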


          People

          • Assignee:
            Athena Yao
            Reporter:
            Ervin Varga