Jetty

The scheme is not forwarded when the matching connector is configured with "forwarded=true".

Details

  • Type: Improvement Improvement
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 6.1.11
  • Fix Version/s: 7.0.0pre3, 6.1.12rc1
  • Component/s: HTTP
  • Labels:
    None
  • Environment:
    Windows Vista, JDK 6 Update 6
  • Patch Submitted:
    Yes
  • Number of attachments :
    2

Description

The scheme is not set when the "forwarded" parameter is set to true. The 'hostAddress' can not contain the scheme information. For example, let us assume that there is a Front Server (reachable from outside via HTTPS) at front of Jetty running on another secured machine. If the Jetty is accessed via HTTP then there is no simple way to "forward" the scheme, too.

The workaround is to write another rewrite handler rule. The attachment contains such an implementation. The configuration of this handler is very easy. The following XML snippet demonstrates its usage:

<!-- Forward the scheme. -->
<Call name="addRule">
<Arg>
<New class="org.mortbay.jetty.handler.rewrite.SchemePatternRule"/>
<Set name="pattern">/*</Set>
<Set name="scheme">https</Set>
</New>
</Arg>
</Call>

  1. File
    schemeheaderrule.diff
    15/Jul/08 5:54 AM
    12 kB
    Athena Yao
  2. Java Source File
    SchemePatternRule.java
    01/Jul/08 12:19 PM
    1 kB
    Ervin Varga

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Athena Yao added a comment -

Any thoughts on using an X-Forwarded-$x header?

One thing I see against my suggestion is that there doesn't seem to be a de-facto standard for this, unlike X-Forwarded-For, etc. Apache uses X-Forwarded-Ssl; Mongrel uses X-Forwarded-Proto. On the other hand, it would be consistent with how other forwarded information (X-Forwarded-Host/For/Server) is set on the request (in AbstractConnector)

Show
Athena Yao added a comment - Any thoughts on using an X-Forwarded-$x header? One thing I see against my suggestion is that there doesn't seem to be a de-facto standard for this, unlike X-Forwarded-For, etc. Apache uses X-Forwarded-Ssl; Mongrel uses X-Forwarded-Proto. On the other hand, it would be consistent with how other forwarded information (X-Forwarded-Host/For/Server) is set on the request (in AbstractConnector)
Hide
Permalink
Athena Yao added a comment -

Ervin,

I've adapted the class you wrote to match against header values from the forwarded request, instead of request paths. (The front-end server would have to set a custom header in order to let Jetty know the forwarded scheme)

Sample usage:

<Call name="addRule">
<Arg>
<New class="org.mortbay.jetty.handler.rewrite.SchemeHeaderRule"/>
<Set name="header">X-Forwarded-Scheme</Set>
<Set name="headerValue">https</Set> <!-- if this is unset, any value will match against the rule -->
<Set name="scheme">https</Set>
</New>
</Arg>
</Call>

Cheers

Show
Athena Yao added a comment - Ervin, I've adapted the class you wrote to match against header values from the forwarded request, instead of request paths. (The front-end server would have to set a custom header in order to let Jetty know the forwarded scheme) Sample usage: <Call name="addRule"> <Arg> <New class="org.mortbay.jetty.handler.rewrite.SchemeHeaderRule"/> <Set name="header">X-Forwarded-Scheme</Set> <Set name="headerValue">https</Set> <!-- if this is unset, any value will match against the rule --> <Set name="scheme">https</Set> </New> </Arg> </Call> Cheers
Hide
Permalink
Ervin Varga added a comment -

Thanks!

I think it is much better now.

Cheers, Ervin

Show
Ervin Varga added a comment - Thanks! I think it is much better now. Cheers, Ervin
Hide
Permalink
Rob Moore added a comment -

I'm using this rule but it appears that the HttpServletRequest.isSecure() method returns false even though HttpServletRequest.getScheme() returns https. Is this by design?

Show
Rob Moore added a comment - I'm using this rule but it appears that the HttpServletRequest.isSecure() method returns false even though HttpServletRequest.getScheme() returns https. Is this by design?
Hide
Permalink
Ervin Varga added a comment -

This is a valid comment, and you're right, getScheme() and isSecure() should be in sync. If you would like to have a more sophisticated processing of HTTP requests, which takes into account XFF stuff, please, consider using XForwardedFilter (see http://code.google.com/p/xebia-france/wiki/XForwardedFilter).

Of course, it would be good to have all this integrated into some future edition of Jetty.

Show
Ervin Varga added a comment - This is a valid comment, and you're right, getScheme() and isSecure() should be in sync. If you would like to have a more sophisticated processing of HTTP requests, which takes into account XFF stuff, please, consider using XForwardedFilter (see http://code.google.com/p/xebia-france/wiki/XForwardedFilter ). Of course, it would be good to have all this integrated into some future edition of Jetty.

People

  • Assignee:
    Athena Yao
    Reporter:
    Ervin Varga
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: