-
Notifications
You must be signed in to change notification settings - Fork 40.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support x-forwarded-host #2603
Comments
I don't know how Tomcat and Undertow handling but here is what I have done for Jetty. Note that Jetty has internal support for this.
I would be happy to be supported default by Jetty and others. Spring's +1 |
this is the same issue in different context https://jira.spring.io/browse/SPR-10110 |
I think that this really ought to be fixed in Spring Security. A fix there will benefit everyone who uses Spring Security and not just those who also use Spring Boot. @rwinch? |
@wilkinsona I had already filed an issue similar to this one last year. Please see: https://jira.spring.io/browse/SEC-2526 |
Interesting. Unless I've missed something, Tomcat's Edit - @cemo I've just noticed that your issue was about |
i filed a request for tomcat to support this header https://bz.apache.org/bugzilla/show_bug.cgi?id=57665 |
To me it seems undesirable that the logic to resolve the correct host is duplicated and throughout the various layers (HATEOAS, Framework, Security, etc) of Spring. This logic makes it difficult to maintain. Additionally, it makes it difficult to keep up with various proxy. For example HAProxy, nginx, ELB, etc support Proxy Protocol. In all honesty, I've never used Proxy Protocol so I am not certain how it impacts things with a Servlet Container. However, the fact that there are many layers of Spring performing the same logic and that there are multiple ways that logic might be performed hints to me that something is amiss. |
@rwinch There's no need to duplicate the logic. It's only in Spring Framework and Spring HATEOAS as the latter got there first. You can reuse the logic from Spring Framework by calling Making a change in Spring Security that benefits many people is surely preferable to many people duplicating the configuration of a Valve, header rewriting, etc |
@wilkinsona Thanks for pointing this out (somehow I had missed it). We could likely use this with Spring Security 4.0+, but Spring Security 3.2.x still supports Spring 3.x line which does not appear to have this functionality. I created https://jira.spring.io/browse/SEC-2898 |
Closing in favour of SEC-2898. |
@wilkinsona I'd like to reopen this ticket as this can't work without support by Tomcat itself. This can be easily demonstrated by a simple redirect: @RequestMapping("/redirect")
public String redirect() {
return "redirect:/";
}
expected location would be The situation is however even worse for a context redirect caused by this code in TomcatEmbeddedServletContainerFactory (introduced in 43ed824): context.setUseRelativeRedirects(false);
context.setMapperContextRootRedirectEnabled(true); the request won't even reach the
expected location would be |
I'm not sure I understand. @sfussenegger if this can't work without support by Tomcat itself, how will reopening this issue help?
IIRC, the code in 43ed824 simply reinstated Tomcat's default behaviour that had been changed inadvertently and was then reverted in a subsequent release. I've just looked at Tomcat 8.0.33 and |
It could of course be a new ticket instead. But the main point is that support for The context redirect is a topic of its own as it bypasses all of them as it bypasses Tomcat's The bad redirect caused by Back to As I've said, Tomcat does not support it but with a custom valve it can be added rather easily: // copied from spring-cloud/spring-cloud-netflix#1108
@Bean
public EmbeddedServletContainerCustomizer customizer() {
return (final ConfigurableEmbeddedServletContainer container) -> {
((TomcatEmbeddedServletContainerFactory) container).addContextValves(new ValveBase() {
@Override
public void invoke(final Request request, final Response response) throws IOException, ServletException {
final MessageBytes serverNameMB = request.getCoyoteRequest().serverName();
String originalServerName = null;
final String forwardedHost = request.getHeader("X-Forwarded-Host");
if (forwardedHost != null) {
originalServerName = serverNameMB.getString();
serverNameMB.setString(forwardedHost);
}
try {
getNext().invoke(request, response);
} finally {
if (forwardedHost != null) {
serverNameMB.setString(originalServerName);
}
}
}
});
};
} Personally I feel that this should be added if |
@sfussenegger's solution should look something like this if you're on Spring Boot 2
|
when running spring boot app behing a proxy
request goes to
https://example.com
then it's forwarded to spring boot app, request looks like this
When using embedded Tomat
org/springframework/boot/autoconfigure/web/ServerProperties.class
configures RemoteIpValve, that handles X-Forwarded-Proto
but X-Forwarded-Host is not handled
later when spring security handles authentication
org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPoint.java
redirect to login form is not built incorrectly
Using the
Host: header
and X-Forwarded-Host is ignored
The text was updated successfully, but these errors were encountered: