hello world sample reverse proxy problem #7081

Closed
luvarqpp opened this issue Jul 5, 2019 · 3 comments
Assignees: rwinch
Labels: in: docs (An issue in Documentation or samples); status: declined (A suggestion or change that we don't feel we should currently apply)

Comments

luvarqpp commented Jul 5, 2019

Attachment: issue.patch.zip

Summary

I have used the sample/boot/helloworld sample project behind a reverse proxy and it generates a wrong 302 redirection (the Location header does not respect the X-Forwarded-* headers from the reverse proxy).

I have used the settings according to the documentation to allow processing of X-Forwarded-* headers to work, but only with partial success.

Hostname from X-Forwarded-Host is not being used when constructing login form redirect Location header. There is some missing documentation or code/config.

Actual Behavior

➜  ~ curl -i http://localhost:8080 \
    -H 'X-Forwarded-Host: example.com' \
    -H 'X-Forwarded-Port: 443' \
    -H 'X-Forwarded-prefix: /myDevelApp' \
    -H 'X-Forwarded-proto: https'
HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/index
Content-Language: en-US
Content-Length: 0
Date: Fri, 05 Jul 2019 06:08:28 GMT

Note Location header.

I have done some modifications (all according to the latest Spring documentation) to "enable behind-proxy behavior".

I have modified the base project located at https://github.com/spring-projects/spring-security/tree/master/samples/boot/helloworld with these changes:

  1. Set server.use-forward-headers to true according to the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server documentation.

After this modification, only the protocol has been changed according to X-Forwarded-proto, i.e. the response has the header: Location: https://localhost/index

  2. Set server.tomcat.remote-ip-header and server.tomcat.protocol-header to X-Forwarded-Host and X-Forwarded-proto respectively. This is documented just after the previous step. Side note: there is no prefix setting.

The header is not changed from the previous attempt, i.e. the header is Location: https://localhost/index.

  3. Add a ForwardedHeaderFilter bean instance to the configuration (see the diff/patch at the end of this issue). It has been added as an act of despair after a long "google session". It was also advised in the hateoas documentation and it is needed to make spring-data and rest work correctly behind a proxy. You can also have a look at issue "x-forwarded-host & x-forwarded-prefix headers not working after project upgrade to Spring Boot 2.1" spring-hateoas#862

Here is some more progress, the URL prefix is present:

curl -i http://localhost:8080 \                                                  
    -H 'X-Forwarded-Host: example.com' \
    -H 'X-Forwarded-Port: 443' \
    -H 'X-Forwarded-prefix: /myDevelApp' \
    -H 'X-Forwarded-proto: https'
HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Location: https://localhost/myDevelApp/index
Content-Language: en-US
Content-Length: 0
Date: Fri, 05 Jul 2019 06:52:37 GMT

You can also have a look at the similar issue spring-projects/spring-boot#15046 for a possible solution. Note that the given solution is not in line with the documentation.

Expected Behavior

Response header should be Location: https://example.com/myDevelApp/index instead of
Location: https://localhost/myDevelApp/index.

Version

Current version from the repository sample, i.e. Spring Boot v2.2.0.M3.

Sample

To run the project I have used this command line:
gradle clean build bootRun
The project is based on this:

mkdir issueSpringSecurityProxy
cd issueSpringSecurityProxy
git clone https://github.com/spring-projects/spring-security.git .
cd samples/boot/helloworld
git apply issue.patch
gradle clean build bootRun

issue.patch file (also as zipped attachment):

diff --git a/samples/boot/helloworld/src/main/java/org/springframework/security/samples/HelloWorldApplication.java b/samples/boot/helloworld/src/main/java/org/springframework/security/samples/HelloWorldApplication.java
index 7ffeb8607..a30621f64 100644
--- a/samples/boot/helloworld/src/main/java/org/springframework/security/samples/HelloWorldApplication.java
+++ b/samples/boot/helloworld/src/main/java/org/springframework/security/samples/HelloWorldApplication.java
@@ -17,6 +17,8 @@ package org.springframework.security.samples;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.web.filter.ForwardedHeaderFilter;
+import org.springframework.context.annotation.Bean;
 
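Review bot: the two added imports are out of sorted order, both relative to each other and to the existing `org.springframework.boot.*` imports (`org.springframework.context.annotation.Bean` sorts before `org.springframework.web.filter.ForwardedHeaderFilter`); reorder them so the sample keeps its sorted import block.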
 /**
  * @author Joe Grandja
@@ -28,5 +30,10 @@ public class HelloWorldApplication {
 		SpringApplication.run(HelloWorldApplication.class, args);
 	}
 
+	@Bean
+	ForwardedHeaderFilter forwardedHeaderFilter() {
+		return new ForwardedHeaderFilter();
+	}
+
 
-}
\ No newline at end of file
+}
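Review bot: registering ForwardedHeaderFilter as a bare @Bean gives it Spring Boot's default (lowest-precedence) filter order, so it runs after the Spring Security filter chain, which Boot registers at order -100; anything Spring Security computes from the request before that point, such as an absolute redirect URL, sees the unwrapped request. Return a `FilterRegistrationBean<ForwardedHeaderFilter>` with `setOrder(Ordered.HIGHEST_PRECEDENCE)` instead. Separately, this filter trusts Forwarded and X-Forwarded-* from whoever connects, so it must only be enabled behind a proxy that overwrites those headers; as configured here, the curl client in the issue is the one choosing the host and prefix that end up in the 302 Location. The extra blank line added before the closing brace should also go.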
diff --git a/samples/boot/helloworld/src/main/resources/application.yml b/samples/boot/helloworld/src/main/resources/application.yml
index b59d86df4..76d11a17a 100644
--- a/samples/boot/helloworld/src/main/resources/application.yml
+++ b/samples/boot/helloworld/src/main/resources/application.yml
@@ -1,5 +1,9 @@
 server:
   port: 8080
+  use-forward-headers: true
+  tomcat:
+    remote-ip-header: X-Forwarded-Host
+    protocol-header: X-Forwarded-proto
 
 logging:
   level:
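Review bot: `remote-ip-header` is the header Tomcat's RemoteIpValve reads as the client-address chain (default X-Forwarded-For), not a host header, so setting it to X-Forwarded-Host makes Tomcat treat `example.com` as a client IP and rewrite or strip that header after evaluation; the ForwardedHeaderFilter added in the Java hunk then never sees the host, which matches the second curl output in the issue (scheme and prefix applied, host still localhost). Since that filter already handles X-Forwarded-Host, -Proto, -Port and -Prefix itself, drop the `remote-ip-header` and `protocol-header` lines and leave `use-forward-headers` unset rather than having Tomcat and the filter both process the same headers; if Tomcat-level handling is wanted instead, `remote-ip-header` should be X-Forwarded-For and the value for `protocol-header` should be the canonical `X-Forwarded-Proto` (it only matches the default by case-insensitive comparison).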
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 5, 2019
@rwinch rwinch added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 10, 2019
@rwinch rwinch self-assigned this Jul 10, 2019
@rwinch rwinch added status: declined A suggestion or change that we don't feel we should currently apply in: docs An issue in Documentation or samples and removed status: invalid An issue that we don't feel is valid labels Jul 10, 2019

rwinch commented Jul 10, 2019

Thanks for creating the issue. As this is a hello world sample, we aren't attempting to handle this scenario.

@rwinch rwinch closed this as completed Jul 10, 2019
luvarqpp (Author) commented

Thanks for creating the issue. As this is a hello world sample, we aren't attempting to handle this scenario.

Hello, I have not created this issue because the helloworld project is not able to run behind a proxy. I have used helloworld just as a codebase to start from. The point of my issue is that the documentation is not correct/complete. Specifically, after applying its suggestions to make the project configured for proxy usage, it fails to work.

I have found that the problem is not the documentation itself, but that there is a missing requirement for the reverse proxy config/behavior.

As I have found out, a Spring project configured as I have described needs the Forwarded header with host filled in, and X-Forwarded-prefix. Something like this:

curl -i http://localhost:8080 \                                     
    -H 'X-Forwarded-prefix: /myDevelApp' \
    -H 'Forwarded: for=333.333.333.333;host=example.com;proto=https'

References for nginx and the Forwarded header can be found at https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ (beware of the missing host parameter. You should fill it in manually)

PS: applying these configs and settings for the proxy to the project spring-security-oauth2login does not work. But that is another issue (probably a documentation issue again).
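The header handling described in the issue's numbered steps and in the reply above, as an added example that is not part of this thread and not Spring's own ForwardedHeaderFilter code: a small Python model of how a proxy-aware application derives the externally visible origin (an RFC 7239 Forwarded header first, otherwise X-Forwarded-Host/-Proto/-Port, plus X-Forwarded-Prefix in either case) and builds an absolute redirect Location from it. It also adds the check a practitioner wants and the sample's filter registration does not have: forwarded headers are honoured only when the TCP peer is a configured trusted proxy, so a client connecting directly (like the curl commands in this issue) cannot choose the host written into the 302. The header dicts, the trusted-proxy list and all function names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Mapping, Optional

DEFAULT_PORTS = {"http": 80, "https": 443}

@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: Optional[int]  # None = default port for the scheme
    prefix: str          # "" or "/prefix" without trailing slash

def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; only the first comma-separated element is
    used, i.e. the value written by the proxy nearest the client."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.split(",", 1)[0].strip()
    return None

def parse_forwarded(value: str) -> dict:
    """Parse one RFC 7239 Forwarded element ('for=..;host=..;proto=..')."""
    params = {}
    for pair in value.split(";"):
        if "=" in pair:
            key, val = pair.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return params

def split_host(host: str) -> tuple:
    """'a.example' -> ('a.example', None); 'a.example:8443' -> (.., 8443);
    '[2001:db8::1]:443' -> ('[2001:db8::1]', 443)."""
    if host.startswith("["):
        name, _, rest = host.partition("]")
        return name + "]", (int(rest[1:]) if rest.startswith(":") else None)
    if host.count(":") == 1:
        name, port = host.split(":")
        return name, int(port)
    return host, None

def normalise_prefix(prefix: Optional[str]) -> str:
    stripped = (prefix or "").strip("/")
    return "/" + stripped if stripped else ""

def resolve_origin(headers, remote_addr, trusted_proxies,
                   local_scheme="http", local_host="localhost", local_port=8080):
    """Origin the client used, as far as the app can tell. Forwarded and
    X-Forwarded-* are honoured only when the TCP peer is a trusted proxy;
    from anyone else they are ignored, otherwise a client could pick the
    host written into the 302 Location (redirect poisoning)."""
    local = Origin(local_scheme, local_host, local_port, "")
    if not any(ip_address(remote_addr) in ip_network(n) for n in trusted_proxies):
        return local
    scheme, host, port = local.scheme, local.host, local.port
    forwarded = header(headers, "Forwarded")
    if forwarded is not None:
        # RFC 7239 wins; X-Forwarded-Host/Proto/Port are then ignored.
        params = parse_forwarded(forwarded)
        if "proto" in params:
            scheme, port = params["proto"], None
        if "host" in params:
            host, port = split_host(params["host"])
    else:
        xf_proto = header(headers, "X-Forwarded-Proto")
        if xf_proto is not None:
            scheme, port = xf_proto, None  # old port is meaningless for the new scheme
        xf_host = header(headers, "X-Forwarded-Host")
        if xf_host is not None:
            host, port = split_host(xf_host)
        xf_port = header(headers, "X-Forwarded-Port")
        if xf_port is not None:
            port = int(xf_port)
    # X-Forwarded-Prefix has no RFC 7239 counterpart, so it is read either way.
    prefix = normalise_prefix(header(headers, "X-Forwarded-Prefix"))
    return Origin(scheme, host, port, prefix)

def redirect_location(headers, path, **kw) -> str:
    """Absolute URL for a Location header; the scheme's default port is omitted."""
    o = resolve_origin(headers, **kw)
    port = "" if o.port is None or DEFAULT_PORTS.get(o.scheme) == o.port else f":{o.port}"
    return f"{o.scheme}://{o.host}{port}{o.prefix}{path}"

# Constructed inputs: the curl headers from the issue and from the reply above.
ISSUE_HEADERS = {"X-Forwarded-Host": "example.com", "X-Forwarded-Port": "443",
                 "X-Forwarded-prefix": "/myDevelApp", "X-Forwarded-proto": "https"}
REPLY_HEADERS = {"X-Forwarded-prefix": "/myDevelApp",
                 "Forwarded": "for=333.333.333.333;host=example.com;proto=https"}
TRUSTED = ("127.0.0.1/32", "10.0.0.0/8")  # assumed addresses of the reverse proxy

if __name__ == "__main__":
    for name, hdrs in (("issue", ISSUE_HEADERS), ("reply", REPLY_HEADERS)):
        print(name, redirect_location(hdrs, "/index", remote_addr="127.0.0.1",
                                      trusted_proxies=TRUSTED))
    # Same headers sent straight from a client: ignored, redirect stays local.
    print("spoof", redirect_location(ISSUE_HEADERS, "/index", remote_addr="203.0.113.9",
                                     trusted_proxies=TRUSTED))
```

Both header sets from the thread resolve to the expected https://example.com/myDevelApp/index when they arrive from a trusted proxy address, and the same headers from an untrusted peer yield the plain http://localhost:8080/index. The trusted-peer gate is the piece that matters in production: Spring's ForwardedHeaderFilter does not do it, so the reverse proxy must be configured to overwrite, not append to, the Forwarded and X-Forwarded-* headers it receives from clients.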

rwinch commented Jul 16, 2019

If ForwardedHeaderFilter is not working, please report it to https://github.com/spring-projects/spring-framework/issues with details on how to reproduce the issue.
