Handling X-FORWARDED-PROTO header in Java web application

java apache ssl http-headers ssl-certificate
28,131

I am pretty sure you have it all figured out by now but I will add the answer nonetheless.

You can use the class org.apache.catalina.valves.RemoteIpValve in the engine tag in conf/server.xml of tomcat.

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="192.168.1.XXX"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto"
    />

Something to note that is very important is to set the internalProxies value. If this is not set and you are you using a non-standard network setup it could cause some issues where tomcat will not check for x-forwarded headers and it will default to "http". For security reasons I'd recommend to set it even if it works with the defaults.

Look here for more information.

Share:
28,131
Admin
Author by

Admin

Updated on April 03, 2020

Comments

  • Admin
    Admin about 4 years

    Can any one guide me in working with X-FORWARDED-PROTO header in Java web application deployed to Apache Tomcat.

    The application setup is in such a way that tomcat talks with Apache webserver, which in turn talks with Cisco Load Balancer, finally the balancer publishes the pages to the client (tomcat -> apache2 -> load balancer -> client).

    The SSL Certificate is installed in Load Balancer and it's handling HTTPS requests. My requirement is to make the application behave in such a way that it uses the X-FORWARDED-PROTO and change the pages as HTTP or HTTPS.

    Checking on the header files of my webpages I could not find the X-FORWARDED-PROTO header. I don't have access to the Load Balancer configuration either, and the IT has suggested us to use the X-FORWARDED-PROTO to differentiate between HTTP and HTTPS request.

    Is there any configuration to be done in Tomcat or Apache level so that it will return the X-FORWARDED-PROTO header? Or is it that the configuration should be handled in Load Balancer?

  • user2519801
    user2519801 almost 11 years
    If you're using Apache to proxy requests to Tomcat, you need to add this to your SSL config in Apache: RequestHeader set X-Forwarded-Proto "https"
  • Alex Dean
    Alex Dean about 10 years
  • em_bo
    em_bo over 5 years
    You said "For security reasons I'd recommend to set it even if it works with the defaults." Can you elaborate? I've been wondering if this should be set even if the proxying IP(s) are in the default allowed ranges.
  • codependent
    codependent over 5 years
    This answer is perfect. @Allan Thanks for stressing the importance of internalProxies, that was what I was missing.
  • Nux
    Nux about 4 years
    Note that you only actually need to set protocolHeader="X-Forwarded-Proto" (and maybe internalProxies depending on your setup). The rest comes with default values that should be fine in most cases. Specifically IP is already re-written (so remoteIpHeader and remoteIpProxiesHeader is not needed).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Is it possible to have a valid sub-subdomain with a wildcard certificate?
HTTP SSL Proxy with Java Apache HttpClient
Invalid CA certificate with self signed certificate chain
HTTPs over a proxy with apache http client
Where is the location of Keystore file in JAVA?
Java server self-signed certificate + client certificate and SSL - connection reset
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
How to disable certificate validation in java
SSL_NULL_WITH_NULL_NULL cipher suite in in Jetty logs
Where to put certificates in Tomcat, when app acts as client?