Can you show the configuration of the app server for the header?
Tomcat, for example, needs a custom valve to acknowledge X-Forwarded headers.

On Mon, Jun 17, 2019 at 9:36 AM Kim Syväluoma <kim....@aland.net> wrote:

> We have now added the X-Forwarded-Proto and X-Forwarded-For to the
> requests but we still get 302 loop:
>
> GET /ngm/start HTTP/1.1
> Host: bo-ci.eget.fi
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169
> Safari/537.36
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9,sv;q=0.8,fi;q=0.7,lv;q=0.6,es;q=0.5
> Cookie: _ga=GA1.2.2095789035.1543389393;
> AMCV_A5A139F7569D5CB57F000101%40AdobeOrg=1406116232%7CMCIDTS%7C17864%7CMCMID%7C21405024211598008102491243369473793569%7CMCAAMLH-1543994214%7C6%7CMCAAMB-1543994214%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1543396614s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C2.5.0;
>
> _gcl_au=1.1.558442318.1553672462;
> __cfduid=d3fcfc204dc54bf4c4d94a53ee955a6581557830653;
> NGM=g49j5fJxzz-XyMWzYBJ4YoebaB8rgEwPw_gG2tEjudRZqYbykvGY!-2115956942
> X-Forwarded-For: 10.5.128.233
> X-Forwarded-Proto: https
>
> HTTP/1.1 302 Moved Temporarily
> Connection: close
> Date: Mon, 17 Jun 2019 06:23:19 GMT
> Transfer-Encoding: chunked
> Location: https://bo-ci.eget.fi/ngm/start
>
> 0103
> <html><head><title>302 Moved Temporarily</title></head>
> <body bgcolor="#FFFFFF">
> <p>This document you requested has moved
> temporarily.</p>
> <p>It's now at <a
> href="https://bo-ci.eget.fi/ngm/start">https://bo-ci.eget.fi/ngm/start
> </a>.</p>
> </body></html>
>
> 0000
>
>
> Any more tips?
>
> Br,
> Kim
>
>
> 2019-06-14 12:24 skrev Kim Syväluoma:
> > Thanks for the answers. We will try adding the "X-Forwarded-Proto:
> > https" header to our requests.
> >
> > /Kim
> >
> > 2019-06-14 11:34 skrev Chris Poulsen:
> >> Hi,
> >>
> >> We use:
> >>
> >> // default to non-secure pages (allows us to support both http and
> >> // https based on the request)
> >> configuration.add( SymbolConstants.SECURE_ENABLED, "false" );
> >>
> >> And always have an upstream proxy for performing SSL termination. This
> >> relies on the X-Forward-* headers being set and handled correctly by
> >> the various servers.
> >>
> >> --
> >> Chris
> >>
> >> On Fri, Jun 14, 2019 at 10:06 AM Dmitry Gusev <dmitry.gu...@gmail.com>
> >> wrote:
> >>
> >>> Hi,
> >>>
> >>> I'd suggest checking the value of `Request#isSecure()`, it looks like
> >>> it's false.
> >>>
> >>> It can happen if your WebSphere is behind a proxy/load balancer which
> >>> terminates SSL,
> >>> in this case you may need to configure WebSphere to acknowledge the
> >>> x-forwarded-proto HTTP header.
> >>>
> >>> On Fri, Jun 14, 2019 at 9:17 AM Kim Syväluoma <kim....@aland.net>
> >>> wrote:
> >>>
> >>> > We have a Tapestry application which we need to use over HTTPS only. We
> >>> > are using Weblogic only.
> >>> >
> >>> > We have these set in the AppModule of the Tapestry application:
> >>> >
> >>> > public static void contributeApplicationDefaults(
> >>> >          final MappedConfiguration<String, String> configuration) {
> >>> >      configuration.add("tapestry.supported-locales", "en");
> >>> >      configuration.add("tapestry.start-page-name", "start");
> >>> >      configuration.add(SymbolConstants.HOSTPORT_SECURE, "443");
> >>> >      configuration.add(SymbolConstants.SECURE_ENABLED, "true");
> >>> > }
> >>> >
> >>> > public static void contributeMetaDataLocator(final
> >>> > MappedConfiguration<String, String> configuration) {
> >>> >      configuration.add(MetaDataConstants.SECURE_PAGE, "true");
> >>> > }
> >>> >
> >>> > In the Start page we have a redirect like this:
> >>> >
> >>> > final Object onActivate() {
> >>> >      if (!this.sessionHandler.isLoggedIn()) {
> >>> >          return this.loginPage;
> >>> >      }
> >>> >      return this.mainFrameSet;
> >>> > }
> >>> >
> >>> > When we try to access our app by HTTPS at root or directly at the start
> >>> > page, loginPage or mainFrameSet page we get an infinite redirect loop (302)
> >>> > to the same page we are accessing.
> >>> >
> >>> > If we set the MetaDataConstants.SECURE_PAGE to false we can access our
> >>> > app over HTTPS but all page requests/links within the app are then done
> >>> > over HTTP and that does not work.
> >>> > We need to have all functionality within the app to work over, and using
> >>> > only, HTTPS.
> >>> >
> >>> > What have we missed?
> >>> >
> >>> > Br,
> >>> > Kim
> >>> >
> >>>
> >>> --
> >>> Dmitry Gusev
> >>>
> >>> AnjLab Team
> >>> http://anjlab.com
> >>>
>

-- 
Dmitry Gusev

AnjLab Team
http://anjlab.com
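
One way to make the forwarded scheme visible to the application when the container does not do it, as an added example that is not code from this thread or from Tapestry: a servlet filter that reports the request as secure only when it arrives from a known TLS-terminating proxy, so a client that sets `X-Forwarded-Proto` itself is ignored. The class name, the proxy address (a documentation placeholder) and the assumption that Tapestry's `Request#isSecure()` reflects the servlet request's `isSecure()` are not from the thread; port 443 matches the `HOSTPORT_SECURE` value quoted above.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: honours X-Forwarded-Proto only from trusted proxies.
public class ForwardedProtoFilter implements Filter {

    // Assumption: direct peer addresses of the TLS-terminating proxies.
    // 192.0.2.10 is a placeholder (TEST-NET-1), replace with the real ones.
    private static final Set<String> TRUSTED_PROXIES =
            new HashSet<>(Arrays.asList("192.0.2.10"));

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRemoteAddr() is the TCP peer, which the client cannot forge via headers.
        boolean fromProxy = TRUSTED_PROXIES.contains(http.getRemoteAddr());
        String proto = http.getHeader("X-Forwarded-Proto");
        if (fromProxy && "https".equalsIgnoreCase(proto)) {
            chain.doFilter(new SecureRequest(http), res);
        } else {
            // Untrusted peer or plain HTTP: leave the request as the container saw it.
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() { }

    // Presents the original, TLS-protected view of the request to the application.
    static final class SecureRequest extends HttpServletRequestWrapper {
        SecureRequest(HttpServletRequest request) { super(request); }
        @Override public boolean isSecure() { return true; }
        @Override public String getScheme() { return "https"; }
        @Override public int getServerPort() { return 443; }
    }
}
```

The filter has to be mapped ahead of the Tapestry filter in `web.xml` so that the wrapped request is the one the framework inspects.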
