Hi Bin

> Konstantin:
> Thank you very much for your reply. To answer your question
> 
> 1.     The api-lb and lb-api was a typo.
> 
> 2.     I was able to reproduce this problem with a single server behind the 
> load balancer, where http://lb-test-api:8080 was set to forward to 
> https://lb-test-api:8443 using a VIP. 
> On the test server, 8080 was redirected to 8443 in server.xml, and web.xml 
> was modified as described in the Tomcat doc.
> My war file's web.xml also included a <security-constraint> section. With 
> these settings, my POST request to http://my-test-api:8080 was automatically 
> redirected to https://my-test-api:8443 with no problem. The POST is a REST 
> web service call, so a single response was received. 
> 
> Inside the access log, when posting via the load balancer: 
> 10.166.27.33 - - [19/Jan/2017:11:21:27 -0800] 8443 "GET /theacturalapicallurl HTTP/1.1" 405 1045
> When posting directly to my-test-api:8080, the access log got recorded as: 
> 10.20.96.62 - - [19/Jan/2017:11:28:15 -0800] 8080 "POST /theacturalapicallurl HTTP/1.1" 201 277
> 
> 3.     Here is my setup
> 
>   --------(load balancer) ----------------(my-test-api) 
> 
> 
> This looks to me like Tomcat is performing a POST-Redirect-GET when there 
> is a proxy, and the call was redirected to protect the server from a MITM 
> attack. 
> 
> Hopefully this clarifies my question,
> 
> Thank you very much,
> 
> Bin
> 

I wonder whether the redirect uses a 301 or a 302, which by default results in 
a GET. How is this implemented in the load balancer?

As I read it, a 307 should preserve the request method. From: 
http://stackoverflow.com/questions/13628831/apache-301-redirect-and-preserving-post-data
 

If you want to enforce the redirect to https, you should, however, consider a 
different approach.

If it is necessary to protect the data, no POST should ever go to http/port 
8080, as the data will be in the open in the first request.
So in my opinion the calling website/application that is sending the data to 
8080 should be modified in the first place.

Best regards

Peter 

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
> Sent: Wednesday, January 18, 2017 11:43 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: https redirect failed for POST request when behind a load 
> balancer
> 
> 1. You know that "api-lb" and "lb-api" above are two different host names?
> 
> 2. What HTTP response code is sent to the client to perform the redirection?
> (What is displayed by the access log? Or by the "network" monitoring tool in the browser. 
>  What are the actual responses that perform the redirection?)
> 
> Some response codes used for redirects allow the browser to change POST to 
> GET, some do not. See the HTTP protocol specification for details.
> https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.apache.org_tomcat_Specifications&d=DwIFaQ&c=uilaK90D4TOVoH58JNXRgQ&r=T34XNMuHs99f3YkStEdBgUp9XTcpTRir8U9GVk2H5hQ&m=g9XvhdAG4g80Ajw7i4CvF3kysWtESxDF6NFX8j630c8&s=mOjl8_uOfuo3lfn8xDS6jwCZao9az7SjXLxgAh-2Twc&e=
>  
> 
> Is redirect performed by a single response, or there are several redirect 
> responses in a chain, A -> B -> C/ ?
> 
> 3. Actual configuration?
> 
> (For someone else to reproduce the issue or to match your tale to their 
> configs).
> 
> Best regards,
> Konstantin Kolinko
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
>
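The redirect behaviour the thread is debating (a 301/302 turns the client's POST into a GET, which then hits the API's 405; a 307/308 keeps the method and body), as an added, runnable illustration that is not part of the thread and not Tomcat code. It stands up two throwaway local HTTP servers: a "front" server that only redirects, playing the role of the 8080 connector with a CONFIDENTIAL security-constraint, and an "api" server that answers 201 to POST and 405 to anything else, playing the role of the REST endpoint in the access log above. The request path is taken from the log; the JSON body, the ports (ephemeral) and the client-side redirect rule are constructed for the example. Both servers speak plain HTTP so it runs offline; the method-change semantics are the same for an https target.

```python
"""Why a 302 from the http:8080 connector turns a POST into a GET.

Added example, not from the thread or from Tomcat.  Two throwaway local
servers stand in for the two connectors: "front" only redirects (like the
8080 connector with a CONFIDENTIAL security-constraint), "api" answers
201 to POST and 405 to anything else (like the REST endpoint in the log).
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

API_PATH = "/theacturalapicallurl"  # path taken from the thread's access log
REDIRECT_CODES = (301, 302, 303, 307, 308)


def method_after_redirect(status, method):
    """Method a typical HTTP client uses for the follow-up request (RFC 7231 / 7538)."""
    if status in (307, 308):
        return method          # method and body must be preserved
    if status == 303:
        return "GET"           # always GET
    if status in (301, 302) and method == "POST":
        return "GET"           # permitted "for historical reasons"; browsers and libraries do it
    return method


def make_api_handler(log):
    class ApiHandler(BaseHTTPRequestHandler):
        def _handle(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length) if length else b""
            status = 201 if self.command == "POST" else 405
            log.append((self.command, self.path, status, body))  # access-log style record
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()
        do_GET = do_POST = _handle
        def log_message(self, *args):  # keep stdout quiet
            pass
    return ApiHandler


def make_redirect_handler(status, target_port, seen):
    class RedirectHandler(BaseHTTPRequestHandler):
        def _handle(self):
            length = int(self.headers.get("Content-Length", 0))
            # By the time we redirect, the body has already crossed the wire in cleartext.
            seen.append(self.rfile.read(length) if length else b"")
            self.send_response(status)
            self.send_header("Location", f"http://127.0.0.1:{target_port}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()
        do_GET = do_POST = _handle
        def log_message(self, *args):
            pass
    return RedirectHandler


def simulate(redirect_status, method="POST", body=b'{"name": "example"}'):
    """Send one request through the redirecting front server.

    Returns (method the api server saw, api status, body the front server
    received in the clear).  The body is a constructed sample payload."""
    log, seen = [], []
    api = HTTPServer(("127.0.0.1", 0), make_api_handler(log))
    front = HTTPServer(("127.0.0.1", 0),
                       make_redirect_handler(redirect_status, api.server_address[1], seen))
    for srv in (api, front):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        json_hdr = {"Content-Type": "application/json"}
        conn = http.client.HTTPConnection("127.0.0.1", front.server_address[1], timeout=5)
        conn.request(method, API_PATH, body=body, headers=json_hdr)
        resp = conn.getresponse()
        resp.read()
        if resp.status not in REDIRECT_CODES:
            raise RuntimeError(f"front server answered {resp.status}, not a redirect")
        target = urlsplit(resp.getheader("Location"))
        conn.close()

        # Follow the redirect the way a normal client would.
        next_method = method_after_redirect(resp.status, method)
        keep_body = next_method == method
        conn = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
        conn.request(next_method, target.path,
                     body=body if keep_body else None,
                     headers=json_hdr if keep_body else {})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return next_method, resp.status, seen[0]
    finally:
        for srv in (api, front):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for code in (302, 307):
        m, status, leaked = simulate(code)
        print(f'redirect {code}: api saw "{m} {API_PATH}" -> {status}; '
              f'front received {len(leaked)} body bytes over plain http')
```

Running it reproduces both log lines from the thread: with a 302 the API sees `GET /theacturalapicallurl` and answers 405, with a 307 it sees the original `POST` and answers 201. The third return value makes Peter's point concrete: whichever status the front server sends, it has already read the full POST body over plain HTTP before the client ever reaches the https port, so the redirect protects nothing about that first request.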
