Posted to dev@felix.apache.org by "Ian Boston (JIRA)" <ji...@apache.org> on 2014/05/02 10:08:14 UTC

[jira] [Commented] (FELIX-4330) [HTTP SSL Filter] Make SSL header(s) configurable

    [ https://issues.apache.org/jira/browse/FELIX-4330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13987483#comment-13987483 ] 

Ian Boston commented on FELIX-4330:
-----------------------------------

lgtm, except, imho it would be better to support the major SSL terminations by default so that for 80% of those deploying it works out of the box and they don't have to debug, read the docs or find this jira issue.

I think that list should include
mod_ssl
AWS ELB
nginx

The real problem with AWS ELB is that it's not possible to configure what the headers are. They are hard coded and the only interface is a web page/web service. For most others (including mod_ssl and nginx) there is a "set request header" directive of some form. TBH, it's possible to work around this by putting a HAProxy behind the ELB SSL termination.

> [HTTP SSL Filter] Make SSL header(s) configurable
> -------------------------------------------------
>
>                 Key: FELIX-4330
>                 URL: https://issues.apache.org/jira/browse/FELIX-4330
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http-2.2.1
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>         Attachments: FELIX-4330-fme.patch, FELIX-4330.patch
>
>
> The request header indicating a proxy terminating an HTTPS connection is currently hard coded to be "X-Forwarded-SSL" with the only value supported to be "on" -- based on the assumption of this being the most commonly used header value.
> It looks like Amazon's Elastic Load Balancer uses a different header and value: X-Forwarded-Proto whose value is the actual protocol by which the client talks to the load balancer. The filter should kick in if the protocol is https (or maybe if it is just not the same as the one which the servlet container reports).
> [1] http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-proto



--
This message was sent by Atlassian JIRA
(v6.2#6252)
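
The header check discussed in this thread, as an added example that is not part of the original message or of the Felix HTTP SSL filter: it accepts both header/value pairs named in the issue by default and honours them only from a configured proxy address. The class name, the "Header=value,..." rule syntax, the trusted-proxy set and the sample addresses are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added illustration; not the Felix HTTP SSL filter's code.
public class SslHeaderCheck {
    // The two header/value pairs named in the issue: the hard-coded one and the ELB one.
    static final String DEFAULT_RULES = "X-Forwarded-SSL=on,X-Forwarded-Proto=https";

    // Header names are matched case-insensitively, as HTTP requires.
    private final Map<String, String> rules = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    private final Set<String> trustedProxies;

    // ruleSpec uses a hypothetical "Header=value,Header=value" configuration syntax.
    SslHeaderCheck(String ruleSpec, Set<String> trustedProxies) {
        for (String pair : ruleSpec.split(",")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty()) {
                throw new IllegalArgumentException("bad rule: " + pair);
            }
            rules.put(kv[0].trim(), kv[1].trim());
        }
        this.trustedProxies = trustedProxies;
    }

    // True only if the peer is a configured proxy (assumption: the caller passes
    // the connection's peer address) and one configured header/value pair matches.
    boolean sslTerminated(String remoteAddr, Map<String, String> requestHeaders) {
        if (!trustedProxies.contains(remoteAddr)) {
            return false; // a client connecting directly can set these headers itself
        }
        for (Map.Entry<String, String> h : requestHeaders.entrySet()) {
            String expected = rules.get(h.getKey());
            if (expected != null && expected.equalsIgnoreCase(h.getValue().trim())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed proxy address and constructed sample requests.
        SslHeaderCheck check = new SslHeaderCheck(DEFAULT_RULES, Set.of("10.0.0.5"));
        System.out.println(check.sslTerminated("10.0.0.5", Map.of("x-forwarded-proto", "https")));
        System.out.println(check.sslTerminated("10.0.0.5", Map.of("X-Forwarded-SSL", "on")));
        System.out.println(check.sslTerminated("10.0.0.5", Map.of("X-Forwarded-Proto", "http")));
        System.out.println(check.sslTerminated("203.0.113.9", Map.of("X-Forwarded-SSL", "on")));
    }
}
```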