Posted to issues@fineract.apache.org by "Michael Vorburger (Jira)" <ji...@apache.org> on 2020/05/02 14:28:00 UTC

[jira] [Commented] (FINERACT-914) Fineract does too many HTTP redirects if running behind HTTPS SSL Proxy

    [ https://issues.apache.org/jira/browse/FINERACT-914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17097986#comment-17097986 ] 

Michael Vorburger commented on FINERACT-914:
--------------------------------------------

Hm, reading the latest Spring Boot doc §9.3.12. about this on [https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-behind-a-proxy-server] and [https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#filters-forwarded-headers] as well as [https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-enable-https] mentions other HTTP Headers such as {{Forwarded}} and {{X-Forwarded-Host}}, {{X-Forwarded-Port}}, {{X-Forwarded-Ssl}}, and {{X-Forwarded-Prefix}} in addition to the initially mentioned {{X-Forwarded-For}} and {{X-Forwarded-Proto}}.

It seems we may have to set some custom {{application.properties}} for this to work? This appears to depend on, and over the years to have changed with, different Spring versions... the 1.5.16 doc mentions a server.use-forward-headers, whereas the (current) 2.2.6 mentions the {{server.forward-headers-strategy}} as well as a {{ForwardedHeaderFilter}} class. Because we, until we finally manage to solve FINERACT-730, use a standalone Tomcat and not one Spring can embed, I suspect we'll need that filter, not the properties? .. I'll play with this and see if any of those help...

> Fineract does too many HTTP redirects if running behind HTTPS SSL Proxy
> -----------------------------------------------------------------------
>
>                 Key: FINERACT-914
>                 URL: https://issues.apache.org/jira/browse/FINERACT-914
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Michael Vorburger
>            Assignee: Michael Vorburger
>            Priority: Major
>
> Fineract enforces being used by an HTTPS URL (e.g. on 8443), and redirects any HTTP requests (e.g. on 8080) to HTTPS, using HTTP/1.1 302 Found. This is a good out of the box default best practice for security. 
> However, in certain deployment scenarios, one wishes to use Fineract and let something else than the Tomcat running the Fineract Java code do SSL. As briefly described e.g. on https://en.wikipedia.org/wiki/TLS_termination_proxy, this is typically another web server (such as e.g. Apache or Nginx, or something like that) which is acting as SSL Proxy. In such environments, while an end-user still uses Fineract via HTTPS, Fineract must be able to handle HTTP (not HTTPS) requests received from the intermediate server without SSL and without redirecting. 
> I learnt in https://github.com/alfio-event/alf.io/issues/511#issuecomment-424015471 (and https://github.com/alfio-event/alf.io/issues/632) that such TLS termination proxies for SSL offloading typically set the {{X-Forwarded-For}} and {{X-Forwarded-Proto}} HTTP headers, as documented e.g. on https://docs.spring.io/spring-boot/docs/1.5.16.RELEASE/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server.
> But this does not work in Fineract today. This can be seen e.g. when running Fineract on a Cloud Provider which offers its own SSL Termination, such as e.g. on (my) https://www.fineract.dev, which today is broken because of this problem. (It should probably also be possible to somehow locally reproduce this by installing and appropriately configuring an SSL proxy.)



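The redirect loop described in the issue, and why honoring X-Forwarded-Proto must be limited to a trusted proxy, modelled as an added Python example (this is not Fineract, Tomcat or Spring code; the proxy address range, hostname, client address and path are constructed):

```python
from ipaddress import ip_address, ip_network

# Constructed values: the TLS-terminating proxy's address range and the
# public hostname end users type into the browser.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
HOST = "fineract.example"


def effective_scheme(request, honor_forwarded):
    """Scheme the application should assume the end user used.
    Without the fix it is what Tomcat saw on the wire ("http" behind an
    SSL proxy).  With the fix, X-Forwarded-Proto is honored, but only when
    the request comes from a trusted proxy: a direct client could
    otherwise claim "https" and bypass the HTTPS-only enforcement."""
    from_proxy = any(ip_address(request["remote_addr"]) in net for net in TRUSTED_PROXIES)
    if honor_forwarded and from_proxy:
        return request["headers"].get("X-Forwarded-Proto", request["scheme"]).lower()
    return request["scheme"]


def handle(request, honor_forwarded):
    """Fineract-style enforcement: 302 any request that is not HTTPS."""
    if effective_scheme(request, honor_forwarded) != "https":
        return {"status": 302, "location": "https://" + request["headers"]["Host"] + request["path"]}
    return {"status": 200}


def hops_via_proxy(honor_forwarded, max_hops=5):
    """Browser -> HTTPS proxy -> plain HTTP to the app.  Returns the number
    of round trips until a 200, or None when the redirects never end."""
    path = "/example"
    for hop in range(1, max_hops + 1):
        forwarded = {"scheme": "http", "remote_addr": "10.0.0.5", "path": path,
                     "headers": {"Host": HOST, "X-Forwarded-Proto": "https"}}
        resp = handle(forwarded, honor_forwarded)
        if resp["status"] == 200:
            return hop
        # The browser follows the 302 to the same https URL; the proxy again
        # terminates TLS and forwards plain http, so the next hop is identical.
        assert resp["location"] == "https://" + HOST + path
    return None


def spoofed_direct_request(honor_forwarded):
    """A plain-HTTP client that is not the proxy forges the header."""
    req = {"scheme": "http", "remote_addr": "203.0.113.7", "path": "/",
           "headers": {"Host": HOST, "X-Forwarded-Proto": "https"}}
    return handle(req, honor_forwarded)["status"]
```

Real deployments get the same trusted-proxy restriction from Tomcat's RemoteIpValve internalProxies setting or Spring's forwarded-headers handling, rather than from hand-written checks like these.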
--
This message was sent by Atlassian Jira
(v8.3.4#803005)