Posted to issues@fineract.apache.org by "Michael Vorburger (Jira)" <ji...@apache.org> on 2020/05/02 22:06:00 UTC

[jira] [Updated] (FINERACT-914) Fineract does too many HTTP redirects if running behind HTTPS SSL Proxy

     [ https://issues.apache.org/jira/browse/FINERACT-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Vorburger updated FINERACT-914:
---------------------------------------
    Fix Version/s: 1.4.0

> Fineract does too many HTTP redirects if running behind HTTPS SSL Proxy
> -----------------------------------------------------------------------
>
>                 Key: FINERACT-914
>                 URL: https://issues.apache.org/jira/browse/FINERACT-914
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Michael Vorburger
>            Assignee: Michael Vorburger
>            Priority: Major
>             Fix For: 1.4.0
>
>
> Fineract enforces being used by an HTTPS URL (e.g. on 8443), and redirects any HTTP requests (e.g. on 8080) to HTTPS, using HTTP/1.1 302 Found. This is a good out-of-the-box default best practice for security.
> However, in certain deployment scenarios, one wishes to use Fineract and let something other than the Tomcat running the Fineract Java code do SSL. As briefly described e.g. on https://en.wikipedia.org/wiki/TLS_termination_proxy, this is typically another web server (such as e.g. Apache or Nginx, or something similar) which is acting as SSL Proxy. In such environments, while an end-user still uses Fineract via HTTPS, Fineract must be able to handle HTTP (not HTTPS) requests received from the intermediate server without SSL and without redirecting.
> I learnt in https://github.com/alfio-event/alf.io/issues/511#issuecomment-424015471 (and https://github.com/alfio-event/alf.io/issues/632) that such TLS termination proxies for SSL offloading typically set the {{X-Forwarded-For}} and {{X-Forwarded-Proto}} HTTP headers, as documented e.g. on https://docs.spring.io/spring-boot/docs/1.5.16.RELEASE/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server.
> But this does not work in Fineract today. This can be seen e.g. when running Fineract on a Cloud Provider which offers its own SSL Termination, such as e.g. on (my) https://www.fineract.dev, which today is broken because of this problem. (It should probably also be possible to somehow locally reproduce this by installing and appropriately configuring an SSL proxy.)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
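The issue above describes honoring the X-Forwarded-For and X-Forwarded-Proto headers set by a TLS termination proxy so that the application stops redirecting to HTTPS. The security-relevant caveat is that these headers are only trustworthy when the request actually arrived from a known proxy; if any client can claim "https", the redirect becomes trivially bypassable. The following is an added example, not Fineract's code and not Tomcat's RemoteIpValve, that shows the decision logic in Python: forwarded headers are honored only when the direct peer is in a configured trusted-proxy list (the list, the sample addresses and the sample headers are all constructed here).

```python
import ipaddress
from typing import List, Mapping, Sequence, Tuple

Network = ipaddress._BaseNetwork


def _parse_networks(trusted_proxies: Sequence[str]) -> List[Network]:
    """Turn CIDR strings (constructed operator configuration) into network objects."""
    return [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]


def _is_trusted(addr: str, trusted: Sequence[Network]) -> bool:
    """True if addr lies inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # unparseable hop is never trusted
    return any(ip in net for net in trusted)


def resolve_request(remote_addr: str, headers: Mapping[str, str],
                    trusted_proxies: Sequence[str]) -> Tuple[str, str]:
    """Return (effective_scheme, client_ip) for one incoming request.

    remote_addr is the TCP peer the application server actually accepted the
    connection from. Forwarded headers are honored only if that peer is a
    configured proxy; otherwise they are ignored, which defeats spoofing by
    a direct client.
    """
    trusted = _parse_networks(trusted_proxies)
    if not _is_trusted(remote_addr, trusted):
        # Direct client (or unknown proxy): the connection itself is plain HTTP,
        # whatever the headers claim.
        return "http", remote_addr

    hdr = {k.lower(): v for k, v in headers.items()}

    # Walk X-Forwarded-For from right to left. Each hop appended by a trusted
    # proxy is skipped; the first untrusted address is the real client. If
    # every hop is trusted, the leftmost one is reported.
    client_ip = remote_addr
    hops = [h.strip() for h in hdr.get("x-forwarded-for", "").split(",") if h.strip()]
    while hops:
        client_ip = hops.pop()
        if not _is_trusted(client_ip, trusted):
            break

    # X-Forwarded-Proto may also be a list when several proxies are chained;
    # the leftmost value is the scheme the end user used.
    proto = hdr.get("x-forwarded-proto", "http").split(",")[0].strip().lower()
    scheme = "https" if proto == "https" else "http"
    return scheme, client_ip


def needs_https_redirect(remote_addr: str, headers: Mapping[str, str],
                         trusted_proxies: Sequence[str]) -> bool:
    """Mirror of the 302-to-HTTPS rule: redirect unless the effective scheme is https."""
    scheme, _ = resolve_request(remote_addr, headers, trusted_proxies)
    return scheme != "https"


if __name__ == "__main__":
    # Constructed sample traffic: the proxy tier lives in 10.0.0.0/8.
    TRUSTED = ["10.0.0.0/8"]
    via_proxy = {"X-Forwarded-For": "203.0.113.5", "X-Forwarded-Proto": "https"}
    print("via proxy      ->", resolve_request("10.0.0.2", via_proxy, TRUSTED),
          "redirect:", needs_https_redirect("10.0.0.2", via_proxy, TRUSTED))
    print("direct, spoofed->", resolve_request("203.0.113.5", via_proxy, TRUSTED),
          "redirect:", needs_https_redirect("203.0.113.5", via_proxy, TRUSTED))
    # Weak setting: trusting every peer lets the spoofed header win.
    print("trust-all      -> redirect:",
          needs_https_redirect("203.0.113.5", via_proxy, ["0.0.0.0/0"]))
```

The last line of the demo shows the weak configuration: with every address trusted, a direct client sending its own X-Forwarded-Proto: https header is no longer redirected, which is why a trusted-proxy list (or the equivalent internal-proxies setting of the real valve) belongs in any deployment that enables forwarded-header handling.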