I can browse my site like http ://xxx.xxx:9080/app_name
Actually, I want to type http ://xxx.xxx/app_name, and it forward to https ://xxx.xxx:9443/app_name
Thanks in advance.
Now browse http ://xxx.xxx/app_name is ok , but I still cannot route http ://xxx.xxx/app_name to https ://xxx.xxx:9443/app_name. Now I can directly type https ://xxx.xxx:9443/app_name to browse, but I want to from http ://xxx.xxx/app_name route to https ://xxx.xxx:9443/app_name
Check this link for longer discussion Websphere: security-constraint in web.xml is not enforced, but in short you need to add the following to your web.xml to make WAS redirect to Https:
<security-constraint>
<display-name>allApp</display-name>
<web-resource-collection>
<web-resource-name>allresources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
UPDATE
Update based on comment.
If you want redirection from http://xxx.xxx/app_name to https://xxx.xxx:9443/app_name you need to change default http port in WAS from 9080 to 80 in addition to web.xml changes. In that case all your apps will be available on WAS without the 9080 port e.g. http://xxx.xxx/app_name http://xxx.xxx/app_nameN.
In the web admin console go to Servers > WebSphere Application Servers > server1 , then in the right section look for Ports link. Click and change the WC_defaulthost from 9080 to 80. Save and restart the server. (make sure that 80 port is free and available before making this change).
Related
I have a spring boot application which works over http.I do not want to touch the application - so no keystore etc. I want to use reverse proxy - i.e. the request will land at some other machine over TLS and
will get redirected to my spring boot application over secure socket layer. How it could be done?
Edit: When I try to login to that site, developer tool console tells me:
"Mixed Content: The page at 'https://xxxx-uat.xxxx.com:4200/login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://151.253.73.106:9091/login'. This request has been blocked; the content must be served over HTTPS."
Nginx reverse proxy is being used.
Best way to do it is to use cloudflare. Cloudflare is free for basic use. You can create a new site, point to your HTTP URL and configure SSL as flexible. So, now your service is behind https. Cloudflare will act as proxy. Request will go to cloudflare via https, then it will be routed to your http.
INFORMATION NEEDED:
I use Keycloak (Docker version) behind a Spring project.
(The client side of this project is React and communication between client and backend is provided by REST services.)
The client side is secured and using "https" scheme.
It is my Spring configuration:
keycloak:
auth-server-url: https://sso-ssoha.b9ad.pro-us-east-1.openshiftapps.com/auth
realm: master
resource: clientname
public-client: true
THE ROOT OF THE PROBLEM:
When I click a link from client, it calls a Spring service normally.
But before that, it redirects to default login page of Keycloak with adding this path sso/login to the current "https" url but changing scheme to "http".
But, redirecting from https to http create a problem like this:
Mixed Content: The page at 'https://www.helpful.army/contents/Problem' was loaded over HTTPS, but requested an insecure resource 'http://serviceha-helpfularmy.b9ad.pro-us-east-1.openshiftapps.com/sso/login'. This request has been blocked; the content must be served over HTTPS.
it seems that we need let keycloak web server aware of we are using proxy, https://serverfault.com/questions/1000567/keycloak-blank-page-behind-nginx-reverse-proxy, after set PROXY_ADDRESS_FORWARDING variable, it works.
I have solved this problem and similar ones with these steps:
(1) Frontend side:
You know, www.helpful.army is an educational project which has an interface running on React and it is in NGINX server.
So, I appended the default NGINX server config with mandatory headers:
location / {
try_files $uri /index.html;
proxy_set_header X-Forwarded-Proto $scheme;
**add_header Access-Control-Allow-Origin *;**
}
(2) Backend side:
I have created a different client on Keycloak just for the Spring-Boot backend and set is as a "Bearer-only" one.
keycloak:
auth-server-url: https://sso-ssoha.b9ad.pro-us-east-1.openshiftapps.com/auth
realm: master
resource: serviceha
bearer-only: true
ssl-required: "external"
confidential-port: 0
verify-token-audience: true
I also add this configuration for application.yml:
server:
port: 8443
remote_ip_header: x-forwarded-for
protocol_header: x-forwarded-proto
use-forward-headers: true
(3) I have changed all ports from interface to backend as 8443
I had the same problem when I migrated to Keycloak X. Starting from Keycloak 17, there is no setting for PROXY_ADDRESS_FORWARDING.
For me setting the proxy=passthrough helped.Check https://www.keycloak.org/server/all-config for more details.
In newer version of keycloak you can configure the proxy setting with the value passthrough. In the case of docker, you want to pass the setting via the environement variable KC_PROXY=passthrough (keycloack config docs).
I'm trying to redirect all traffic hitting HTTP to HTTPS on my application. Nginx is handling generating keys and certificate signing requests.
HTTPS works perfectly when we type it in manually in the browser's address bar. So to force all HTTP requests to use HTTPS we are changing Spring configuration in various ways.
When adding the requires-channel="https" attribute to <intercept-url/> in our .xml we are getting a 302 redirect loop. We tried declaring the port mappings in a Spring config .xml as suggested in this SO answer but it made no difference to the redirect loop. HTTPS is looping on itself by looking at the network tab in chrome dev tools.
Any help/ideas are appreciated, thanks.
I have a problem with struts2 and redirect-action over https.
Basically the redirect response I get back from my https request has a non-secure location (i.e. http://...).
So that means the browser goes from a secure session to a non-secure session.
Any idea what could cause this?
Cheers,
Stuart.
The problem was not in Struts 2 although the solution posted by Umesh would also have worked.
The environment I was working in had the SSL connections terminated by a load balancer before it reached the Apache front end. This meant the AJP request to Tomcat appeared to be HTTP and the redirect URL in the response from the Struts redirect-action was written as HTTP.
The solution I chose was to write a separate connector in tomcat's server.xml for the HTTPS connections, specifying:
secure="true"
scheme="https"
proxyPort="443"
Struts 2 itself does not support SSL switching by default
If you are switching from HTTPS mode to HTTP and vice-versa my best bet is to use Struts2-ssl plugin.
This plugin will take care of the switching based on the method annotation or the configuration you have provides.
here are the details
Struts2-SSL plugin
I have a problem in request and responses in a Spring MVC application.
When I hit https://test.abc.com/AppName/security.do in a browser. response url is coming like https://test.abc.com:455/AppName/security.do
In Response Headers Content-Location: https://test.abc.com:455/AppName/security.do
Because of the port appended, application is not accessable. At what stage I can remove or redirect test.abc.com:445 to test.abc.com.
Application is hosted Oracle Server and uses Apache Webserver before that request will travel through content switch.
Thanks
Sunny
The solution is, I think, to set UseCanoncalName variable in Apache config to Off.