Develop Reference

Fronting Tomcat with Apache for Spring MVC ERR_TOO_MANY_REDIRECTS error

I have a Spring MVC (v4.3.1) Web application running on a Tomcat server(v8.5) which is fronted by an Apache(v2.4) application server being used as a reverse proxy.
I have SSL certificate installed on Apache so that it handles all secure(:443) and non-secure (:80) incoming requests and redirects them to the Tomcat instance.
I want to handle all communication as secured (SSL) with the outside world. But inside between Apache and Tomcat, it is not necessary to communicate through the secure port. That is why Apache redirects all HTTP requests to HTTPS
I also use Spring Security (v4) to handle all user authorization/authentication work, so I have even Register/Login/Logout, etc.
My current server architecture is shown below,
After giving the summary, the problem is,
Whenever I try to access my login page, I am getting ERR_TOO_MANY_REDIRECTS error from Chrome.
Moreover, when I access Tomcat Manager (http://myapp.net:8080/manager/html) and click on my application URL (/MyApp-1.0.0) then ** I can successfully view** my login page without https. (After clicking the application link deployed on tomcat, it opens page: http://myapp.net:8080/MyApp-1.0.0/login) I believe it shows that there is no problem when my web application is running on tomcat instance. They are good together. It suspects me that my problem starts from Apache with SSL.
Apache configuration for virtual hosts:
Listen 80
Listen 443
<VirtualHost *:80>
ServerAdmin emrecaglar#gmail.com
ServerName myapp.net
ServerAlias www.myapp.net
Redirect / https://www.myapp.net/
</VirtualHost>
<VirtualHost *:443>
ServerName myapp.net
ServerAlias www.myapp.net
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/MyApp-1.0.0/
ProxyPassReverse / http://127.0.0.1:8080/MyApp-1.0.0/
SSLEngine on
SSLCertificateFile /root/WWW.myapp.NET.crt
SSLCertificateKeyFile /root/www.myapp.net.key
SSLCertificateChainFile /root/dv_chain.txt
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I dont want to use rewrite rules unless it is critical. I want to handle with Redirect.
Tomcat server.xml configuration :
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
There is no connector defined for :8443 as I dont want Tomcat to run on a secure port. Tomcat will communicate only with Apache server.
Spring Security configuration:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/static/**").permitAll()
.antMatchers("/register*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error=true")
.defaultSuccessUrl("/view/home")
.permitAll()
.and()
.logout().logoutUrl("/logout").logoutSuccessUrl("/login?
logout").invalidateHttpSession(true).deleteCookies("auth_code",
"JSESSIONID").permitAll();
}
}
I have also read some posts about permitAll(), and anonymous() is different, so permitAll() might even trigger a redirect loop so for login page it should be anonymous() however I couldn't validate it. I believe it also needs additional role from spring security perspective.
My Spring Controllers:
#RequestMapping(value = "/", method = RequestMethod.GET)
public String homePage(Principal principal) {
/**
* Initialize session user if not initialized
*/
return "redirect:/view/home";
}
another:
#Controller
#RequestMapping(value = "/view")
public class ViewController
{
#RequestMapping(value = "/home")
public String getHomePage(Model model, Principal principal)
{
//some logic
return "home";
}
}
Web MVC config for login:
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
I have related view resolvers and views (home.jsp, login.jsp)
Chrome Developer console debug outputs for redirects
General
Request URL: http://www.myapp.net/MyApp-1.0.0/login
Request Method: GET
Status Code: 302 Found
Remote Address: 207.154.208.158:80
Referrer Policy: no-referrer-when-downgrade
Response Header
HTTP/1.1 302 Found
Date: Sat, 17 Nov 2018 08:40:04 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://www.myapp.net/MyApp-1.0.0/login
Content-Length: 314
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Request Header
Content-Type: text/html; charset=iso-8859-1
GET /MyApp-1.0.0/login HTTP/1.1
Host: www.myapp.net
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=8A4E001A841DBC4D55509605FF3E7E23
General
Request URL: https://www.myapp.net/MyApp-1.0.0/login
Request Method: GET
Status Code: 302
Remote Address: 207.154.208.158:443
Referrer Policy: no-referrer-when-downgrade
Response Header
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Date: Sat, 17 Nov 2018 08:40:04 GMT
Expires: 0
Keep-Alive: timeout=5, max=92
Location: http://www.myapp.net/MyApp-1.0.0/login
Pragma: no-cache
Server: Apache/2.4.18 (Ubuntu)
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Request Header
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Cookie: JSESSIONID=8A4E001A841DBC4D55509605FF3E7E23
Host: www.myapp.net
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Requests loop between these two requests from HTTPS to HTTP and HTPPS again
Apache access.log
67.171.8.29 - - [17/Nov/2018:08:41:59 +0000] "GET /MyApp-1.0.0/login HTTP/1.1" 302 429 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
Apache error.log
[Sat Nov 17 08:37:59.376633 2018] [mpm_event:notice] [pid 20673:tid 140534533293952] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41 OpenSSL/1.0.2g configured -- resuming normal operations
[Sat Nov 17 08:37:59.376707 2018] [core:notice] [pid 20673:tid 140534533293952] AH00094: Command line: '/usr/sbin/apache2'
As you can see, i dont have any SSL related code / config for my spring mvs application and tomcat. They dont need to be aware of that as i want apache be only responsible for SSL and handling https requests and directing to Tomcat.
What i am missing here so that i am causing a redirection loop?
Thanks

Firefox websocket opening handshake

I am writing a very basic websocket server. This works in Google Chrome but not in Firefox (v46.0.1). The error message in Firefox is not very helpful either.
Firefox can't establish a connection to the server at
ws://localhost:9000/.
This is the Opening handshake from firefox.
GET / HTTP/1.1
Host: localhost:9000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Sec-WebSocket-Version: 13
Origin: null
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: ZfChFbbco7cR0jrAliH+LQ==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
This is my server's opening handshake response.
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Accept: <accept-key>
Is the server's opening response not enough for Firefox?

Crossbar caddy reverse proxy

How could I set a reverse proxy with caddy that speak with a crossbar router?
I have a docker with a crossbar router that listen on localhost 8080, and I use caddy as a reverse proxy.
Below the Caddyfile:
`0.0.0.0:80
proxy /ws localhost:8080{
proxy_header Connection {>Connection}
proxy_heade Upgrade {>Upgrade}
}
header /ws {
Upgrade "WebSoket"
Connection "Upgrade"
}`
'tcpflow 8080' return nothing when I try to connect.
Below the header from chrome:
RESPONSE
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Sec-Websocket-Accept: r/PdCQJibmcb5XrfVbnSXJMuf9g=
Sec-Websocket-Protocol: wamp.2.json
Server: Caddy
Server: Crossbar/0.11.1
Upgrade: WebSocket
X-Powered-By: AutobahnPython/0.10.9
Date: Tue, 09 Feb 2016 14:12:04 GMT
REQUEST
GET ws://78.46.244.23/ws HTTP/1.1
Host: 78.46.244.23
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: chrome://newtab
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTM
like Gecko) Chrome/48.0.2564.103 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Sec-WebSocket-Key: OaEUxWnqjZWyfLypeYxeXw==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Protocol: wamp.2.json
Below the frame:
[1,"realm1",{"roles":{"caller":{"features":{"caller_identification":true,"progressive_call_results":true}},"callee":{"features":{"progressive_call_results":true}},"publisher":{"features":{"subscriber_blackwhite_listing":true,"publisher_exclusion":true,"publisher_identification":true}},"subscriber":{"features":{"publisher_identification":true}}}}]
And the console error:
WebSocket connection to 'ws://78.46.244.23/ws' failed: Invalid frame header

you have a typo in your Caddyfile:
Upgrade "WebSoket"

302 Found Response for google.com

I have a Java program which forwards the HTTP request from clients to INTERNET and write back the response to client. But when clients trying Google.com from their browser i am getting 302 found Response from Internet.
Here is the Request from client :
GET http://google.com/ HTTP/1.1
Host: google.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36 OPR/28.0.1750.51
DNT: 1
Accept-Encoding: gzip, deflate, lzma, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PREF=ID=0168c274e46046ff:FF=0:LD=en:TM=1427909641:LM=1428321915:GM=1:S=HGTpo1ahuPUd4Nu2; SID=DQAAAPgAAACOH1NUVCRnVJfjL-W4MtbTmqx9yY1Wbra4LM7D8_uslXU_43zD4QrZl4eHqBuukNoKFw0gD68Vt7DltSgBrOoVRufDgeLImP8321g2-IxjmtqwjJoI9sSM3YEwC5ZvnTNyrwuHhBp-zZqImsaHshVmvt8GEV1WDFHs4OZ74g219CeKYztHKjsQLDS_yZ725qsIKWjvbb_NlnO5IqktZ0Q6JXIMRPzshZQvoq7ZiwH9RfiIASpHIiFC1XDwrMZDcbONpKCke2QxZtmxSPfUHXuBx53bJOZFHUrcAJAvihBAXoFwZHUr2beVtRuLe1w8blbt6AGTy9dT9gZ9nVjeSHzK; HSID=Aso16-EnwP4siCr5Q; APISID=DIHL_mSdprkZSELD/AjGWXXsjCWUT9FEuy; NID=67=DGyWJrkoHYqgDmpEMmQVlnzZQLlwGNTxbAZ8--PQeTPlZ4SbL3AbFNP40h0NOI3ztb_6SkDTHwGJonmESsToDR6Vkmur0VST-6k34xVvQM9FQH_PaoMrK8O6kT0Avd8FIITl7G7ERJbvbwWIsCuhIwZOR2cj2r6aCmnM27A
This is the Response i got :
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.co.in/?gfe_rd=cr&ei=Uhw7Vbe6H_PI8Ae_qICIBA
Content-Length: 261
Date: Sat, 25 Apr 2015 04:47:14 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=1
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
here.
</BODY></HTML>
Is this because Google using HTTPS instead of HTTP. and it is trying to redirect the request...?
But how i should process this reply?
I send the same response to client. But no redirection is happening,
What should i do?

From the Location header in the Http Response, seems that Google detected that the call came from India and it's redirecting the call to Google India i.e. http://www.google.co.in/?gfe_rd=cr&ei=Uhw7Vbe6H_PI8Ae_qICIBA.
When you get a 302 response your client should react properly and follow the call to the Location header.

Sometimes it is an issue about ipv6 transaction against ipv4.
Try disable ipv6 in your server and reboot with:
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf

Https doesn't load some resources

I have problem using https for the website I'm working on. I'm using spring Security.
Everything work fine in http but when I use https one of my css file is not loaded, and some js file too.
My css file a liked like this
<link type="text/css" rel="stylesheet" href="common/css/gestion_donnees_ref.css>
so this is my request
GET /triWebapp/common/css/donnees_ref.css HTTP/1.1
Host: 10.24.192.169:444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/css,*/*;q=0.1
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://10.24.192.169:444/triWebapp/gestionDonneesReference
Cookie: JSESSIONID=eYvbCpcb2NNY4zvWtah3Rfhp
Connection: keep-alive
and the response
HTTP/1.1 302 Found
Date: Mon, 24 Nov 2014 15:43:08 GMT
Server: Apache
Location: http://tipi.hd.prod.me.edf.fr/triWebapp/common/css/donnees_ref.css
Content-Length: 250
Connection: close
Content-Type: text/html; charset=iso-8859-1
it seems that the conent type is wrong here but I don't know why.