Java 通过https提供某些URL和通过http提供rest时的无限循环
我正试图让我的spring应用程序在Nginx后面工作。SSL在nginx端终止。来自nginx的所有请求都通过8080端口发送到Tomcat。/profil/中的Url必须通过ssl安全,rest Url不应安全。我决定使用“proxy\u set\u header X-Forwarded-Proto”通知我的应用程序有关协议的信息。在应用程序方面,我创建了自定义的Java 通过https提供某些URL和通过http提供rest时的无限循环,java,spring,ssl,nginx,tomcat7,Java,Spring,Ssl,Nginx,Tomcat7,我正试图让我的spring应用程序在Nginx后面工作。SSL在nginx端终止。来自nginx的所有请求都通过8080端口发送到Tomcat。/profil/中的Url必须通过ssl安全,rest Url不应安全。我决定使用“proxy\u set\u header X-Forwarded-Proto”通知我的应用程序有关协议的信息。在应用程序方面,我创建了自定义的通道处理器,就像这里一样 问题是当我想从https://some.domain.com/profil/至主页https://som
通道处理器
,就像这里一样
问题是当我想从https://some.domain.com/profil/
至主页https://some.domain.com
,然后我得到无限循环。应该有301重定向到http://some.domain.com
。看起来我的应用程序无法跳出https。你知道怎么解决这个问题吗
编辑(添加日志控制台)
nginx配置:
# HTTPS server
#
server {
listen 443;
server_name some.domain.com;
root /srv/www/;
ssl on;
ssl_certificate /etc/nginx/ssl/server.cer;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:8080/;
}
}
server {
listen 80;
server_name some.domain.com;
root /srv/www/;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_pass http://127.0.0.1:8080/;
}
}
Tomcat server.xml
<Server port="8005" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
proxyName="some.domain.com"
redirectPort="8443"
URIEncoding="UTF-8" />
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>
</Host>
</Engine>
</Service>
</Server>
LoadBalancerHack配置类
@Configuration
public class LoadBalancerHack implements BeanPostProcessor {
final static Logger LOGGER = Logger.getLogger(LoadBalancerHack.class);
@Autowired
SecureChannelProcessorHack secureChannelProcessorHack;
@Autowired
InsecureChannelProcessorHack insecureChannelProcessorHack;
@Value("#{'${behind.loadbalancer}'}")
boolean behindLoadBalancer;
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
return bean;
}
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
if (behindLoadBalancer && bean instanceof ChannelDecisionManagerImpl) {
LOGGER.info("********* Post-processing " + beanName);
((ChannelDecisionManagerImpl) bean).setChannelProcessors(newArrayList(
insecureChannelProcessorHack,
secureChannelProcessorHack
));
}
return bean;
}
}
不安全的ChannelProcessorHack类
@Component
public class InsecureChannelProcessorHack extends InsecureChannelProcessor {
@Override
public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
for (ConfigAttribute attribute : config) {
if (supports(attribute)) {
if ("https".equals(invocation.getHttpRequest().getHeader("X-Forwarded-Proto"))) {
getEntryPoint().commence(invocation.getRequest(),
invocation.getResponse());
}
}
}
}
}
@Component
public class SecureChannelProcessorHack extends SecureChannelProcessor {
@Override
public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
for (ConfigAttribute attribute : config) {
if (supports(attribute)) {
if ("http".equals(invocation.getHttpRequest().getHeader("X-Forwarded-Proto"))) {
getEntryPoint().commence(invocation.getRequest(),
invocation.getResponse());
}
}
}
}
}
@组件
公共类UnsecureChannelProcessorHack扩展了UnsecureChannelProcessor{
@凌驾
public void decise(FilterInvocation调用、集合配置)抛出IOException、ServletException{
for(ConfigAttribute:config){
if(支持(属性)){
if(“https”.equals(invocation.getHttpRequest().getHeader(“X-Forwarded-Proto”)){
getEntryPoint().Start(调用.getRequest(),
getResponse());
}
}
}
}
}
SecureChannelProcessorHack类
@Component
public class InsecureChannelProcessorHack extends InsecureChannelProcessor {
@Override
public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
for (ConfigAttribute attribute : config) {
if (supports(attribute)) {
if ("https".equals(invocation.getHttpRequest().getHeader("X-Forwarded-Proto"))) {
getEntryPoint().commence(invocation.getRequest(),
invocation.getResponse());
}
}
}
}
}
@Component
public class SecureChannelProcessorHack extends SecureChannelProcessor {
@Override
public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
for (ConfigAttribute attribute : config) {
if (supports(attribute)) {
if ("http".equals(invocation.getHttpRequest().getHeader("X-Forwarded-Proto"))) {
getEntryPoint().commence(invocation.getRequest(),
invocation.getResponse());
}
}
}
}
}
@组件
公共类SecureChannelProcessorHack扩展SecureChannelProcessor{
@凌驾
public void decise(FilterInvocation调用、集合配置)抛出IOException、ServletException{
for(ConfigAttribute:config){
if(支持(属性)){
if(“http”.equals(invocation.getHttpRequest().getHeader(“X-Forwarded-Proto”)){
getEntryPoint().Start(调用.getRequest(),
getResponse());
}
}
}
}
}
您的nginx配置正在侦听443,而您的tomcats server.xml在8443配置为https…端口80和8080也是如此。首先更改它们,@WeareBorg否不是,唯一的参考是redirectPort=“8443”
,它不是绑定到的端口,只有当需要批准的安全要求时容器将重定向到的端口。TC配置中的8080端口上只有一个HTTP服务器。好吧,我可能错了,对nginx没什么概念,我刚才看到了,所以指出…:-)我自己会考虑使用AJP(而不是HTTP)的nginx的TC,这应该更易于配置。如果需要,也可以保留HTTP。这样就不需要用额外的头传递丢失的信息。所有这些都可以工作,甚至HTTPS信息。
部分中是否需要proxyPort=“443”scheme=“HTTPS”
属性?而且。。。但是对于nginx和TC之间的内部协议,确实使用AJP而不是HTTP:)