Spring Boot needs to redirect to HTTPS behind an F5 BigIP SSL proxy, but listen on HTTP
Tags: spring-boot, ssl, spring-security, f5
How can the login page of a Spring Boot application keep listening on port 80 (HTTP) but send its 302 redirect to port 443 (HTTPS)? I need this because my application sits behind an F5 BigIP proxy that terminates the SSL certificate and sends plain HTTP requests to my application. Currently I see this behaviour. This is the current, broken flow:
1. Client request
2. F5 BigIP translates it to (HTTP) myapp.example.com
3. My Spring Boot application redirects to (HTTP) myapp.example.com/login as a 302 instruction to the client
4. Client requ…
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
server.tomcat.internal-proxies=x\.x\.x\.x|x\.x\.x\.x
(I tested without this parameter as well.)
By the way: forcing HTTPS with http.requiresChannel().anyRequest().requiresSecure(); does not work in this case, because I need the second request, which comes from the F5 BigIP over HTTP, to work; with this setting the whole redirect process loops.
I need to configure my application to redirect the client request coming from the BigIP proxy to
so that the F5 BigIP accepts it.
Here is the result of the curl request:
curl -L -b -vk --url --verbose -vs > curl-output.txt 2>&1
STATE: INIT => CONNECT handle 0x440f160; line 1392 (connection #-5000)
* Rebuilt URL to: https://myApp.example.com/
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x440f160; line 1428 (connection #0)
* Trying XXX.XX.XX.XXX...
…
* SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x440f160; line 1596 (connection #0)
} [5 bytes data]
> GET / HTTP/1.1
> Host: myApp.example.com
> User-Agent: curl/7.58.0
> Accept: */*
…
< HTTP/1.1 302
…
< X-XSS-Protection: 1; mode=block
* Added cookie JSESSIONID="4CE1A6F2AB684C6E01774E5289AF2AC0" for domain myApp.example.com, path /, expire 0
< Set-Cookie: JSESSIONID=4CE1A6F2AB684C6E01774E5289AF2AC0;path=/;HttpOnly
< Location: http://myApp.example.com/login <- this needs to be HTTPS
< Date: Wed, 09 May 2018 22:30:36 GMT
…
* Connection #0 to host myApp.example.com left intact
* Issue another request to this URL: 'http://myApp.example.com/login' <- this needs to be HTTPS
* STATE: PERFORM => CONNECT handle 0x440f160; line 1949 (connection #-5000)
* Added connection 1. The cache now contains 2 members
* STATE: CONNECT => WAITRESOLVE handle 0x440f160; line 1428 (connection #1)
* Trying XXX.XX.XX.XXX...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x440f160; line 1509 (connection #1)
* connect to XXX.XX.XX.XXX port 80 failed: Connection refused
* Failed to connect to myApp.example.com port 80: Connection refused <= Not the result we want
* Closing connection 1
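The three Tomcat properties above only change the scheme the application sees when two conditions hold: the direct peer address of the request (the F5) fully matches server.tomcat.internal-proxies, and that peer actually sends X-Forwarded-Proto: https. The following Python model of that decision is an added illustration, not the asker's code nor Tomcat or Spring Boot source; the addresses 203.0.113.10, 10.0.0.5 and 198.51.100.7 and the host myapp.example.com are constructed values, and the default pattern shown is only the IPv4 part of Tomcat's built-in internal-proxies list.

```python
import re
from urllib.parse import urlunsplit

# Constructed model of the decision Tomcat's RemoteIpValve makes when
# server.tomcat.protocol-header / internal-proxies are set. Illustration only,
# not Tomcat or Spring Boot source: trusted proxies, X-Forwarded-Port and the
# IPv6 loopback entries of the real valve are left out.
# IPv4 part of the valve's default internal-proxies pattern (private ranges).
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}"
)


def effective_scheme(remote_addr, headers,
                     internal_proxies=DEFAULT_INTERNAL_PROXIES,
                     protocol_header="x-forwarded-proto"):
    """Scheme the container reports to the application.

    The protocol header is honoured only when the direct peer (remote_addr)
    fully matches the internal-proxies pattern AND the header value is
    'https'; otherwise the request stays plain http, which is exactly what
    yields the http:// Location in the 302 of the curl trace."""
    if not re.fullmatch(internal_proxies, remote_addr):
        return "http"  # peer is not a recognised proxy: header is ignored
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(protocol_header.lower(), "")
    return "https" if value.strip().lower() == "https" else "http"


def login_redirect(remote_addr, headers, host="myapp.example.com", **valve):
    """Location the login redirect would carry, built from the reported
    scheme (the application itself never sees the TLS the F5 terminated)."""
    scheme = effective_scheme(remote_addr, headers, **valve)
    return urlunsplit((scheme, host, "/login", "", ""))


if __name__ == "__main__":
    f5_public = "203.0.113.10"  # constructed: F5 on a non-private address
    hdr = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "198.51.100.7"}
    # F5 not in internal-proxies: header ignored -> http://myapp.example.com/login
    print(login_redirect(f5_public, hdr))
    # F5 address listed explicitly -> https://myapp.example.com/login
    print(login_redirect(f5_public, hdr, internal_proxies=r"203\.0\.113\.10"))
    # F5 on a private address but sending no header -> http://myapp.example.com/login
    print(login_redirect("10.0.0.5", {}))
```

The two things to confirm on the F5 side are therefore that it inserts X-Forwarded-Proto: https on the forwarded request and that the source address it uses is the one server.tomcat.internal-proxies matches; sending the header by hand in a request to port 80 from an address on that list shows whether the Location flips to https.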
Update from the asker: This was never resolved on the server side. The systems engineer responsible for the BigIP changed some configuration settings, and now it works the way they wanted it to. I have not yet asked how the BigIP configuration works. If possible, I will post something when I find out.

Comments:
Commenter: You say you want to do an HTTPS redirect, and then in step 3 you write: "My Spring Boot application redirects to (http) myapp.example.com/login as a 302 instruction sent to the client". So does your application put an HTTPS or an HTTP link in the Location header of the 302 redirect? You do not show the part of the code that generates the redirect. You need to fix the URL there.
Asker: Thanks for getting back so quickly. I added the snippet to the question.
Commenter: Does this (I don't use Spring Boot) really generate a 302 HTTP redirect with a Location header? It doesn't look like it, but again, I don't use Spring Boot.
Asker: Yes it does; you can see it in the curl trace.
Commenter: Yes, but the code is not very clear to me (again, not a Spring Boot user). So the redirect itself seems to be done by your framework and not by you, so you may need to learn more about the framework to convince it to do that, or do something that overrides it.