Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I force HTTPS for a Spring Boot app on Heroku?

Tags:

https

ssl

heroku

spring-boot

I tried using FORCE_HTTPS=true and SECURITY_REQUIRE_SSL=true as config variables, but neither works. I know that the former is supported by Cloud Foundry, but I've confirmed with Heroku that they do not support it. The SECURITY_REQUIRE_SSL property is supported by Spring Boot, but maybe only for basic auth?

like image 421
Matt Raible Avatar asked Dec 04 '22 21:12

Matt Raible

1 Answers

I was able to fix this by creating an HttpEnforcer filter:

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class HttpsEnforcer implements Filter {

    private FilterConfig filterConfig;

    public static final String X_FORWARDED_PROTO = "x-forwarded-proto";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (request.getHeader(X_FORWARDED_PROTO) != null) {
            if (request.getHeader(X_FORWARDED_PROTO).indexOf("https") != 0) {
                String pathInfo = (request.getPathInfo() != null) ? request.getPathInfo() : "";
                response.sendRedirect("https://" + request.getServerName() + pathInfo);
                return;
            }
        }

        filterChain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing
    }
}

And registering it in an existing @Configuration class.

@Bean
public Filter httpsEnforcerFilter(){
    return new HttpsEnforcer();
}

This is different from the solution I posted in the comments above because of the null check for pathInfo. Without this, it still works, but the Location does show up with null at the end.

$ curl -i http://www.21-points.com
HTTP/1.1 302 Found
Server: Cowboy
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Xss-Protection: 1; mode=block
Pragma: no-cache
Location: https://www.21-points.comnull
Date: Tue, 31 Oct 2017 14:33:26 GMT
X-Content-Type-Options: nosniff
Content-Length: 0
Via: 1.1 vegur
like image 120
Matt Raible Avatar answered Jan 04 '23 11:01

Matt Raible
Sign in to Comment

Related questions

Phpmailer using smtp with Gmail not working - connection timing out
How to config local Jetty ssl to avoid weak phermeral DH key error?
How to extract x509 in python
Git stopped working over SSL on Windows
How to know if an Azure Server is under TLS 1.2
SSL Certificate for multiple servers
javax.net.ssl.SSLException: hostname in certificate didn't match in Android
Java 6 ECDHE Cipher Suite Support
Jetty WebSocketClientSelectorManager - Connection Failed java.io.IOException: Cannot init SSL
MariaDB over SSL not working, "certificate verify failed"
adding AWS public certificate with NGINX
Is it OK to design and test a secure web app without SSL?
Wordpress Update problemDownload failed.: SSL certificate
What version of TLS is used in a .NET application installed on different operating systems
sequelize secure connection for azure mysql
Openssl TLS extension support configuration (Server Name Indication)
Does buildout/easy_install/setup_tools verify SSL certificates?
How can I test a URL is SSL secured
Okhttp3 - Accept all certificates and use a certificatePinner
How to use a CA (like curl's --cacert) with HTTPie

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!