Jetty secure session cookies when behind reverse proxy using HTTP

Question

I am using a reverse proxy (Apache) in front of Jetty 6. Users connect to Apache with SSL, and Apache forwards some of the requests to Jetty over plain HTTP. I want Jetty to use secure session cookies.

One would think this would be the first thing anyone does after installing Jetty - but I'm having a hard time getting it to work.

I set up Jetty to use secure cookies as described in another stackoverflow question. However, Jetty refuses to use secure cookies - I assume it is because the connection from the reverse proxy is not SSL.

I tried to convince Jetty it is working on a request that came over SSL following a description at sonatype.com. That is, I added the following in Apache:

RequestHeader set X-Forwarded-Scheme "https"

and in /etc/jetty/jetty.xml:

<Set name="handler">
  <New id="Handlers" class="org.mortbay.jetty.handler.rewrite.RewriteHandler">
    <Set name="rules">
      <Array type="org.mortbay.jetty.handler.rewrite.Rule">
        <Item>
          <New id="forwardedHttps"
               class="org.mortbay.jetty.handler.rewrite.ForwardedSchemeHeaderRule">
            <Set name="header">X-Forwarded-Scheme</Set>
            <Set name="headerValue">https</Set>
            <Set name="scheme">https</Set>
          </New>
        </Item>
      </Array>
    </Set>

    <Set name="handler">
      <New id="Handlers" class="org.mortbay.jetty.handler.HandlerCollection">
        <Set name="handlers">
          <Array type="org.mortbay.jetty.Handler">
            <Item>
              <New id="Contexts" class="org.mortbay.jetty.handler.ContextHandlerCollection"/>
            </Item>
            <Item>
              <New id="DefaultHandler" class="org.mortbay.jetty.handler.DefaultHandler"/>
            </Item>
            <Item>
              <New id="RequestLog" class="org.mortbay.jetty.handler.RequestLogHandler"/>
            </Item>
          </Array>
        </Set>
      </New>
    </Set>
  </New>
</Set>

Still no secure cookies. Any suggestions?

Answer 1

I could not get this to work with Jetty 6. After upgrading to Jetty 9 I got it working.

I changed this in /etc/jetty.xml. It was commented out and I uncommented it:

<!-- Uncomment to enable handling of X-Forwarded- style headers -->
 <Call name="addCustomizer">
  <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
</Call>

In the reverse proxy (now nginx) proxy_set_header X-Forwarded-Proto is used to tell Jetty whether the request was http or https:

location / {
  proxy_pass http://127.0.0.1:8080;
  proxy_pass_header Server;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto $scheme;
}

Finally, in the webapp's web.xml this enables secure and http-only session cookies:

<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
      version="3.0">

  <!-- filters and other stuff here -->

  <session-config>
    <session-timeout>120</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>