Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Boot with embedded Tomcat behind Apache proxy

We have a Spring Boot (Spring MVC) app with embedded Tomcat on a dedicated appserver behind an Apache SSL proxy.

The SSL port on the proxy server is 4433, forwarding to port 8080 on the appserver.

So the URL to the proxy server is forwarding like:

https://proxyserver:4433/appname   >>forward>>   http://appserver:8080/

When running WITHOUT proxy, the first thing that happens is that
Spring Security redirects the request, like:

http://appserver:8080/   >>redirect>>   http://appserver:8080/login

to display the login form, by extending WebSecurityConfigurerAdapter with

  ...
  httpSecurity.formLogin().loginPage("/login") ...
  ...

It works fine without the proxy, but WITH proxy the redirect needs to be changed,
so Spring should instead redirect to the corresponding proxy URL, like:

http://appserver:8080/   >>redirect>>   https://proxyserver:4433/appname/login

but no success yet.

I am trying to apply this solution: 59.8 Use Tomcat behind a front-end proxy server

We have configured mod_proxy in Apache, and verified that it sends the expected headers:

X-Forwarded-For: xxx.xxx.xxx.xxx
X-Forwarded-Host: proxyserver
X-Forwarded-Port: 4433
X-Forwarded-Proto: https

The application is started with parameters:

export ARG1='-Dserver.tomcat.protocol-header=x-forwarded-proto' 
export ARG2='-Dserver.tomcat.remote-ip-header=x-forwarded-for'
java $ARG1 $ARG2 -jar webapp.jar

Still the redirect does not work.

It will keep redirecting locally, to http://appserver:8080/login which is not available to the clients.

Is there anything else we need to do to make this scenario work?


UPDATE

Also, I am concerned about the "/appname" part in the proxy URL. On the appserver the application is rooted at "/". How should Spring be instructed that "/appname" should be included in all URLs sent back to the clients, when going thru the proxy?

like image 801
Rop Avatar asked Aug 22 '14 21:08

Rop


People also ask

Can we configure embedded tomcat server in spring boot?

We can start Spring boot applications in an embedded tomcat container that comes with some pre-configured default behavior via a properties file. In this post, we will learn to modify the default tomcat configurations via overriding respective properties in application.

Does spring boot contains embedded tomcat?

Many Spring Boot starters include default embedded containers. For servlet stack applications, the spring-boot-starter-web includes Tomcat by including spring-boot-starter-tomcat , but you can use spring-boot-starter-jetty or spring-boot-starter-undertow instead.

Which version of tomcat is embedded in spring boot?

Tomcat 7 & 8.0 work with Spring Boot, but the default is to use Tomcat 8.5. If you cannot use Tomcat 8.5 (for example, because you are using Java 1.6) you will need to change your classpath to reference a different version.


5 Answers

I had the same problem the other day. After some debugging of Spring Boot 1.3 I found the following solution.

1. You have to setup the headers on your Apache proxy:

<VirtualHost *:443>     ServerName www.myapp.org     ProxyPass / http://127.0.0.1:8080/     RequestHeader set X-Forwarded-Proto https     RequestHeader set X-Forwarded-Port 443     ProxyPreserveHost On     ... (SSL directives omitted for readability) </VirtualHost> 

2. You have to tell your Spring Boot app to use these headers. So put the following line in your application.properties (or any other place where Spring Boots understands properties):

server.use-forward-headers=true 

If you do these two things correctly, every redirect your application sends will not go to http://127.0.0.1:8080/[path] but automatically to https://www.myapp.com/[path]

Update 1. The documentation about this topic is here. You should read it at least to be aware of the property server.tomcat.internal-proxies which defines the range of IP-addresses for proxy servers that can be trusted.

Update 2021 The documentation is moved to here. The Spring Boot configuration is a litte different now.

like image 52
Igor Mukhin Avatar answered Sep 24 '22 23:09

Igor Mukhin


Your proxy looks fine, and so does the backend app, up to a point, but it doesn't seem to be seeing the RemoteIpValve modified request. The default behaviour of the RemoteIpValve includes a pattern match for the proxy IP address (as a security check) and it only modifies requests that it thinks are from a valid proxy. The pattern defaults in Spring Boot to a well-known set of internal IP addresses like 10.*.*.* and 192.168.*.*, so if your proxy isn't on one of those you need to explicitly configure it, e.g.

server.tomcat.internal-proxies=172\\.17\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} 

(using properties file format, which means you have to double escape the backslashes).

You can see the what is happening in the RemoteIpValve if you set

logging.level.org.apache.catalina.valves.RemoteIpValve=DEBUG 

or set a breakpoint in it.

like image 31
Dave Syer Avatar answered Sep 21 '22 23:09

Dave Syer


A typical solution to this problem is to let the proxy handle any required rewrite. For example, in Apache you can use the rewrite_module and/or headers_module to correct headers. As another example, Nginx handles this and other similar cases automatically for you after configuring upstream servers.

In response to comments:

What are the remote_ip_header and protocol_header spring boot configuration values?

Let's forget Spring Boot for a moment. Tomcat, the embedded servlet container, features a valve known as the RemoteIpValve. This valve is a port of the Apache remotip_module. The primary purpose of this valve is to treat the "useragent which initiated the request as the originating useragent" for "the purposes of authorization and logging". In order for this valve to be used it needs to be configured.

Please find more information about this valve here.

Spring Boot conveniently supports configuring this valve via application.properties through the server.tomcat.remote_ip_header and server.tomcat.protocol_header properties.

like image 31
Newbie Avatar answered Sep 21 '22 23:09

Newbie


I had exactly the same case using haproxy as load balancer with the below configuration, which worled for me. The only thing is the client IP is in request.getRemoteAddr() and not in "X-Forwarded-For" header

frontend www
  bind *:80
  bind *:443 ssl crt crt_path
  redirect scheme https if !{ ssl_fc }
  mode http
  default_backend servers

backend servers
  mode http
  balance roundrobin
  option forwardfor
  server S1 host1:port1 check
  server S2 host2:port2 check
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

In application.properties:

 server.use-forward-headers=true
like image 29
Panagiotis Theocharis Avatar answered Sep 24 '22 23:09

Panagiotis Theocharis


There are several properties that you can configure, related to this. application.yaml example:

server:
  forward-headers-strategy: native
  tomcat:
    use-relative-redirects: true
    protocol-header: x-forwarded-proto
    remote-ip-header: x-forwarded-for

Setting server.forward-headers-strategy: native is the replacement of the deprecated server.use-forward-headers:true

like image 43
Mark Lagendijk Avatar answered Sep 21 '22 23:09

Mark Lagendijk