
I have one domain app.mydomain.com which is mapped with an A record to a public IP (from a Tomcat server that belongs to mysub.jelastic.dogado.eu). I've configured SSL custom certificates and all HTTPS requests work very well.

All I need is for my app to use just HTTPS, with all HTTP requests redirected to HTTPS. Accordingly, with the Spring Security plugin (1.2.7.4, which I have on my app) I configured it this way:

    grails.plugins.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
    grails.plugins.springsecurity.portMapper.httpPort = 8080
    grails.plugins.springsecurity.portMapper.httpsPort = 8443
    // note: these header values are the reverse of the plugin defaults
    // (secureHeaderValue = 'https', insecureHeaderValue = 'http')
    grails.plugins.springsecurity.secureChannel.secureHeaderName = 'X-Forwarded-Proto'
    grails.plugins.springsecurity.secureChannel.secureHeaderValue = 'http'
    grails.plugins.springsecurity.secureChannel.insecureHeaderName = 'X-Forwarded-Proto'
    grails.plugins.springsecurity.secureChannel.insecureHeaderValue = 'https'
    grails.plugins.springsecurity.auth.forceHttps = true
    grails.plugins.springsecurity.secureChannel.definition = [
            '/**': 'REQUIRES_SECURE_CHANNEL'
    ]

On localhost it is working very well, all HTTP requests are redirected to HTTPS, but in Jelastic nothing happened. I tried many configurations, replacing the HTTPS port with 8743/443, but with the same results. Any help will be appreciated.

Thanks a lot, Catalin

  • "but in jelastic nothig happend." - what do you mean exactly? A redirect loop, a timeout, or no redirect at all? Also as per my answer please provide your environment topology. – Damien - Layershift Feb 13 '14 at 10:09

2 Answers


The X-Forwarded-Proto header is only set if you have a load balancer in your environment (or using the shared resolver, but since you're using a custom SSL certificate that cannot apply in this case).

If you don't have a load balancer in your environment, that is why the check does not work - since those headers are simply not set.

If you do have a load balancer, all requests to your Tomcat are directed to port 80 (redirected via port forwarding to 8080); that includes requests sent to https (because the load balancer performs 'SSL offload' in this case). Therefore you are seeking an impossible combination in your grails rules (8743 and X-Forwarded-Proto). Depending on your environment topology you will have one of these cases or the other, but not both.

EDIT: You should also double-check your server.xml to make sure you have this:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

Note the redirectPort value; it should be 443 because this is the port that will be sent to the browser for a redirect - with a load balancer (or Jelastic Shared Resolver) proxying the requests, the browser needs to request on port 443 (even though the Tomcat SSL connector is configured on 8743 - if applicable), because the proxy uses standard port numbering (i.e. https:// without any port number = 443).

Even if you are working with a standalone Tomcat (no load balancer, and not via the Jelastic Shared Resolver), those requests to 443 will be automatically forwarded to 8743 for you.


Thanks Damien, your answer solved the issue. For anyone interested, this is the configuration (Config.groovy):

    production {
        grails.app.context = "/"
        grails.serverURL = "https://yourdomain.com"
        grails.plugins.springsecurity.portMapper.httpPort = 80
        grails.plugins.springsecurity.portMapper.httpsPort = 443
        grails.plugins.springsecurity.auth.forceHttps = true
        grails.plugins.springsecurity.secureChannel.definition = [
                '/**': 'REQUIRES_SECURE_CHANNEL'
        ]
    }

Put this in server.xml:

<Connector port="80" protocol="HTTP/1.1"
       connectionTimeout="20000"
       redirectPort="443" />

I suppose 8080 also works.

Make war, deploy.

  • You can't usually run Tomcat directly on port 80 (on Linux) unless you make special provisions - see http://stackoverflow.com/questions/10450045/why-does-tomcat-work-with-port-8080-but-not-80 for details why. That is why Jelastic uses 8080 and redirects traffic hitting port 80 to 8080 for you (so the actual connector is on 8080, but the URL entered by the user doesn't need a port appended, like :8080). – Damien - Layershift Mar 02 '14 at 12:25
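An added example, not code from the question, the answers or the Spring Security plugin: a small Python model of the header-check channel decision and port mapping that both answers describe, so the original configuration from the question and the corrected one from the second answer can be compared side by side. It assumes a load balancer that terminates TLS, forwards every request to Tomcat as plain HTTP on httpPort and sets X-Forwarded-Proto to the browser's real scheme; the hostname app.mydomain.com is taken from the question.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class ChannelConfig:
    """Constructed model of the grails.plugins.springsecurity.* keys used on this page."""
    http_port: int
    https_port: int
    header_name: str = "X-Forwarded-Proto"
    secure_value: str = "https"   # plugin default
    insecure_value: str = "http"  # plugin default


def redirect_target(url: str, headers: Dict[str, str], cfg: ChannelConfig) -> Optional[str]:
    """Location a REQUIRES_SECURE_CHANNEL rule would redirect to, or None if the channel already
    counts as secure. If the proxy header is present it decides; with no load balancer (no header)
    only the scheme of the connection Tomcat itself sees decides."""
    parts = urlsplit(url)
    proto = headers.get(cfg.header_name)
    insecure = (proto == cfg.insecure_value) if proto is not None else parts.scheme != "https"
    if not insecure:
        return None
    # Port mapper: the browser is sent to httpsPort; 443 is implicit in an https:// URL, which is
    # why the answer insists on 443 rather than the Tomcat SSL connector's own port behind a proxy.
    netloc = parts.hostname if cfg.https_port == 443 else f"{parts.hostname}:{cfg.https_port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def behind_load_balancer(client_url: str, cfg: ChannelConfig, max_hops: int = 3) -> List[str]:
    """Trace the URLs a browser requests when a TLS-offloading load balancer fronts Tomcat.
    Every hop reaches Tomcat as http://host:<httpPort> with X-Forwarded-Proto set to the
    browser's scheme. Ends with "LOOP" if the redirects never settle."""
    chain = [client_url]
    for _ in range(max_hops):
        c = urlsplit(chain[-1])
        seen_by_tomcat = urlunsplit(("http", f"{c.hostname}:{cfg.http_port}", c.path, c.query, ""))
        nxt = redirect_target(seen_by_tomcat, {cfg.header_name: c.scheme}, cfg)
        if nxt is None:
            return chain
        chain.append(nxt)
    chain.append("LOOP")
    return chain


# The question's configuration (header values reversed) and the second answer's corrected one.
QUESTION_CFG = ChannelConfig(8080, 8443, secure_value="http", insecure_value="https")
ANSWER_CFG = ChannelConfig(80, 443)
```

With QUESTION_CFG behind the balancer a plain-HTTP browser request is served without any redirect and an HTTPS request loops on https://app.mydomain.com:8443/, while ANSWER_CFG redirects http once to the bare https URL and then settles.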