
I have a Spring Boot application that is pushed on Bluemix as a CF app. It works efficiently with the http protocol. However, if I try to force https, I get a 502 error.

I have:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Redirect every request that the container does not report as secure to https
        http.requiresChannel().anyRequest().requiresSecure();
        //http.csrf().disable();
    }

}

And I have an application.properties file with these entries:

server.ssl.key-store = classpath:**.jks
server.ssl.key-store-password = *******
server.ssl.key-password = ******

server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto

I am aware that Bluemix performs SSL termination; in fact it sets correctly x-forwarded-proto and x-forwarded-for. I looked for solutions like 1 and 2 but without any luck.

I then tried with the following solution, as suggested in this article, but I received a redirect loop instead:

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public TomcatEmbeddedServletContainerFactory tomcatEmbeddedServletContainerFactory() {
    return new TomcatEmbeddedServletContainerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            // Container-level constraint: Tomcat itself redirects any request it does not see as secure
            SecurityConstraint securityConstraint = new SecurityConstraint();
            securityConstraint.setUserConstraint("CONFIDENTIAL");
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            securityConstraint.addCollection(collection);
            context.addConstraint(securityConstraint);
        }
    };
}

What did I miss in my approach? Many thanks for any tips/suggestions you may provide me.

Luca
    I'm guessing Tomcat is not detecting the x-forwarded headers as being a trusted proxy. Try setting server.tomcat.internal-proxies=.* and logging.level.org.apache.catalina.valves=DEBUG – Rob Winch Aug 17 '16 at 22:09
  • Thank you! It really helps in finding the solution! For the sake of completeness, since Bluemix already performs the SSL validation I removed the server.ssl.* part and added the following: `server.tomcat.internal-proxies=.* server.use-forward-headers=true` Now it works like a charm and it also performs HTTP to HTTPS redirection. Thanks again for your help – Luca Aug 18 '16 at 11:28

1 Answer

For the sake of the community, it would be good to see Rob's comment accepted as the answer. Rob, feel free to add your own answer if you would rather see that accepted instead.

Tomcat is not detecting the x-forwarded headers as being a trusted proxy. Try setting server.tomcat.internal-proxies=.* and logging.level.org.apache.catalina.valves=DEBUG

Dan Higham
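To show why the redirect loop happens and why internal-proxies resolves it, here is an added Python model of Tomcat's RemoteIpValve trust decision feeding Spring Security's requiresSecure(); it is not code from the question or from Spring or Tomcat, it omits trustedProxies, and the router and client addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Approximation of RemoteIpValve's default internalProxies (RFC 1918, loopback, link-local);
# a platform router on any other range does not match it, so its headers are ignored.
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|"
    r"127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)

@dataclass
class Request:
    remote_addr: str                 # TCP peer as Tomcat sees it: the router, not the browser
    scheme: str = "http"             # scheme Tomcat actually spoke; plain http after TLS termination
    headers: dict = field(default_factory=dict)

def apply_remote_ip_valve(req, internal_proxies,
                          remote_ip_header="x-forwarded-for", protocol_header="x-forwarded-proto"):
    """Simplified RemoteIpValve (trustedProxies omitted): forwarded headers are honoured only
    when the immediate peer matches internal_proxies; X-Forwarded-For is walked right to left
    and the first address that is not an internal proxy becomes the client address."""
    pat = re.compile(internal_proxies)
    if not pat.fullmatch(req.remote_addr):
        return req                   # untrusted peer: headers ignored, request left as received
    hops = [h.strip() for h in req.headers.get(remote_ip_header, "").split(",") if h.strip()]
    client = req.remote_addr
    while hops:
        client = hops.pop()
        if not pat.fullmatch(client):
            break
    proto = req.headers.get(protocol_header, "").lower()
    scheme = proto if proto in ("http", "https") else req.scheme
    return Request(client, scheme, dict(req.headers))

def requires_secure(req):
    """Spring Security's requiresChannel().anyRequest().requiresSecure(): redirect unless secure."""
    return "serve" if req.scheme == "https" else "redirect-to-https"

def decide(internal_proxies, peer="198.51.100.7", xff="203.0.113.9"):
    """One hop of the asker's setup (constructed addresses): the router terminated TLS and
    forwards plain HTTP with X-Forwarded-Proto: https. Returns (decision, client address seen)."""
    inbound = Request(peer, "http", {"x-forwarded-proto": "https", "x-forwarded-for": xff})
    seen = apply_remote_ip_valve(inbound, internal_proxies)
    return requires_secure(seen), seen.remote_addr

if __name__ == "__main__":
    print(decide(DEFAULT_INTERNAL_PROXIES))  # ('redirect-to-https', '198.51.100.7'): router untrusted, loop
    print(decide(".*"))                       # ('serve', '203.0.113.9'): headers honoured
```

With the default pattern every redirect comes straight back through the same untrusted router as plain http, which is the loop; `.*` is only appropriate when nothing but the platform router can reach the app, since any peer matching it can set the client address and scheme the app logs and acts on.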