Advanced Tweak on Undertow-handlers.conf for http https redirect

Question

I use WildFly behind an AWS load balancer. I want the Undertow server in WildFly to redirect http traffic to https, and I can do this mostly successfully with the following line placed in undertow-handlers.conf:

equals('http', %{i,X-Forwarded-Proto}) -> redirect(https://app.server.com%U)

Thanks to these folks for getting me this far! Now here's my desired tweak. Sometimes I run my web application behind a testing load balancer using 'dev.server.com' and sometimes I run it behind a production load balancer using 'app.server.com.' Currently, I have to remember to manually edit undertow-handlers.conf any time I switch balancers. I'm hoping there is a way to change the hard-coded 'dev' and 'app' to something mechanical. Is there a way to tell Undertow to just use the domain name that was originally requested?

Thanks.

score 3 · Answer 1 · answered Jul 24 '17 at 20:36

3

If you want to keep it as part of the deployment try using the %h in the redirect expressions. For example:

equals('http', %{i,X-Forwarded-Proto}) -> redirect(https://%h%U)

Another option would be to configure the server to handle the redirect for you. The CLI commands would look something like the following assuming the default ports of 8080 for http and 8443 for https.

/subsystem=undertow/configuration=filter/rewrite=http-to-https:add(redirect=true, target="https://%h:8443%U")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=http-to-https:add(predicate="equals(%p, 8080)")

You can see all the possible exchange attributes in the Undertow documentation.

answered Jul 24 '17 at 20:36

James R. Perkins

16,800
44
60

Thanks, @james. I tried swapping in Undertow's %h in place of 'dev.server.com', but it did not work: the redirect no longer functioned. I'm guessing %h is not an exact replica of the requested domain. – Josh Britton Jul 25 '17 at 11:51
Yeah I guess it may not be an exact replica. http://docs.oracle.com/javase/8/docs/api/java/net/InetSocketAddress.html#getHostString--. If you use the undertow subsystem setting though you could use an expression for the target attribute on the rewrite filter. `target="https://${jboss.host.name:%h}:8443%U"` – James R. Perkins Jul 25 '17 at 17:55

score 3 · Accepted Answer · answered Dec 21 '17 at 19:10

3

Thankfully the undertow configuration gives you access to the request headers via Exchange Attributes, which you're already using to access the X-Forwarded-Proto header. So the solution is to simply use the Host header from the request like so:

equals('http', %{i,X-Forwarded-Proto}) -> redirect(https://%{i,Host}%U)

answered Dec 21 '17 at 19:10

dpeterson

138
1
7

If the `host` header includes an explicit port number, problems may occur with this approach. – Robert Hume Oct 28 '18 at 18:39

Advanced Tweak on Undertow-handlers.conf for http https redirect

2 Answers2