
I've got a Spring Boot application hosted on internal Tomcat. We've enabled the properties below to force a redirect to HTTPS as a response.

server.use-forward-headers=true
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto

Now, I've a requirement to open this application for internal use as well and in this case, I should not force HTTPS in response.

I understand that I can use the property

server.tomcat.internal-proxies=192\\.168\\.\\d{1,3}\\.\\d{1,3}

But I do not want to do this based on IP, rather want to use a specific value in the header.

Example: if header "X-Forwarded-Host" contains a value like "test.com.sg" --> then do NOT force HTTPS.

May I know how I can achieve this?

rupesh
  • Is disabling HTTPS based on headers a good idea from a security point of view? Normally we use the IP-based approach, as it enables us to control and identify the traffic and securely open our network. But using headers will undermine that. – Ananthapadmanabhan May 24 '19 at 04:31
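
The trade-off raised in the comment above, as an added example that is not part of the original question and is not Tomcat or Spring code: it compares a rule that looks only at `X-Forwarded-Host` with one that honours the header only when the connecting peer matches the `internal-proxies` pattern. The class and method names, the exact-match rule and the sample requests are assumptions made for illustration.

```java
import java.util.regex.Pattern;

// Added example: models only the trust decision, not the servlet plumbing.
public class ForwardedHeaderTrust {

    // Same regex as the server.tomcat.internal-proxies value in the question.
    static final Pattern INTERNAL_PROXIES =
            Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}");

    // Host value taken from the question's example.
    static final String INTERNAL_HOST = "test.com.sg";

    // Header-only rule as described in the question ("contains a value like").
    // Any client that can reach the application can set this header itself.
    static boolean skipHttpsHeaderOnly(String forwardedHost) {
        return forwardedHost != null && forwardedHost.contains(INTERNAL_HOST);
    }

    // Gated rule (assumption): the header counts only when the TCP peer is a
    // known proxy, and the host must match exactly rather than by substring.
    static boolean skipHttpsGated(String peerAddr, String forwardedHost) {
        boolean fromTrustedProxy = peerAddr != null
                && INTERNAL_PROXIES.matcher(peerAddr).matches();
        return fromTrustedProxy && INTERNAL_HOST.equalsIgnoreCase(forwardedHost);
    }

    public static void main(String[] args) {
        // Constructed requests: {peer address, X-Forwarded-Host}
        String[][] requests = {
            {"192.168.10.5", "test.com.sg"},               // internal proxy, internal host
            {"203.0.113.7",  "test.com.sg"},               // outside peer supplying the header
            {"192.168.10.5", "app.example.com"},           // internal proxy, public host
            {"203.0.113.7",  "test.com.sg.other.example"}, // substring match only
        };
        for (String[] r : requests) {
            System.out.printf("%-13s %-26s headerOnly=%-5b gated=%b%n",
                    r[0], r[1], skipHttpsHeaderOnly(r[1]), skipHttpsGated(r[0], r[1]));
        }
    }
}
```

The two rules disagree exactly on the requests whose peer address is outside the proxy range, which is the case the comment is concerned about.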

0 Answers