I have my Spring Boot app behind an Apache proxy. My app works over http, and SSL-related tasks are handled by the proxy server.

I'm using Spring Security's login page. Below is my security configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors();

        http.authorizeRequests()
                .antMatchers("/admin/**").hasAuthority("Admin")
                .anyRequest().permitAll()
                .and()
                .formLogin()
                .defaultSuccessUrl("/admin", true);

    }

So when a person with Admin authority logs in successfully, I redirect to /admin. This was working fine until I used the Apache proxy.

Before using the proxy it was working fine.

( http://myhost/login >> after successful login redirects To >> http://myhost/admin )

After using proxy:

( https://myhost/login >> after successful login redirects To >> http://myhost/admin )

The main issue is that it is redirecting to http instead of https.

Below is my apache proxy config:

    ProxyPreserveHost on
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

My question is: how can I redirect to https after login?

Any help would be appreciated!

dur
Vikas

1 Answer

My experience with Apache proxy setup is limited; however, based on my understanding, you will need to enable SSLEngine in order to support the SSL protocol:

The documentation:

SSLEngine Directive

- Description: SSL Engine Operation Switch
- Syntax: SSLEngine on|off|optional
- Default: SSLEngine off
- Context: server config, virtual host
- Status: Extension
- Module: mod_ssl

This directive toggles the usage of the SSL/TLS Protocol Engine. This should be used inside a <VirtualHost> section to enable SSL/TLS for that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

Example

    <VirtualHost _default_:443>
    SSLEngine on
    #...
    </VirtualHost>

In Apache 2.1 and later, SSLEngine can be set to optional. This enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1. At this time no web browsers support RFC 2817.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#page-header

JCompetence
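
An added example, not part of the question's configuration or of the answer above: one common way to get https redirects from a backend that only speaks http is to have the TLS-terminating proxy assert the original scheme in a header the application trusts. It assumes mod_ssl, mod_proxy_http and mod_headers are loaded and Spring Boot 2.2 or later on embedded Tomcat; the certificate paths are placeholders.

```apache
# Added example. Certificate paths are placeholders; the Spring Boot
# property names at the bottom assume Spring Boot 2.2+ with embedded Tomcat.

# Plain-HTTP listener: only redirects to HTTPS, never proxies to the app.
<VirtualHost *:80>
    ServerName myhost
    Redirect permanent / https://myhost/
</VirtualHost>

<VirtualHost *:443>
    ServerName myhost

    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # Keep the original Host header so the app builds URLs for "myhost".
    ProxyPreserveHost on

    # "set" overwrites any X-Forwarded-Proto supplied by the client, so the
    # backend only ever sees the scheme the proxy itself asserts.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Spring Boot side (application.properties), shown as comments because it
# lives in a different file:
#   server.forward-headers-strategy=native
#   server.address=127.0.0.1
# The first makes Tomcat honour X-Forwarded-Proto when it builds redirect
# URLs such as the post-login redirect to /admin. The second binds the app
# to loopback so port 8080 is reachable only through the proxy and forwarded
# headers cannot be supplied by clients connecting directly.
```

With `ProxyPreserveHost on`, the backend's `Location` header names `myhost` rather than `127.0.0.1:8080`, so `ProxyPassReverse` has nothing to rewrite; the scheme has to be corrected in the application, which is what the forwarded header enables.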