felix-dev mailing list archives

From "Ian Boston (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FELIX-4330) [HTTP SSL Filter] Make SSL header(s) configurable
Date Fri, 02 May 2014 08:08:14 GMT

    [ https://issues.apache.org/jira/browse/FELIX-4330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13987483#comment-13987483 ]

Ian Boston commented on FELIX-4330:
-----------------------------------

lgtm, except, imho it would be better to support the major SSL terminations by default so
that for 80% of those deploying it works out of the box and they don't have to debug, read the
docs or find this jira issue.

I think that list should include:
- mod_ssl
- AWS ELB
- nginx

The real problem with AWS ELB is that it's not possible to configure what the
headers are. They are hard coded and the only interface is a web page/web service. For most others
(including mod_ssl and nginx) there is a "set request header" directive of some form. TBH,
it's possible to work round this by putting a HAProxy behind the ELB SSL termination.

> [HTTP SSL Filter] Make SSL header(s) configurable
> -------------------------------------------------
>
>                 Key: FELIX-4330
>                 URL: https://issues.apache.org/jira/browse/FELIX-4330
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http-2.2.1
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>         Attachments: FELIX-4330-fme.patch, FELIX-4330.patch
>
>
> The request header indicating a proxy terminating an HTTPS connection is currently hard
> coded to be "X-Forwarded-SSL" with the only value supported to be "on" -- based on the assumption
> of this being the most commonly used header value.
> It looks like Amazon's Elastic Load Balancer uses a different header and value: X-Forwarded-Proto
> whose value is the actual protocol by which the client talks to the load balancer. The filter
> should kick in if the protocol is https (or maybe if it is just not the same as the one which
> the servlet container reports).
> [1] http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-proto



--
This message was sent by Atlassian JIRA
(v6.2#6252)
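
The check discussed in this thread, sketched as an added example (not code from the Felix project or from either attached patch): configurable header/value pairs, defaulting to the two pairs named in the issue. The class and method names and the trusted-proxy allow-list are assumptions; the allow-list is included because these headers are supplied by whoever sends the request, so they only mean something when they come from the terminating proxy.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Felix code.
public class ForwardedSslCheck {
    // Lower-cased header name -> value that means "client used HTTPS to the proxy".
    private final Map<String, String> rules = new LinkedHashMap<>();
    // Assumption: addresses of the terminating proxies; headers from other peers are ignored.
    private final Set<String> trustedProxies;

    public ForwardedSslCheck(Map<String, String> headerRules, Set<String> trustedProxies) {
        headerRules.forEach((k, v) -> rules.put(k.toLowerCase(Locale.ROOT), v));
        this.trustedProxies = trustedProxies;
    }

    // Defaults: the two header/value pairs named in FELIX-4330.
    public static ForwardedSslCheck withDefaults(Set<String> trustedProxies) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("X-Forwarded-SSL", "on");
        m.put("X-Forwarded-Proto", "https");
        return new ForwardedSslCheck(m, trustedProxies);
    }

    // Returns "https" when a trusted proxy signals SSL termination, else the container's scheme.
    public String effectiveScheme(String containerScheme, String remoteAddr,
                                  Map<String, String> headers) {
        if (!trustedProxies.contains(remoteAddr)) {
            return containerScheme;
        }
        for (Map.Entry<String, String> h : headers.entrySet()) {
            // HTTP header names are case-insensitive, so compare on the lower-cased name.
            String expected = rules.get(h.getKey().toLowerCase(Locale.ROOT));
            if (expected != null && expected.equalsIgnoreCase(h.getValue().trim())) {
                return "https";
            }
        }
        return containerScheme;
    }

    public static void main(String[] args) {
        ForwardedSslCheck check = withDefaults(Set.of("10.0.0.5")); // constructed address
        // Constructed requests: ELB-style header, the hard-coded default, an untrusted sender.
        System.out.println(check.effectiveScheme("http", "10.0.0.5", Map.of("x-forwarded-proto", "HTTPS")));
        System.out.println(check.effectiveScheme("http", "10.0.0.5", Map.of("X-Forwarded-SSL", "on")));
        System.out.println(check.effectiveScheme("http", "203.0.113.9", Map.of("X-Forwarded-Proto", "https")));
    }
}
```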
