Return-Path: X-Original-To: apmail-wicket-users-archive@minotaur.apache.org Delivered-To: apmail-wicket-users-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 75C02109F2 for ; Thu, 12 Dec 2013 08:01:07 +0000 (UTC) Received: (qmail 16020 invoked by uid 500); 12 Dec 2013 08:01:06 -0000 Delivered-To: apmail-wicket-users-archive@wicket.apache.org Received: (qmail 15706 invoked by uid 500); 12 Dec 2013 08:01:00 -0000 Mailing-List: contact users-help@wicket.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@wicket.apache.org Delivered-To: mailing list users@wicket.apache.org Received: (qmail 15696 invoked by uid 99); 12 Dec 2013 08:00:59 -0000 Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Dec 2013 08:00:59 +0000 Received: from localhost (HELO mail-we0-f178.google.com) (127.0.0.1) (smtp-auth username mgrigorov, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Dec 2013 08:00:58 +0000 Received: by mail-we0-f178.google.com with SMTP id u57so41670wes.37 for ; Thu, 12 Dec 2013 00:00:57 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=9HviK2w5N/JCb11pY4rM0U2uBNpqAtlLcyEazA1ToNQ=; b=KJEiMZLdoIMg01AXpOuSZW9CUZMf5U/2YXuf6oBuZ4jA64hm13aRcIi6vWKEwzkeWZ Fut3E4IHujfjlNAnZWbtXPzSmLA/XnvJo7HVKijLB8FXTHfq3X3nLRGxbsdACftbbRiN iG2u/WXL+Il47EI6Xhu9kUtEzPEzjxDSTa7UFGq4nHvjrsh4CUZAINy/FL/v+zHjgqlP EXUu27r3hSMpYb4v+MlnQESYejTDUvJ3aUFVYUVPR4N+86QTqolHDH0t+zMohG5lD4oB KjtM6tqGur2r0fyUGDmxZs+lSJkNKlu9VMEWMI12JiYSmLs+7L4eMH02NiipmePQP3oU 5cXA== X-Received: by 10.180.205.162 with SMTP id lh2mr6305755wic.57.1386835257232; Thu, 12 Dec 2013 00:00:57 -0800 (PST) MIME-Version: 1.0 Received: by 10.217.153.199 with HTTP; Thu, 12 Dec 2013 00:00:17 -0800 (PST) In-Reply-To: References: From: Martin Grigorov Date: Thu, 12 Dec 2013 10:00:17 +0200 Message-ID: Subject: Re: SSL Offloading and Wicket To: "users@wicket.apache.org" Content-Type: multipart/alternative; boundary=001a11c37d28de965404ed51be05 --001a11c37d28de965404ed51be05 Content-Type: text/plain; charset=UTF-8 Hi, I think you should ask in Tomcat mailing lists. The related code in Wicket is: https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java?source=cc#L232 As you can see Wicket always passes relative url to the underlying container. The container makes it absolute, i.e. sets the scheme, host, port and full path, and then sets the "Location" response header. On Thu, Dec 12, 2013 at 6:05 AM, Matthew Welch wrote: > I'm sure I'm missing something simple as there are certainly many others > using similar setups, but I cannot figure out what I'm doing wrong. > > We force all requests from the public internet to use HTTPS when accessing > our app.We terminate SSL at the load balancer and the request that actually > hits Apache and then Tomcat is straight HTTP. The load balancer adds the > proper X-Forwarded-Proto headers to the requests heading back to the app > server and Wicket and we've confirmed that these are being received. We've > setup the XForwardedRequestWrapperFactory in our web application init. We > can even confirm that request.getScheme() is properly returning "https" > inside our application. > > Where things break down is when Wicket issues a redirect, which of course > it does all of the time as people navigate from page to page. For some > reason, the issued redirects are always HTTP, instead of HTTPS. These HTTP > redirects themselves eventually get redirected back to HTTPS by our load > balancer on their return trip from the client, but many of our customers > are ultra security conscious and have firewalls in place that won't even > allow those initial HTTP requests through, so we've got a problem. > > We've traced through the Tomcat code and the cause is > in org.apache.catalina.connector.Response. This is the original response > that was created when the container first began processing the request. It > carries a pointer to the "original" request as well and it uses this > request with its getScheme(), getServerPort(), and getServerName() to > generate the redirect that is eventually returned. It does not use the > "wrapped" request that contains the values determined from processing the > X-Forwarded headers. > > As I said, I'm sure this is working as intended and that we've just missed > something somewhere, but for the life of me, I can figure out what it is. > > Any ideas? We need Wicket/Tomcat to produce HTTPS redirects. > > Matt > --001a11c37d28de965404ed51be05--