Felix Meschberger created FELIX-3693:
----------------------------------------

             Summary: Filter for servers running behind a SSL-endpoint proxy
                 Key: FELIX-3693
                 URL: https://issues.apache.org/jira/browse/FELIX-3693
             Project: Felix
          Issue Type: New Feature
          Components: HTTP Service
    Affects Versions: http-2.2.0
            Reporter: Felix Meschberger
            Assignee: Felix Meschberger


Problem: An OSGi based application (e.g. an Apache Sling instance) operates 
behind an HTTP Proxy. Clients contact the proxy with HTTPS (SSL) while the 
proxy contacts the application over plain HTTP. The information that the client 
is using HTTPS/SSL is lost along the way.

From the POV of the application all requests are not secured since the 
ServletRequest.isSecure() method always returns false.

This creates some trouble particularly when sending absolute links (including 
the scheme) or redirects back to the client. Another issue is cookies which 
should be set to "secure" if the client is using HTTPS.

The general concept is as follows:

(1) The proxy is configured to set a request header when being the SSL endpoint 
(talking SSL to clients and talking plain HTTP to application) for the 
application to act as if handling a secure request:
(1a) X-Forwarded-SSL: on (see Making HTTPS Redirects Work With a Reverse Proxy 
at http://www.turbogears.org/1.0/docs/Install/RedirectHttpsRequests.html)
(1b) Optionally set other headers to provide the cipher_suite, key_size, and 
ssl_session_id. If the proxy is not able to derive these values from, the 
information just cannot be provided, which is not problematic

(2) A servlet filter is implemented to act upon the headers provided by the 
proxy, creating a request wrapper as follows:
(2a) overwrite ServletRequest.getScheme, ServletRequest.isSecure, 
HttpServletRequest.getRequestURL to indicate HTTPS
(2b) Set the request attributes defined by the Servlet API spec if the 
respective information is available from the dispatcher. Otherwise the 
attributes remain undefined

This issue is about implementing the second part as a servlet filter to support 
a proxy configured as described in the first part.

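A sketch of the filter described in part (2), added here as an illustration; it is not code from the issue or from the Felix project. It assumes the javax.servlet API, a proxy that always overwrites any client-supplied X-Forwarded-SSL header, and a hypothetical header name (X-Forwarded-SSL-Cipher) for the optional cipher suite from (1b), which the issue does not name.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class SslProxyFilter implements Filter {
    // Header from step (1a). Only trustworthy if the proxy sets or strips it
    // on every request, so a client cannot supply its own value.
    private static final String SSL_HEADER = "X-Forwarded-SSL";
    // Hypothetical header name for step (1b); the issue does not define one.
    private static final String CIPHER_HEADER = "X-Forwarded-SSL-Cipher";
    private static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && "on".equalsIgnoreCase(((HttpServletRequest) req).getHeader(SSL_HEADER))) {
            req = new SecureRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    // Step (2a): report HTTPS to the application. Step (2b): expose the
    // cipher suite attribute only when the proxy provided it.
    static final class SecureRequest extends HttpServletRequestWrapper {
        SecureRequest(HttpServletRequest request) { super(request); }

        @Override public String getScheme() { return "https"; }
        @Override public boolean isSecure() { return true; }

        @Override public StringBuffer getRequestURL() {
            StringBuffer url = super.getRequestURL();
            if (url.indexOf("http://") == 0) {
                url.replace(0, 4, "https"); // "http" -> "https", rest unchanged
            }
            return url;
        }

        @Override public Object getAttribute(String name) {
            if (CIPHER_ATTR.equals(name)) {
                String cipher = getHeader(CIPHER_HEADER);
                if (cipher != null) return cipher;
            }
            return super.getAttribute(name); // otherwise stays undefined
        }
    }
}
```

With the wrapper in place, code that checks isSecure() before marking a cookie "secure" or that builds absolute links from getScheme() behaves as it would on a direct HTTPS connection.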