[
https://issues.apache.org/jira/browse/FELIX-4330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13988796#comment-13988796
]
Felix Meschberger commented on FELIX-4330:
------------------------------------------
This really *is* a mess: I found mentions of four headers:
* {{X-Forwarded-SSL: on}} – the currently hard-coded default value
* {{X-Forwarded-Proto: https}} – [Amazon ELB's hard-coded header|http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-proto] and in an Nginx Wiki page on [SSL-Offload|http://wiki.nginx.org/SSL-Offloader]. Also listed on Wikipedia's [List of HTTP header fields|http://en.wikipedia.org/wiki/List_of_HTTP_header_fields] as a quasi standard.
* {{X-Forwarded-Protocol: https}} – Alternative to X-Forwarded-Proto
* {{Front-End-Https: on}} – Microsoft header, see [Helping to Secure Communication: Client to Front-End Server|http://technet.microsoft.com/en-us/library/aa997519%28v=exchg.65%29.aspx]. Also listed on Wikipedia's [List of HTTP header fields|http://en.wikipedia.org/wiki/List_of_HTTP_header_fields]

I fear we have to provide support for all.
> [HTTP SSL Filter] Make SSL header(s) configurable
> -------------------------------------------------
>
> Key: FELIX-4330
> URL: https://issues.apache.org/jira/browse/FELIX-4330
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http-2.2.1
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Attachments: FELIX-4330-fme.patch, FELIX-4330.patch
>
>
> The request header indicating a proxy terminating an HTTPS connection is
> currently hard coded to be "X-Forwarded-SSL" with the only value supported to
> be "on" -- based on the assumption of this being the most commonly used
> header value.
> It looks like Amazon's Elastic Load Balancer uses a different header and
> value: X-Forwarded-Proto whose value is the actual protocol by which the
> client talks to the load balancer. The filter should kick in if the protocol
> is https (or maybe if it is just not the same as the one which the servlet
> container reports).
> [1]
> http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-proto
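A check covering all four headers listed in the comment above, as an added example that is not part of the original thread or of the attached Felix patches. The class and method names and the trusted-proxy list are assumptions of this example; the proxy check is included because any client can send these headers itself.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class ForwardedSslCheck {
    // Header name -> value that signals TLS was terminated at the proxy
    // (the four header/value pairs listed in the comment).
    static final Map<String, String> SSL_HEADERS = new LinkedHashMap<>();
    static {
        SSL_HEADERS.put("X-Forwarded-SSL", "on");
        SSL_HEADERS.put("X-Forwarded-Proto", "https");
        SSL_HEADERS.put("X-Forwarded-Protocol", "https");
        SSL_HEADERS.put("Front-End-Https", "on");
    }

    // Returns the name of the header that marked the request as HTTPS, or null.
    // trustedProxies is an assumption of this example: the headers are honoured
    // only when the direct peer is a known proxy, never for arbitrary clients.
    static String forwardedHttpsHeader(Map<String, String> requestHeaders,
                                       String remoteAddr, Set<String> trustedProxies) {
        if (!trustedProxies.contains(remoteAddr)) {
            return null;
        }
        // HTTP header names are case-insensitive, so look them up that way.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.putAll(requestHeaders);
        for (Map.Entry<String, String> expected : SSL_HEADERS.entrySet()) {
            String value = headers.get(expected.getKey());
            if (value != null && value.trim().equalsIgnoreCase(expected.getValue())) {
                return expected.getKey();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Set<String> proxies = Set.of("10.0.0.5"); // constructed sample proxy address
        // Constructed sample requests: two matches, one plain-HTTP value, one untrusted peer.
        System.out.println(forwardedHttpsHeader(Map.of("x-forwarded-proto", "HTTPS"), "10.0.0.5", proxies));
        System.out.println(forwardedHttpsHeader(Map.of("Front-End-Https", "on"), "10.0.0.5", proxies));
        System.out.println(forwardedHttpsHeader(Map.of("X-Forwarded-Proto", "http"), "10.0.0.5", proxies));
        System.out.println(forwardedHttpsHeader(Map.of("X-Forwarded-SSL", "on"), "203.0.113.9", proxies));
    }
}
```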