Shawn, I think you may have a solution now, but I'll just answer any outstanding questions just in case.
To turn on relative redirects, you need to set the property `jetty.httpConfig.relativeRedirectAllowed=true`, which can be done on the command line or better yet in the server.ini file. The example you sent without a proxy is exactly correct behaviour as the Host header sent is used for the non relative redirection. As you have discovered, either the Host header must be the original from the client OR the ForwardedRequestCustomizer must be used to pass over the same information. So I think it is worthwhile to correctly configure your proxy anyway, as that reduces the possibility of anything else leaking your internal IP addresses..... and then configure relative redirects anyway so you have defence in depth. cheers On Wed, 25 May 2022 at 02:31, Shawn Heisey <ecli...@elyograg.org> wrote: > On 5/24/22 02:03, Greg Wilkins wrote: > > To say more, we'd need to see the headers of the request arriving at > > the proxy and then arriving at jetty.... but my money is on their > > proxy being configured to rewrite the host header. > > I was able to duplicate the issue, and I did not have haproxy configured > to do any kind of rewriting. > > This is what I get with a verbose curl: > > https://paste.elyograg.org/view/e95b70a0 > > This is what haproxy logged for that request, showing a 302 response: > > May 24 10:01:41 - haproxy[299524] 192.168.217.199:59602 > [24/May/2022:10:01:41.656] solr~ be-solr/g8981 0/0/0/1/1 302 105 - - > --NI 1/1/0/0/0 0/0 "GET https://solr.elyograg.org:8983/ HTTP/2.0" > > Where would I do HttpConfiguration.setRelativeRedirectAllowed(true)? > That looks like Java code, and Jetty is not embedded. This is the > jetty.xml in Solr 8.x: > > > https://gitbox.apache.org/repos/asf?p=lucene-solr.git;a=blob_plain;f=solr/server/etc/jetty.xml;h=e2f4ab095984aac27185a9879964862f9ba35d4d;hb=refs/heads/branch_8_11 > > I'm still digesting Uwe's reply. To answer his question: The proxy is > https, Solr is http. > > The relevant parts of my haproxy config can be found at the link below. > The commented lines in the frontend are how I worked around the issue in > haproxy -- handling root path redirect in haproxy rather than letting it > through to Solr: > > https://paste.elyograg.org/view/b3b413c3 > > Thanks, > Shawn > > _______________________________________________ > jetty-users mailing list > jetty-users@eclipse.org > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/jetty-users > -- Greg Wilkins <gr...@webtide.com> CTO http://webtide.com
_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
