Nginx SSL + Tomcat cluster: getting request.getScheme() to return the correct HTTPS protocol


Transferred from: http://feitianbenyue.iteye.com/blog/2056357

In a recent project we used an Nginx + Tomcat cluster. SSL is configured on Nginx, Tomcat has no SSL, and the project is served over HTTPS.

However, even though the requests were clearly made to HTTPS URLs, the log showed:

Log output
    0428 15:55:55 INFO (PaymentInterceptor.java:44) preHandle() - Requeststringforlog: {
        "request.getRequestURL():": "http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6",
        "request.getMethod:": "GET",
        "_parametermap": {
            "id": ["212"],
            "s": ["a84485e0985afe97fffd7fd7741c93851d83a4f6"]
        }
    }
The request.getRequestURL() output was always http://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6, but the URL in the browser was https://trade.feilong.com/payment/paymentChannel?id=212&s=a84485e0985afe97fffd7fd7741c93851d83a4f6

This briefly upended my understanding of Java, because the API documentation clearly states:

getRequestURL():

Java code
    Reconstructs the URL the client used to make the request.
    The returned URL contains a protocol, server name, port number, and server path,
    but it does not include query string parameters.

That is, getRequestURL() returns the URL without the query string (it includes the protocol, port, server path, and so on).



I also found that:

Java code
    request.getScheme()                  // always http, never the actual http or https
    request.isSecure()                   // always false (because the scheme is always http)
    request.getRemoteAddr()              // always the IP of the Nginx request, not the user's IP
    request.getRequestURL()              // always the URL of the Nginx request, not the URL the user actually requested
    response.sendRedirect(relative URL)  // always redirects to http (because the request is considered an HTTP request)

After some reading I found a solution:

The solution is simple: Nginx and Tomcat each need a small configuration change, and the application code does not change at all.

Configure the Nginx forwarding options:

Nginx configuration
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;


Add a Valve under the Engine element of Tomcat's server.xml:

XML code
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"/>

X-Forwarded-Proto is configured so that Tomcat can correctly identify whether the user's actual request was made over HTTP or HTTPS.

With this in place, all five of the checks above return the correct results, just as if the user were accessing Tomcat directly.

For more about RemoteIpValve, interested readers can consult the documentation:

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

From the documentation
    Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").
    Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

Looking at its source code, the logic is relatively simple; next to the various frameworks and algorithms a request passes through, this class has little impact on performance.

    • If the protocolHeader attribute is not configured, nothing is done.
    • If protocolHeader is configured but request.getHeader(protocolHeader) returns null, nothing is done.
    • If protocolHeader is configured and the value of request.getHeader(protocolHeader) equals (ignoring case) the configured protocolHeaderHttpsValue (default https), the scheme is set to https and the port is set to httpsServerPort.
    • Otherwise the scheme is set to http.

Java code
    if (protocolHeader != null) {
        String protocolHeaderValue = request.getHeader(protocolHeader);
        if (protocolHeaderValue == null) {
            // don't modify the secure, scheme and serverPort attributes
            // of the request
        } else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
            request.setSecure(true);
            // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
            request.getCoyoteRequest().scheme().setString("https");
            request.setServerPort(httpsServerPort);
        } else {
            request.setSecure(false);
            // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
            request.getCoyoteRequest().scheme().setString("http");
            request.setServerPort(httpServerPort);
        }
    }
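
The excerpt above runs only after the valve has decided to trust the connecting address: RemoteIpValve applies X-Forwarded-For and X-Forwarded-Proto only when that address matches its internalProxies or trustedProxies pattern. The following is an added example, not Tomcat's source or the original author's code, that models this gate in simplified form; the class name, the 10.0.0.0/24 proxy range and the sample addresses are assumptions.

```java
import java.util.regex.Pattern;
// Added illustration: a simplified model of the valve's trust gate, not Tomcat's source.
public class ForwardedHeaderTrust {

    // Assumption: the Nginx nodes connect to Tomcat from 10.0.0.0/24.
    static final Pattern INTERNAL_PROXIES = Pattern.compile("10\\.0\\.0\\.\\d{1,3}");

    static boolean isProxy(String addr) {
        return INTERNAL_PROXIES.matcher(addr).matches();
    }

    /** Returns {remoteAddr, scheme} as the application would see them. */
    static String[] resolve(String connectingAddr, String forwardedFor, String forwardedProto) {
        // Connector defaults: Tomcat has no SSL, so it sees plain http from its peer.
        String remote = connectingAddr;
        String scheme = "http";
        // Forwarded headers are honoured only when the peer is a known proxy.
        if (!isProxy(connectingAddr)) {
            return new String[] {remote, scheme};
        }
        if (forwardedFor != null && !forwardedFor.trim().isEmpty()) {
            String[] hops = forwardedFor.trim().split("\\s*,\\s*");
            // Walk right to left (our proxies append on the right); stop at the first non-proxy address.
            for (int i = hops.length - 1; i >= 0; i--) {
                remote = hops[i];
                if (!isProxy(remote)) {
                    break;
                }
            }
        }
        // As in the excerpt: null changes nothing, "https" (any case) is secure, anything else is http.
        if ("https".equalsIgnoreCase(forwardedProto)) {
            scheme = "https";
        }
        return new String[] {remote, scheme};
    }
    public static void main(String[] args) {
        // Constructed sample requests (documentation address ranges).
        String[][] samples = {
            {"10.0.0.5", "203.0.113.7", "https"},                 // normal request via Nginx
            {"10.0.0.5", "198.51.100.99, 203.0.113.7", "https"}, // client sent its own X-Forwarded-For
            {"203.0.113.7", "10.9.9.9", "https"},                 // peer is not a proxy: headers ignored
        };
        for (String[] s : samples) {
            String[] r = resolve(s[0], s[1], s[2]);
            System.out.println(s[0] + " -> remoteAddr=" + r[0] + ", scheme=" + r[1]);
        }
    }
}
```

The forwarded values are only as trustworthy as this gate: the proxy pattern on the Valve should match the actual Nginx addresses, and Tomcat's connector should not be reachable by clients directly.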

