Configuring embedded Jetty 9 for X-FORWARDED-PROTO with Spring Boot

I am running a Spring Boot application in AWS. The application is running behind an Elastic Load Balancer (ELB). The ELB is configured to use https (port 443) to the outside world, but passes through http (port 8080) to the application. The ELB is configured to pass through the x-forwarded-proto header. I am using Jetty 9.0.0.M0, with Spring Boot 1.1.5 RELEASE.

I appear to be getting incorrect redirects sent back from the application via the ELB where the redirect responses are coming back as http, rather than https. Now, I read here that I should set the "forwarded" header to true using:

    <Set name="forwarded">true</Set>

I can't see how to do this with the embedded version of Jetty in Spring Boot because there is no XML configuration file as part of my source.

I have looked at the EmbeddedServletContainerCustomizer infrastructure but I still can't get the right incantation to get this setup to work.

The application is built and tested outside of the AWS https environment, so the application needs to transparently work with http too. Directly hitting the application endpoints without going through the ELB works. It's just the ELB-to-application route that's not working.

Any ideas?

Had a similar issue myself and while researching stumbled across your question. I found this was quite easy to do programmatically; however, it isn't really explained in the Jetty docs.

The structure of the Jetty XML configuration files is matched by the structure of the Java API, so you can just replicate it in code.

So following the Jetty guide on how to configure using the XML configuration file here

I was able to configure the embedded server programmatically like this:

    Server server = new Server( port );

    // Create HTTP Config
    HttpConfiguration httpConfig = new HttpConfiguration();

    // Add support for X-Forwarded headers
    httpConfig.addCustomizer( new org.eclipse.jetty.server.ForwardedRequestCustomizer() );

    // Create the http connector
    HttpConnectionFactory connectionFactory = new HttpConnectionFactory( httpConfig );
    ServerConnector connector = new ServerConnector(server, connectionFactory);

    // Make sure you set the port on the connector, the port in the Server constructor is overridden by the new connector
    connector.setPort( port );

    // Add the connector to the server
    server.setConnectors( new ServerConnector[] { connector } );
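The same customizer can be attached to the connectors Spring Boot creates, using the `EmbeddedServletContainerCustomizer` hook the question mentions. This is an added example, not code from the original posts; it assumes Spring Boot 1.x with a stable Jetty 9 on the classpath, and the property name `app.behind-proxy` is hypothetical.

```java
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.jetty.JettyEmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.jetty.JettyServerCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ForwardedHeaderConfig {

    // Hypothetical property: set to true only on instances whose port is
    // reachable solely from the load balancer. X-Forwarded-* headers sent by
    // a client that connects directly would otherwise be trusted as well.
    @Value("${app.behind-proxy:false}")
    private boolean behindProxy;

    @Bean
    public EmbeddedServletContainerCustomizer forwardedHeaderCustomizer() {
        return new EmbeddedServletContainerCustomizer() {
            @Override
            public void customize(ConfigurableEmbeddedServletContainer container) {
                if (!behindProxy || !(container instanceof JettyEmbeddedServletContainerFactory)) {
                    return;
                }
                ((JettyEmbeddedServletContainerFactory) container)
                        .addServerCustomizers(new JettyServerCustomizer() {
                            @Override
                            public void customize(Server server) {
                                // Connectors already exist here; patch each HttpConfiguration in place
                                for (Connector connector : server.getConnectors()) {
                                    HttpConnectionFactory http =
                                            connector.getConnectionFactory(HttpConnectionFactory.class);
                                    if (http != null) {
                                        http.getHttpConfiguration()
                                                .addCustomizer(new ForwardedRequestCustomizer());
                                    }
                                }
                            }
                        });
            }
        };
    }
}
```

With the property left at its default of `false`, the application behaves as before for local http testing; the ELB deployment sets it to `true`.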


I found a couple problems with the default Spring Boot Jetty configuration, not the least of which are enabled SSL algorithms which SSLLabs Check doesn't like.

Anyway: The fix I found for this was something like:

    @Bean
    public JettyEmbeddedServletContainerFactory jettyEmbeddedServletContainerFactory()
    {
        // Deploy the nuclear option, kill the default Spring Boot factory
        // and replace with mine that disables extra crud.
        JettyEmbeddedServletContainerFactory fac = new JettyEmbeddedServletContainerFactory();
        // This allows ELB to work.
        fac.setUseForwardHeaders( true );
        return fac;
    }

There are also a number of other ELB options that you need to set up if you want SSL end-to-end. I had to use the command line client with some tweaks and change the health checks to TCP:8443 b/c the EC2 instance certificates look invalid to the load balancer.


Try setting the following property in your spring boot application:

    server.use-forward-headers=true

This will ensure the correct protocol is read from the header. Refer to documentation here:

https://docs.spring.io/spring-boot/docs/1.5.9.RELEASE/reference/html/howto-embedded-servlet-containers.html


I have been unable to find a simple Jetty 9 solution to this question. Other than recommending that I upgrade to a later version of Jetty (which is good advice), I have received no other suggestions (at this time, as you can see).

My solution for the sake of expedience is to abandon Jetty, and instead to use embedded tomcat, where this functionality is a simple matter of configuration in the application.properties file. Simply add the following line to application.properties:

    server.tomcat.remote_ip_header=x-forwarded-for

This appears to do the trick using the default embedded tomcat that comes as part of Spring Boot.


Comments
  • Jetty 9.0.0.M0 is not a stable release of Jetty 9. (In fact, it's a pre-release / milestone 0.) Upgrade
  • How do you customize your ServerConnector and their associated HttpConfigurations using Spring Boot? (show code)