We have a load-balancer sitting in front of two wildfly servers. The load-balancer handles the SSL handshake and forces all traffic over https (http requests are redirected to https requests), the wildfly nodes do not have certificates on them and traffic between load balancer and servers is unencrypted, the wildfly nodes know nothing about the SSL.
When a user hits a protected page the wildfly presents them with a login page. User enters credentials and submits the login form. The wildfly logs user in and then sends a redirect to the user to send them to the desired page. The redirect sent by the wildfly is an HTTP redirect. This gets grabbed by the load-balancer and redirected to HTTPS but I really want to avoid that second redirect. How can I tell the wildfly to return HTTPS redirect after login instead of HTTP?
I followed link but not sure how to deal same between wildlfy undertow load-balancer and wildfly server.
I followed this link also but didn't get any luck.
Below is the detailed solution explanation for the above problem:
We have a load-balancer sitting in front of two wildfly servers. The load-balancer handles the SSL handshake and forces all traffic over https , the wildfly nodes do not have certificates on them and traffic between load balancer and servers is unencrypted, the wildfly nodes know nothing about the SSL.The communication between load balancer and wildfly nodes is via http protocol.
When a user hits a protected page e.g. https://someip/app
Request flow is as below:
Client browser to load balancer via https
Load balancer to wildlfy nodes via http protocol .
It worked after adding proxy-address-forwarding="true" in wildlfy server node's http
listener .
Related
I have set up Keycloak (docker container) on the GCP Compute Engine (VM). After setting the sslRequired=none, I'm able to access Keycloak over a public IP (e.g. http://33.44.55.66:8080) and manage the realm.
I have configured the GCP CLassic (HTTPS) Load Balancer and added two front-ends as described below. The Load Balancer forwards the request to the Keycloak instance on the VM.
HTTP: http://55.44.33.22/keycloak
HTTPS: https://my-domain.com/keycloak
In the browser, the HTTP URL works fine and I'm able to login to Keycloak and manage the realm. However, for the HTTPS URL, I get the below error
Mixed Content: The page at 'https://my-domain.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://my-domain.com/auth/js/keycloak.js?version=gyc8p'. This request has been blocked; the content must be served over HTTPS.
Note: I tried this suggestion, but it didn't work
Can anyone help with this, please?
I would never expose Keycloak on plain http protocol. Keyclok admin console itself is secured via OIDC protocol and OIDC requires to use https protocol. So default sslRequired=EXTERNAL is safe and smart configuration option from the vendor.
SSL offloading must be configured properly:
Keycloak container with PROXY_ADDRESS_FORWARDING=true
loadbalancer/reverse proxy (nginx, GCP Classic Load Balancer, AWS ALB, ...) with proper request header X-Forwarded-* configuration, so Keycloak container will know correct protocol, domain which is used for the users
So I have spinnaker running behind an https load balancer and my external ports use the standard 443 which get port mapped to the spinnaker instance still on port 9000. I've gotten pretty much everything to work except a redirect from gate is still appending the :9000 port to my URL.
requests sent to https://my.url.com/gate/auth/redirect?to=https://my.url.com/#/infrastructure send back a redirect response with the location header in the 301 location:https://my.url.com:9000/gate/login which fails because the load balancer is only listening for 443. If I manually delete the port and go right to https://my.url.com/gate/login the oauth flow works as expected and once authed all deck functionality and subsequent gate queries work as expected.
In my /etc/default/spinnaker file I have
SPINNAKER_DECK_BASEURL=https://my.url.com
SPINNAKER_GATE_BASEURL=https://my.url.com/gate
in /opt/spinnaker/config/gate-googleOAuth.yml I have
spring:
oauth2:
client:
preEstablishedRedirectUri: ${SPINNAKER_GATE_BASEURL}/login
useCurrentUri: false
and I've ran /opt/spinnaker/bin/reconfigure_spinnaker.sh plus restarts to make sure deck and gate get updated. Does anyone have any ideas what I might be missing?
I figured out my problem. With the help of this issue pointing me in the right direction (https://github.com/spinnaker/spinnaker/issues/1112) and some digging I found that the issue was with apache2 and the reverse proxy back to gate.
ProxyPassReverse
This directive lets Apache httpd adjust the URL in the Location, Content-Location
and URI headers on HTTP redirect responses. This is essential when Apache httpd
is used as a reverse proxy (or gateway) to avoid bypassing the reverse proxy because
of HTTP redirects on the backend servers which stay behind the reverse proxy.
from apache2 documentation https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse
I'm trying to implement a local web server that handle all the http requests.
Basically, when a user connect to the network and open an url, he is redirected to my local web server.
I'm using dns mask for this purpose and it works pretty well for HTTP traffic.
The problem is with the HTTPS traffic (especially the case when a user perform a search in the chrome navigation bar).
I tried running the server on https with some iptables rules without success.
Is there a way to redirect the https traffic to my local web server ?
Thanks
Currently all traffic is coming to backend servers, which is running on port 80. However we want to redirect some pages to https. This means that whenever the customer hits on login page, logout page present in the website. It should be redirected to https.
When a customer hits on the login button it redirect to https but using haproxy it doesn't work.
https://XXXXXXXX.com/customer/account/login/
We have already installed ssl in both the servers.
However, redirection is not working from http to https.
Please suggest what I should try.
It would be best to use HAproxy to terminate the SSL and talk to the backend servers via HTTP rather than having both HAproxy and the webserver doing SSL.
There is a good SSL setup tutorial here https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04
I have a requirement wherein the application must be on both http and https. While the end user must be able to traverse the application in http, all forms should transition to https post submission.
Any advice as to how this can be achieved given that the application is deployed on Tomcat cluster and has a Apache HTTP Server as a load balancer distributing the load in a cluster.