HTTPS HYBRIS: How to configure Hybris for SSL offloading

Former Member

Hi,

I'm trying to do the SSL offloading in my Load Balancer. I'm dealing with the configuration in order to allow Hybris to work correctly. I attached my configuration in order to show my scenarios.

Apache Frontal Node Default Virtual Host

 #RequestHeader set X-Forwarded-Proto "https"
 ProxyPass "/" "ajp://172.23.24.153:8009/"
 ProxyPassReverse "/" "ajp://172.23.24.153:8009/"

Apache Frontal Node SSL Virtual Host

 #RequestHeader set X-Forwarded-Proto "https"
 ProxyPass "/" "ajp://172.23.24.153:8009/"
 ProxyPassReverse "/" "ajp://172.23.24.153:8009/"

Tomcat Hybris using the AJP connector at port 8009

 <Valve className="org.apache.catalina.valves.RemoteIpValve"
 remoteIpHeader="x-forwarded-for"
 proxiesHeader="x-forwarded-by"
 protocolHeader="x-forwarded-proto"
 />

Hybris:

 OOTB - No modification spring-security-conf.xml

[CUSTOMER BROWSER]---HTTPS--->[LOADBALANCER HTTPS]----HTTP--->[APACHE]---AJP13--->[HYBRIS-TOMCAT] -> Ideal configuration for working in SSL offloading in Load Balancer.

Scenario 1)

With the previous configuration I'm able to connect to my hybris node, but all the time it is using the HTTPS connection as is defined in the spring-security-conf.xml OOTB, so the SSL offloading done in the Load Balancer is not useful as the Apache -> Tomcat does an SSL connection again. Hybris is still working all the time in HTTPS mode and everything works well. However, this is not the target to accomplish.

Scenario 2)

In this scenario I uncommented the 'RequestHeader set X-Forwarded-Proto "https"' from the Apache virtual host and when I'm trying to connect to Hybris the connection is in HTTP. I'm able to enter my website without the internal redirection. The issue appears at the moment of registering a user (for example), as this error shows:

 http://IP/site/en/EUR/j_spring_security_check -> Server Error -> WARN  [ajp-bio-8009-exec-60]   [10.34.19.129] [PageNotFound] Request method 'POST' not supported

It looks like this action form tries to establish an HTTPS connection or something and the server crashes. What is the configuration directive for "web/webroot/WEB-INF/config/spring-security-config.xml" to tell the hybris application that the connection is secure and that there is no need to rewrite the connection? Is something missing in order to fix this issue?

Regards, Pau

Answers (1)

andyfletcher
Active Contributor

You probably need to set the value of internalProxies to match the upstream device. I'm guessing that it has a class B private address which isn't included in the default setting for this attribute, so the valve doesn't allow you to override the protocol via the protocolHeader because it sees it as originating from an untrusted address.

See https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}

By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed; 172.16/12 has not been enabled by default because it is complex to describe with regular expressions.

You could just set this to .* to match everything to confirm that your https connections start working but I would recommend setting it to something that matches your actual network infrastructure.

e.g.

 <Valve className="org.apache.catalina.valves.RemoteIpValve"
    protocolHeader="x-forwarded-proto"
    internalProxies=".*" />

(I've left out the remoteIpHeader and proxiesHeader attributes since you've set those to the default values anyway)
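To make the answer above concrete, here is an added Python model of the RemoteIpValve decision logic; it is not code from this thread, from Tomcat or from Hybris. The valve only honours X-Forwarded-For and X-Forwarded-Proto when the TCP peer itself fully matches internalProxies, which is why a proxy in 172.16/12 gets ignored under the default pattern. The model goes a little beyond the answer: it also walks the X-Forwarded-For chain the way the valve does and shows what internalProxies=".*" means when spoofed headers reach the connector directly. All addresses (Apache node 172.23.24.10, load balancer 172.23.24.1, client 198.51.100.7, direct caller 203.0.113.5) and the regex for 172.16/12 are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default internalProxies of Tomcat 7's RemoteIpValve, as documented: 10/8,
# 192.168/16, 169.254/16 and 127/8. Note that 172.16/12 is absent.
TOMCAT7_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)
# Constructed alternative covering RFC 1918's 172.16.0.0/12 (second octet 16-31);
# append it to the default with '|' when the proxy tier lives in that range.
RFC1918_172_16_SLASH_12 = r"172\.(1[6-9]|2[0-9]|3[01])\.\d{1,3}\.\d{1,3}"
INTERNAL_PROXIES_WITH_172_16 = TOMCAT7_DEFAULT_INTERNAL_PROXIES + "|" + RFC1918_172_16_SLASH_12


def matches_proxy_pattern(addr: str, pattern: str) -> bool:
    """Whole-string match, mirroring java.util.regex.Matcher.matches()."""
    return re.fullmatch(pattern, addr) is not None


@dataclass
class Request:
    remote_addr: str              # TCP peer as seen by the AJP/HTTP connector
    headers: Dict[str, str]
    scheme: str = "http"
    secure: bool = False
    server_port: int = 80


@dataclass
class Result:
    remote_addr: str
    scheme: str
    secure: bool
    server_port: int
    proxies: List[str] = field(default_factory=list)  # what proxiesHeader would carry
    headers_honoured: bool = False


def remote_ip_valve(req: Request, internal_proxies: str, trusted_proxies: Optional[str] = None,
                    remote_ip_header: str = "x-forwarded-for",
                    protocol_header: str = "x-forwarded-proto",
                    protocol_header_https_value: str = "https") -> Result:
    """Model of RemoteIpValve: X-Forwarded-* headers are honoured only when the TCP peer
    itself matches internalProxies; otherwise the request is left untouched."""
    hdr = {k.lower(): v for k, v in req.headers.items()}
    res = Result(req.remote_addr, req.scheme, req.secure, req.server_port)
    if not matches_proxy_pattern(req.remote_addr, internal_proxies):
        return res  # peer is not a known proxy: scheme stays http, client IP is the peer
    res.headers_honoured = True
    # Walk X-Forwarded-For right to left: internal proxies are dropped, trusted proxies
    # are recorded, and the first address that is neither becomes the client address.
    hops = [h.strip() for h in hdr.get(remote_ip_header, "").split(",") if h.strip()]
    for hop in reversed(hops):
        res.remote_addr = hop
        if matches_proxy_pattern(hop, internal_proxies):
            continue
        if trusted_proxies and matches_proxy_pattern(hop, trusted_proxies):
            res.proxies.insert(0, hop)
            continue
        break
    proto = hdr.get(protocol_header)
    if proto is not None:
        is_https = proto.lower() == protocol_header_https_value.lower()
        res.scheme, res.secure, res.server_port = ("https", True, 443) if is_https else ("http", False, 80)
    return res


# Constructed topology: client 198.51.100.7 -> LB 172.23.24.1 (terminates TLS)
# -> Apache 172.23.24.10 -> Tomcat. This is what the AJP connector would see.
FORWARDED_HEADERS = {"X-Forwarded-For": "198.51.100.7, 172.23.24.1", "X-Forwarded-Proto": "https"}


def scenario_default_pattern() -> Result:
    """Poster's situation: Apache sits in 172.16/12, which the default pattern does not cover."""
    return remote_ip_valve(Request("172.23.24.10", FORWARDED_HEADERS), TOMCAT7_DEFAULT_INTERNAL_PROXIES)


def scenario_pattern_with_172_16() -> Result:
    """Same request once internalProxies also covers 172.16/12."""
    return remote_ip_valve(Request("172.23.24.10", FORWARDED_HEADERS), INTERNAL_PROXIES_WITH_172_16)


def scenario_match_everything_spoofed() -> Result:
    """With internalProxies='.*', anything that reaches the connector directly can claim
    any source address and any scheme, and the valve believes it."""
    spoofed = {"X-Forwarded-For": "10.0.0.1", "X-Forwarded-Proto": "https"}
    return remote_ip_valve(Request("203.0.113.5", spoofed), ".*")


if __name__ == "__main__":
    for name, fn in [("default", scenario_default_pattern),
                     ("with 172.16/12", scenario_pattern_with_172_16),
                     ("'.*' + spoofed headers", scenario_match_everything_spoofed)]:
        print(f"{name:>22}: {fn()}")
```

The first scenario reproduces the symptom in the thread: the headers are never read, so Hybris sees a plain http request from the Apache node. The second is the fix the answer suggests, with the pattern widened only as far as the real proxy tier. The third is the reason ".*" is a diagnostic rather than a permanent setting: the connector then trusts whatever address and scheme a direct caller puts in the headers.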

Former Member

Hi Andrew,

I have this kind of configuration in order to allow the LB to connect with the Apache -> Hybris. All the communication looks like it is done by HTTP, but the issue appears at the moment of entering a secure page, for example the login page. When you submit a form with the action to j_spring_check_security (OOTB) the server crashes with the following error:

http://IP/site/en/EUR/j_spring_security_check -> Server Error -> WARN [ajp-bio-8009-exec-60] [10.34.19.129] [PageNotFound] Request method 'POST' not supported

andyfletcher
Active Contributor

I've seen similar symptoms before when accessing a page that requires CSRF protection. The CSRFHandlerInterceptor notices that you haven't submitted a valid csrf token that matches your session and forwards you to the login page. The login page is what's complaining that it doesn't support POSTs.

However, I'm not sure why the j_spring_security_check url would fall foul of a Spring MVC interceptor since it should be getting handled by the Spring Security filter way before that.

Anyway, that might give you some idea of where to start looking.