
Setting up SSL/HTTPS - Hybris (TC) / Apache / Spring Security

Former Member
0 Likes
4,064

Is there a recommended approach or an example config for configuring SSL (with Apache as a proxy for Tomcat - port 80 and 443)?

We had a problem reaching HTTPS pages: we'd get an infinite redirect loop when trying to reach the login/register page.

To 'solve' this, we have set all security-intercept rules in our storefront spring-security.xml to HTTP and let Apache take care of enforcing the SSL encryption. As a consequence, some functionality in the storefront doesn't work anymore, such as setting a GUID cookie etc.; some methods check if the request is secure (by calling request.isSecure()). Since the require-channel is set to HTTP, hybris thinks the requests are insecure, but in reality they are secure. Removing these request.isSecure() checks does the trick, but this entire approach feels hacky and I'd like to do this the right way...

Thanks for your advice on this!

Former Member
0 Likes

Your infinite loop is caused by Tomcat being unable to distinguish secure and insecure requests, so Spring Security redirects secure pages to insecure pages indefinitely. There are a lot of solutions to this problem depending on your architecture, security constraints, etc.

The simple solution: use the X-Forwarded-Proto header.

On the Apache side you should have 2 VirtualHosts, one for HTTP and one for HTTPS (standard configuration on most distros).

The HTTPS virtual host must set the X-Forwarded-Proto header:

 RequestHeader set X-Forwarded-Proto https


The 2 Apache VirtualHosts could reverse proxy to the same port: 9001 for HTTP or, better, the AJP one, 8009.

In your Tomcat server.xml you must have this valve so that Tomcat is able to mark requests as secure:

 <Valve className="org.apache.catalina.valves.RemoteIpValve"
 remoteIpHeader="x-forwarded-for"
 remoteIpProxiesHeader="x-forwarded-by"
 protocolHeader="x-forwarded-proto"
 />

In hybris local.properties your website URL should also be configured to avoid some redirection problems:

 website.<site>.http=http://.../<storefront>
 website.<site>.https=https://.../<storefront>
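
A fuller sketch of the Apache side of the answer above, as an added example that is not part of the original post: both virtual hosts proxy to Tomcat's HTTP port 9001, and the port-80 host overwrites X-Forwarded-Proto so the value Tomcat sees always comes from Apache and never from the client. The hostname, certificate paths, loopback backend address and the /storefront path are placeholders.

```apache
# Added example; placeholders: shop.example.com, certificate paths, /storefront.
# Assumes mod_ssl, mod_headers, mod_proxy and mod_proxy_http are loaded and
# that Tomcat's HTTP connector listens on 127.0.0.1:9001.

<VirtualHost *:80>
    ServerName shop.example.com

    # "set" replaces any X-Forwarded-Proto value supplied by the client, so a
    # plain-HTTP request can never arrive at Tomcat labelled as https.
    RequestHeader set X-Forwarded-Proto http

    ProxyPreserveHost On
    ProxyPass        /storefront http://127.0.0.1:9001/storefront
    ProxyPassReverse /storefront http://127.0.0.1:9001/storefront
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    # TLS terminates here; tell Tomcat the original request was HTTPS.
    # RemoteIpValve (protocolHeader="x-forwarded-proto") turns this into
    # request.isSecure() == true and scheme "https".
    RequestHeader set X-Forwarded-Proto https

    ProxyPreserveHost On
    ProxyPass        /storefront http://127.0.0.1:9001/storefront
    ProxyPassReverse /storefront http://127.0.0.1:9001/storefront
</VirtualHost>

# RemoteIpValve only honours the forwarded headers when the connection comes
# from an address matching its internalProxies / trustedProxies settings
# (loopback matches the default). Keep port 9001 unreachable from anywhere
# except Apache so that no other client can present the header directly.
```

With this in place the spring-security.xml rules can keep their HTTPS channel requirements, since Tomcat now reports the scheme the browser actually used.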

Former Member
0 Likes

Thanks for the clarification!