on 2014 Sep 24 1:31 PM
Is there a recommended approach or an example config for configuring SSL (with Apache as a proxy for Tomcat - port 80 and 443)?
We had a problem reaching HTTPS pages: we'd get an infinite redirect loop when trying to reach the login/register page.
To 'solve' this, we have set all security-intercept rules in our storefront spring-security.xml to HTTP and let Apache take care of enforcing the SSL encryption. As a consequence, some functionality in the storefront doesn't work anymore, such as setting a GUID cookie etc.; some methods check if the request is secure (by calling request.isSecure()). Since the require-channel is set to HTTP, hybris thinks the requests are insecure, but in reality they are secure. Removing these request.isSecure() checks does the trick, but this entire approach feels hacky and I'd like to do this the right way...
Thanks for your advice on this!
The presence of a reverse proxy (or multiple proxies) is normally made transparent to the application (and especially to spring-security, so that you can keep it as it was during development) provided:
1) the proper headers are added to the request by the reverse proxy, to keep track of the protocol (http, https) and the remote IP;
2) the headers are translated back into the HttpServletRequest by Tomcat: the isSecure() flag, getRemoteAddr() and getServerPort() will transparently take the expected values.
Fortunately:
Apache, and other web servers/reverse proxies/gateways, take care of 1) automatically.
<Engine ...>
  <!-- Process X-Forwarded-For to get the remote address and X-Forwarded-Proto to identify SSL requests. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="x-forwarded-for"
         proxiesHeader="x-forwarded-by"
         protocolHeader="x-forwarded-proto" />
  ...
Note that in the above example you can even add an internalProxies="${internalProxies.ipAddresses}" attribute and set the "internalProxies.ipAddresses" property in the local.properties file to list the IP addresses of additional reverse proxies or gateways that would be in front of Apache. This is optional; if browsers are making direct http(s) requests to Apache, you can omit this attribute.
See the RemoteIpValve documentation for the list of all attributes of the Tomcat valve.
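The Apache side of the setup described in the answer above, as an added example that is not part of the original thread. It assumes Tomcat/hybris listens with a plain HTTP connector on 127.0.0.1:8080 on the same host as Apache, that Apache terminates TLS, and that mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded; the hostname, certificate paths and addresses are placeholders. The point it adds to the answer: mod_proxy_http adds X-Forwarded-For (and X-Forwarded-Host/-Server) on its own, but X-Forwarded-Proto has to be set explicitly, and it must be overwritten rather than appended on both listeners, because RemoteIpValve will trust whatever Apache forwards.

```apache
# Added example, not from the original post. Assumed topology:
# browser -> Apache (:80 and :443, TLS terminated here) -> Tomcat 127.0.0.1:8080 (HTTP).

# Plain-HTTP listener. Requests are proxied unchanged; the storefront keeps its
# original require-channel="https" rules in spring-security.xml and issues the
# redirect to https itself once Tomcat knows the real scheme.
<VirtualHost *:80>
    ServerName shop.example.com

    # "set" overwrites any client-supplied value. Without this, a client could
    # send "X-Forwarded-Proto: https" over plain HTTP, Apache would pass it
    # through, and RemoteIpValve (which trusts 127.0.0.1 by default) would make
    # request.isSecure() return true for an unencrypted request.
    RequestHeader set X-Forwarded-Proto "http"

    # Keep the browser's Host header so getServerName()/redirects use
    # shop.example.com instead of 127.0.0.1:8080.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# HTTPS listener. TLS ends here; Tomcat only ever sees HTTP.
<VirtualHost *:443>
    ServerName shop.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
    # Protocol/cipher hardening (SSLProtocol, SSLCipherSuite) is out of scope here.

    # mod_proxy_http adds X-Forwarded-For / X-Forwarded-Host / X-Forwarded-Server
    # by itself (ProxyAddHeaders defaults to On). X-Forwarded-Proto is NOT added
    # automatically; RemoteIpValve turns this value into isSecure()=true,
    # getScheme()="https" and getServerPort()=443 (its httpsServerPort default).
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two checks worth doing after enabling this together with the RemoteIpValve from the answer. First, RemoteIpValve only rewrites the request when the TCP peer address matches its internalProxies (or trustedProxies) pattern; the shipped default covers loopback and the RFC 1918 ranges, so an Apache on the same host or on a private LAN address is trusted without further configuration, but an Apache on a public address must be listed explicitly in internalProxies or every request will keep isSecure()=false and the redirect loop from the question comes back. Second, on X-Forwarded-For the valve walks the comma-separated list from right to left and stops at the first address that is not a known proxy, so a client-supplied "X-Forwarded-For: 1.2.3.4" that Apache appends its real peer address to is ignored as long as the proxy list is kept tight; the same protection does not exist for X-Forwarded-Proto, which is why the config above overwrites it on both listeners.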