Hi, I am testing deploying Camunda behind a proxy (Spring Cloud Netflix Zuul in my case), and the redirects on login in the Camunda webapps seem to be ignoring the x-forwarded HTTP header, which they should use to send the redirect correctly.
Is there any setting with which I should correct it, or do I have to rewrite the Camunda authentication filter?
Hi @tomorrow,
Which header? X-Forwarded-For, I assume. What do you expect to happen when the authentication filter receives a request with that header?
Cheers,
Askar
Hi yes, I meant exactly this header. I would expect the redirects would work.
Zuul should be filling this header. I have configured Spring Boot with server.use-forward-headers: true, but when I attempt to access e.g. Tasklist through the proxy on http://proxy:port/app/tasklist/index.html, I get redirected to http://application:applicationport/app/tasklist/default/ instead of http://proxy:port/app/tasklist/default/
Just to be more precise, from the trace of the request and response, there are headers:
Request:
x-forwarded-host localhost:10810
x-forwarded-port 10810
x-forwarded-proto http
Response
Location http://omnichannelpoc1:10810/app/tasklist/default/
status 302
Hi, so I’ve been doing a little bit of digging. The problem is, the x-forwarded-* headers seem to be handled differently in every application. Some use an absolute path in the redirect, where the absolute path is built using the x-forwarded-* headers; some alter the Tomcat server name to the value from x-forwarded-host themselves; also, the Tomcat embedded container will have a “fix” that will provide the ability to set the host header, which will be set to the server name.
For now, I am going with manually customizing the embedded servlet container with the following code:
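```java
// copied from spring-cloud/spring-cloud-netflix#1108
// Imports needed (Spring Boot 1.x with embedded Tomcat):
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.buf.MessageBytes;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerCustomizer customizer() {
    return (final ConfigurableEmbeddedServletContainer container) -> {
        ((TomcatEmbeddedServletContainerFactory) container).addContextValves(new ValveBase() {
            @Override
            public void invoke(final Request request, final Response response) throws IOException, ServletException {
                final MessageBytes serverNameMB = request.getCoyoteRequest().serverName();
                String originalServerName = null;
                // The header is absent on requests that bypass the proxy, so check
                // for null before splitting off the port that Zuul appends.
                // Note: the value is client-supplied unless the proxy overwrites it.
                final String forwardedHostHeader = request.getHeader("X-Forwarded-Host");
                final String forwardedHost =
                        forwardedHostHeader != null ? forwardedHostHeader.split(":")[0] : null;
                if (forwardedHost != null) {
                    // Temporarily present the proxy's host name as the server name
                    originalServerName = serverNameMB.getString();
                    serverNameMB.setString(forwardedHost);
                }
                try {
                    getNext().invoke(request, response);
                } finally {
                    // Restore the original server name after the request is handled
                    if (forwardedHost != null) {
                        serverNameMB.setString(originalServerName);
                    }
                }
            }
        });
    };
}
```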
For some proxies, splitting the x-forwarded-host might not be needed; Zuul sends a port in this header too, so I need to strip it.
Maybe it would be better to use an absolute path in the Camunda webapps ProcessEnginesFilter, where the server name and port would be created from the HTTP headers. As x-forwarded-host sometimes might be coming with or without a port, the absolute URL should be created with some robust logic, where common x-forwarded-* usages would be considered.
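The "robust logic" for building the absolute redirect URL suggested in the last post could look like the following. This is an added example, not part of the thread and not Camunda, Spring or Zuul code; the class `ForwardedBaseUrl`, its `resolve` method and the `localBase` and `trustedHosts` parameters are hypothetical names, and the precedence of a port inside X-Forwarded-Host over X-Forwarded-Port is an assumption.

```java
import java.util.Locale;
import java.util.Set;

// Added example: hypothetical helper, not Camunda, Spring or Zuul code.
public final class ForwardedBaseUrl {

    /** Returns "scheme://host[:port]" to prefix redirect paths with. */
    public static String resolve(String fwdProto, String fwdHost, String fwdPort,
                                 String localBase, Set<String> trustedHosts) {
        String proto = first(fwdProto);
        String hostHeader = first(fwdHost);
        String scheme = proto == null ? "" : proto.toLowerCase(Locale.ROOT);
        if (hostHeader == null || !(scheme.equals("http") || scheme.equals("https"))) {
            return localBase; // not proxied, or unusable proto value
        }
        // A colon after the last ']' separates the port; colons inside
        // "[...]" belong to an IPv6 literal and must not be split on.
        int colon = hostHeader.lastIndexOf(':');
        boolean hasPort = colon > hostHeader.lastIndexOf(']');
        String host = (hasPort ? hostHeader.substring(0, colon) : hostHeader)
                .toLowerCase(Locale.ROOT);
        int defaultPort = scheme.equals("https") ? 443 : 80;
        // Assumption: a port inside X-Forwarded-Host wins over X-Forwarded-Port.
        String portText = hasPort ? hostHeader.substring(colon + 1) : first(fwdPort);
        int port = portText == null ? defaultPort : parsePort(portText);
        // The headers are client-controllable unless the proxy overwrites
        // them, so only build redirects to hosts configured as trusted.
        if (port < 0 || !trustedHosts.contains(host)) {
            return localBase;
        }
        return scheme + "://" + host + (port == defaultPort ? "" : ":" + port);
    }

    // Chained proxies send "a, b"; the first entry is the outermost one.
    private static String first(String header) {
        if (header == null) return null;
        int comma = header.indexOf(',');
        String value = (comma < 0 ? header : header.substring(0, comma)).trim();
        return value.isEmpty() ? null : value;
    }

    private static int parsePort(String text) {
        try {
            int p = Integer.parseInt(text);
            return (p >= 1 && p <= 65535) ? p : -1;
        } catch (NumberFormatException e) {
            return -1;
        }
    }
}
```

With the request headers from the trace above (`x-forwarded-proto http`, `x-forwarded-host localhost:10810`, `x-forwarded-port 10810`) and `localhost` in `trustedHosts`, `resolve` returns `http://localhost:10810`; any forwarded host outside the trusted set falls back to `localBase`.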