Require HTTPS with Spring Security behind a reverse proxy

https java reverse-proxy spring-security

2022-09-02 23:29:42

I have a Spring MVC application secured with Spring Security. The majority of the application uses simple HTTP to save resources, but a small part processes more confidential information and requires an HTTPS channel.

Extract from the :security-config.xml

<sec:http authentication-manager-ref="authenticationManager" ... >
    ...
    <sec:intercept-url pattern="/sec/**" requires-channel="https"/>
    <sec:intercept-url pattern="/**" requires-channel="http"/>
</sec:http>

All worked fine until we decided to migrate it to the main server, where the application servers run behind reverse proxies. And as now HTTPS is processed by the reverse proxies the application server only sees HTTP requests, and disallows access to the hierarchy./sec/**

After some research, I found that the proxies add a header ^(*), but in Spring Security HttpServletRequest.isSecure() is used to determine the channel security offered (extract from javadoc).X-Forwarded-Proto: httpsSecureChannelProcessor

How can I tell Spring Security that a header is enough for a secure request?X-Forwarded-Proto: https

I know I could report that part on proxies configuration, but the proxies administrator really does not like that solution, because there are many application behind the proxies and the configuration could grow to a non manageable state.

I an currently using Spring Security 3.2 with XML config, but I'm ready to accept answers based on Java config and/or more recent version.

^(*)Of course, the proxies remove the header if it was present in incoming request, so the application can be confident in it.

答案 1

Kind of a followup to NeilMcGuigan's answer that showed that the solution was servlet container side.

Tomcat is even better. There is a valve dedicated to masking the side effects of a reverse proxy. Extract from Tomcat documentation for Remote IP Valve:

Another feature of this valve is to replace the apparent scheme (http/https), server port and request.secure with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

Example of the valve configuration :

<Valve className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="192\.168\.0\.10|192\.168\.0\.11"
    remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto" />

That way with no other configuration of the application itself, the call to will return true if the request contains a header field of .Request.isSecure()X-Forwarded-Proto=https

I had thought of two other possibilities, but definitively prefere that one :

use a filter active before Spring Security to wrap the request with a overriding to process a header - need writing and testing the filter and the wrapperChannelProcessingFilterHttpServletRequestWrapperisSecure()X-Forwarded-Proto
use a Spring to look for a and manually inject a able to consider the header - really too low levelBeanPostProcessorChannelProcessingFilterChannelDecisionManagerX-Forwarded-Proto

答案 2

Spring Boot makes it dead simple (at least with embedded Tomcat).

1. Add the following lines to your application.properties:

server.forward-headers-strategy=native
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto

2. Do the following trick with your HttpSecurity configuration.

// final HttpSecurity http = ...
// Probably it will be in your `WebSecurityConfigurerAdapter.configure()`

http.requiresChannel()
            .anyRequest().requiresSecure()

Source is Spring Boot reference guide

84.3 Enable HTTPS When Running behind a Proxy Server

Please also check the answer below for a specifics related to Spring Boot 2.2