I have installed Pentaho (9.x) on Tomcat 8.5 and OpenJDK 1.8 as required.
In front of it there is Apache 2.4 with mod_proxy_http.
My website is served with HTTPS and I have these Proxy rules:
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost on
ProxyPass "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPassReverse "/pentaho" "http://tomcat_host_ip:8080/pentaho"
ProxyPass "/pentaho/" "http://tomcat_host_ip:8080/pentaho/"
ProxyPassReverse "/pentaho/" "http://tomcat_host_ip:8080/pentaho/"
ProxyPass "/pentaho/Login" "http://tomcat_host_ip:8080/pentaho/Login"
ProxyPassReverse "/pentaho/Login" "http://tomcat_host_ip:8080/pentaho/Login"
When I try to log in a get an error during the POST:
https://pentaho.mywebsite.org/pentaho/j_spring_security_check
The application try to responde with HTTP protocol instead HTTPS.
In the request header I have the correct Referer and Origin:
Origin: https://pentaho.mywebsite.org
Referer: https://pentaho.mywebsite.org/pentaho/Login
But the response header reply with HTTP and NOT https:
Location http://pentaho.mywebsite.org/pentaho/
2
Answers
I solved the problem just adding proxyPort="443" and scheme="https" to my http connector in Tomcat.
The rule
on Apache was unusefull. This is my correct Apache configuration
And this is my Tomcat HTTP connector
Servlet applications use the
scheme
,serverName
andserverPort
properties of aServletRequest
to generate hyperlinks. Usually Tomcat gets the latter two from theHost
request header, whilescheme
depends on the connector.If you use a reverse proxy, the above logic may not be enough. You have two solution:
Setting
scheme
staticallyIn your case the proxy uses HTTPS, while Tomcat uses HTTP, so you must override the
scheme
andsecure
properties:while the Apache HTTP Server configuration can be shortened to:
Remark that in your answer you didn’t set the
secure
attribute: this attribute decides whether the transport is confidential. If you don’t set it to true, Tomcat will automatically redirect the browser toredirectPort
whenever the application asks for a confidential transport (cf. Securing Web Applications).This solution only works correctly, if your proxy forwards only HTTPS requests to Tomcat.
Setting
scheme
dynamicallyIf you forward both HTTP and HTTPS requests to Tomcat, the server needs a way to distinguish between them. Therefore you need to add a
RemoteIpValve
to your Tomcat configuration:and ask Apache HTTP Server to add an
X-Forwarded-Proto
header:This solution has also the advantage to set the client’s
remoteHost
andremoteAddr
instead of those of the proxy.