After nginx proxies HTTPS, the application's redirect changes https to http

2013/10/11 18:03

Problem description

After nginx proxies HTTPS, the application's redirect changes https to http.

Similar cases

http://2hei.net/mt/2010/02/request-getscheme-cannt-get-https.html

http://yywudi.info/nginx-https-400-bad-request-solution/

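Cause analysis:

The connection from the browser to nginx is HTTPS, but the connection from nginx to the application server is plain HTTP. When the application server then issues a 302 redirect, the redirect address it returns becomes an http address.

The reason is how the servlet behind Spring MVC obtains the scheme: request.getScheme() takes the scheme value from the request, so this value has to be set to https when nginx proxies the request.

Here, request.getScheme() returns http, not https.

Solution:

For now it is:

proxy_redirect http:// $scheme://;

I haven't looked into exactly how this works yet; I'll study it in more detail when I have time.

Reference: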

http://serverfault.com/questions/372886/prevent-nginx-from-redirecting-traffic-from-https-to-http-when-used-as-a-reverse

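Also, with nginx configured for HTTPS and nginx-to-Jetty going over HTTP, you may want request.getScheme in Jetty to return https (versions 8 and 9 differ; for 8 I simply changed a bit of the code).

To do it without changing the code, see: https://dev.eclipse.org/mhonarc/lists/jetty-users/msg05430.html

In Jetty 9, add the following to start.ini; for details see jetty-http-forwarded.xml

--module=http-forwarded

nginx configuration for reference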

server {
    listen 443 ssl;
    server_name welife.gh.com;
    charset utf-8;
    ssl_session_timeout 5m;

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /usr/local/nginx/ssl/ssl_20160512/gh.com/gh.com.pem;
    ssl_certificate_key /usr/local/nginx/ssl/ssl_20160512/gh.com/gh.com.key;

    location / {
        # only the listed methods are allowed; all others are denied
        limit_except GET POST HEAD OPTIONS {
            deny all;
        }
        proxy_pass http://welife-cluster;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_next_upstream error invalid_header http_503 http_500 http_502 http_504;
        # custom header carrying the client-facing scheme; read by the Jetty change below
        proxy_set_header Whatis-Scheme $scheme;
    }
}

Source changes made to Jetty 8.1.18

// void org.eclipse.jetty.server.Response.sendError(int code, String message) throws IOException
// Fix for request errors caused by illegal characters

// String uri = request.getRequestURI();
// shenwr  end 2015-11-20
String uri = null;
try {
    uri = request.getRequestURI();
} catch (NotUtf8Exception e) {
    uri = request.getRequestURIISO8859();
}

// shenwr  end 2015-11-20
// String org.eclipse.jetty.server.Request.getRequestURIISO8859()  // added: illegal characters cause request errors

public String getRequestURIISO8859()
{
    if (_requestURI == null && _uri != null)
        _requestURI = _uri.getPathAndParamISO8859();
    return _requestURI;
}

// String org.eclipse.jetty.http.HttpURI.getPathAndParamISO8859()  // added: illegal characters cause request errors
public String getPathAndParamISO8859()
{
    if (_path == _query)
        return null;
    return StringUtil.toString(_raw, _path, _param - _path, StringUtil.__ISO_8859_1);
}

// void org.eclipse.jetty.server.nio.SelectChannelConnector.customize(EndPoint endpoint, Request request) throws IOException

public void customize(EndPoint endpoint, Request request) throws IOException
{
    // add by xxxx
    // Take the scheme from the Whatis-Scheme header that nginx sets
    if (request.getHeader("Whatis-Scheme") != null && request.getHeader("Whatis-Scheme").equals("https")) {
        request.setScheme("https");
    } else {
        request.setScheme("http");
    }

    // add by xxxx
    request.setTimeStamp(System.currentTimeMillis());
    endpoint.setMaxIdleTime(_maxIdleTime);
    super.customize(endpoint, request);
}
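The customize() change above accepts Whatis-Scheme from whatever peer connects; nginx overwrites the header for traffic it proxies, but a client that reaches the Jetty port directly can set it freely. The following is an added example, not code from the original post or from Jetty: it applies the same scheme override in a subclass instead of a source patch and honours the header only when the connection comes from a listed proxy address. The class name, the resolveScheme helper and the sample addresses are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.nio.SelectChannelConnector;

/** Hypothetical connector: honours Whatis-Scheme only when the peer is a known nginx address. */
public class TrustedProxySchemeConnector extends SelectChannelConnector {

    // Assumption: the addresses nginx connects from, supplied by the deployer.
    private final Set<String> trustedProxies;

    public TrustedProxySchemeConnector(String... proxyAddrs) {
        this.trustedProxies = new HashSet<String>(Arrays.asList(proxyAddrs));
    }

    /** Pure decision logic, static so it can be exercised without starting a server. */
    static String resolveScheme(Set<String> trusted, String peerAddr, String header) {
        boolean fromProxy = peerAddr != null && trusted.contains(peerAddr);
        // A direct client can send any header value, so the header is
        // ignored unless the TCP peer is one of the proxies.
        if (fromProxy && "https".equals(header)) {
            return "https";
        }
        return "http";
    }

    @Override
    public void customize(EndPoint endpoint, Request request) throws IOException {
        request.setScheme(resolveScheme(trustedProxies,
                endpoint.getRemoteAddr(), request.getHeader("Whatis-Scheme")));
        // The stock connector still sets the timestamp and idle time.
        super.customize(endpoint, request);
    }

    public static void main(String[] args) {
        // Constructed sample addresses, for illustration only.
        Set<String> trusted = new HashSet<String>(Arrays.asList("10.0.0.5"));
        System.out.println(resolveScheme(trusted, "10.0.0.5", "https"));    // proxied, TLS at nginx
        System.out.println(resolveScheme(trusted, "10.0.0.5", "http"));     // proxied, plain HTTP
        System.out.println(resolveScheme(trusted, "203.0.113.9", "https")); // direct client
    }
}
```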
 

 
