Pivotal CloudFoundry:强制实施HTTPS(SSL) [英] Pivotal CloudFoundry: Enforcing HTTPS (SSL)
问题描述
我想对要在Pivotal CloudFoundry托管的Spring Boot应用程序强制实施HTTPS,并且我认为大多数应用程序今天都希望这样做。据我所知,常用的方法是使用
I want to enforce HTTPS for a Spring Boot application to be hosted at Pivotal CloudFoundry, and I think most of the applications would want this today. The common way of doing it, as I know, is using
http.requiresChannel().anyRequest().requiresSecure()
但这会导致重定向循环。据我通过引用 this 这样的帖子所了解,原因是负载平衡器将https转换回http。这意味着它必须在负载均衡器级别完成。
But this is causing a redirect loop. The cause, as I understand by refering to posts like this, is that the load balancer converts back https to http. That means, it has to be done at the load balancer level.
因此,是否有一些选项可以告诉CloudFoundry为应用程序实施HTTPS?如果不是,这不是功能请求吗?而且,今天有什么好的方法呢?
So, is there some option to tell CloudFoundry to enforce HTTPS for an application? If not, shouldn't this be a feature request? And, what could be a good way to have this today?
更新:Cloud Foundry或Spring Security团队的所有人都看到了这一点吗?发布?我认为这是一项基本功能,然后才能在CloudFoundry上托管应用程序。谷歌搜索,我发现没有简单的解决方案,只能告诉用户使用https而不是http。但是,即使我这样说,当匿名用户尝试访问受限页面时,Spring Security会将其重定向回http登录页面。
Update: Did any of you from Cloud Foundry or Spring Security team see this post? I think this is an essential feature before one can host an application on CloudFoundry. Googling, I found no easy solution but to tell the users to use https instead of http. But, even if I tell so, when an anonymous user tries to access a restricted page, Spring Security is redirecting him back, to the http login page.
更新2 :当然,正如许多答案所建议的那样,我们有 x-forwarded-proto 标头,但我不知道自定义的难度Spring Security的功能来使用它。然后,我们将Spring Social与Spring Security集成在一起,而我在那儿也遇到了一个问题。我认为Spring Security和其他众多框架都需要提供使用 x-forwarded-proto 的解决方案,或者CloudFoundry需要某种透明地处理它的方法。我认为以后会很方便。
Update 2: Of course, we have the x-forwarded-proto header as many answers suggest, but I don't know how hard it would be to customize the features of Spring Security to use that. Then, we have other things like Spring Social integrating with Spring Security, and I just faced an issue there as well. I think either Spring Security and tons of other other frameworks will need to come out with solutions to use x-forwarded-proto, or CloudFoundry needs to have some way to handle it transparently. I think the later would be far convenient.
推荐答案
通常,当您将WAR文件推送到Cloud Foundry(Java构建包)时将采用它并将其部署到Tomcat。之所以如此行之有效,是因为Java构建包可以为您配置Tomcat并自动包含一个RemoteIpValve,它使用x-forwarded- *标头并重新配置您的请求对象。
Normally, when you push a WAR file to Cloud Foundry, the Java build pack will take that and deploy it to Tomcat. This works great because the Java build pack can configure Tomcat for you and automatically include a RemoteIpValve, which is what takes the x-forwarded-* headers and reconfigures your request object.
如果您使用Spring Boot并将其作为JAR文件推送,则将在应用程序中嵌入Tomcat。由于Tomcat嵌入在您的应用程序中,因此Java构建包无法针对环境对其进行配置(即,它无法配置RemoteIpValve)。这意味着您需要对其进行配置。可以在此处。
If you're using Spring Boot and pushing as a JAR file, you'll have an embed Tomcat in your application. Because Tomcat is embedded in your app, the Java build pack cannot configure it for the environment (i.e. it cannot configure the RemoteIpValve). This means you need to configure it. Instructions for doing that with Spring Boot can be found here.
如果要将Web应用程序部署为JAR文件但是使用其他框架或嵌入式容器,则需要查找框架/容器的文档,并查看其是否具有对x-forwarded- *标头的自动处理。如果没有,则需要手动处理,就像其他答案所建议的那样。
If you're deploying an web application as a JAR file but using a different framework or embedded container, you'll need to look up the docs for your framework / container and see if it has automatic handling of the x-forwarded-* headers. If not, you'll need to manually handle that, like the other answers suggest.
这篇关于Pivotal CloudFoundry:强制实施HTTPS(SSL)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
