[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
| Re: [jetty-users] Solr admin UI redirecting root path requests to http instead of https | 
  
  
    Hi,
    
    Am 24.05.2022 um 19:09 schrieb Shawn
      Heisey:
    
    On
      5/24/22 10:31, Shawn Heisey wrote: 
      Where would I do
        HttpConfiguration.setRelativeRedirectAllowed(true)? That looks
        like Java code, and Jetty is not embedded.  This is the
        jetty.xml in Solr 8.x: 
        
        https://gitbox.apache.org/repos/asf?p=lucene-solr.git;a=blob_plain;f=solr/server/etc/jetty.xml;h=e2f4ab095984aac27185a9879964862f9ba35d4d;hb=refs/heads/branch_8_11
        
      
      
      If we incorporated the ForwardedRequestCustomizer that Uwe
      mentioned in our jetty config, would that work for those using a
      proxy as well as those NOT using a proxy?  I see that this config
      is already in our jetty.xml, commented. 
      
      What I am hoping for is coming up with an xml config that allows
      this to work properly for all users whether they incorporate a
      proxy or not.  Most proxies send X-Forwarded-For, and configuring
      X-Forwarded-Proto is typically very easy.
    
    It has no side effects, but it may open some security issues:
      Normally, a reverse proxy would be the only one setting the
      request headers (also for example the remote user's IP, not only
      scheme and other metadata). The reverse proxy would also strip any
      X-Forwarded or Forwarded headers from the client and only add its
      own ones.
    
    If you do not have a reverse proxy, the client could send the
      headers and cause incorrect access log entries by faking IP
      addresses or causing invalid redirects. The first may be a
      security issue, especially if you have ip-based access control.
      The latter is not so serious.
    
    I
      uncommented the call to ForwardedRequestCustomizer and configured
      haproxy to send the X-Forwarded-Proto header.  This fixed the
      redirect, and it looks like a request sent directly to Solr still
      works properly too.  Can anyone imagine any unintended side
      effects from uncommenting ForwardedRequestCustomizer in our source
      repo's XML configs for jetty? 
    
    No side effects, it is only a security issue (see above). I wold
      make it a boolean option in Solr's config.
    
    Is
      there a more generic fix that would cause jetty to NOT send an
      absolute URL path in its redirect?  (what I was initially aiming
      for) 
    
    According to "original" HTTP standards, the URIs has to be
      absolute, but it still worked with most browsers also in the past.
      Since 2014 this is standardized and it should now work relative (<https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2>).
      
    
    So in general nowadays relative URIs should be ok, but still old
      non-browser software may fail.
    
     
    
      If you are going to use the ForwardedRequestCustomizer do
        yourself a favor and only use the RFC 7239 mode.
      
      
      Do not use the X-Forwarded-* headers, they are a giant mess
        of conflicting behaviors and rules with no standardization
        behind them.
      Big players interpret the headers differently (Google, vs
        AWS, vs Azure, vs haproxy, etc)
    
    That depends on your reverse proxy software. At moment most of them
    just implement the old-style X-Forwarded- stuff. But I agree with
    you.
    
The RequestCustomizer should handle all of them. I was just
      talking about them, because with Apache and NGINX you always get
      those automatically.
    
    Uwe
    
    -- 
Uwe Schindler
uschindler@xxxxxxxxxx 
ASF Member, Member of PMC and Committer of Apache Lucene and Apache Solr
Bremen, Germany
https://lucene.apache.org/
https://solr.apache.org/