
SSL termination with Jetty and a load balancer

[Java]

Jetty

  • Goal
    • HTTPS from the user's browser to the ELB, and plain HTTP from the ELB to the application server

→ This is called SSL termination. I seem to recall it was very easy with Rails, but Spring Security makes it a hassle.

  Termination example with Tomcat

     HTTP (80) -----> ELB -----> Tomcat (8080)
   HTTPS (443) -----> ELB -----> Tomcat (8080)
  • server.xml
    • Just set secure="true"
<Connector
    port="8080"
    protocol="HTTP/1.1"
    proxyPort="443"
    scheme="https"
    secure="true"
    proxyName="myapp.example.com"
    connectionTimeout="20000"
    URIEncoding="UTF-8"
    redirectPort="8443" />

  Termination example with Jetty (old)

   ah, looks like Jetty has a Connector.setForwarded(true) 
   you can call http://wiki.eclipse.org/Jetty/Tutorial/Apache#Configuring_mod_proxy_http
   
   so perhaps it's simply a matter of enabling a "forwarded" flag that will enable that in jetty

To connect to the servlet container over HTTP, the ProxyPass directive can be used to send requests received on a particular URL to a Jetty instance. The following example will proxy all requests received by Apache on /test/* to the /context running on the local Jetty instance on port 8080:

ProxyPass /test http://localhost:8080/context

Alternately, the location directive can be used to group multiple directives for the same URL:

<Location /test/>
  ProxyPass /test http://localhost:8080/context
  SetEnv proxy-nokeepalive 1
</Location>

The mod_proxy_http will set some additional headers on the requests that it proxies:

  • X-Forwarded-For - The IP address of the client
  • X-Forwarded-Host - The original host requested by the client in the Host HTTP request header
  • X-Forwarded-Server - The hostname of the proxy server

While not supported directly by mod_proxy_http, Jetty also understands the following experimental request header:

  • X-Forwarded-Proto - The URL protocol scheme of the original request

One option for setting this, if the protocol scheme is static, is to use the mod_headers RequestHeader directive.

If the values of these headers are meaningful to your web application, then Jetty can be configured to interpret them and make their values available via the servlet API. The setForwarded(true) method should be called on the connector. This can be done in jetty.xml like:

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="host"><SystemProperty name="jetty.host" /></Set>
      <Set name="port"><SystemProperty name="jetty.port" default="8080"/></Set>
      <Set name="forwarded">true</Set>
    </New>
  </Arg>
</Call>

  Termination with Jetty

  ELB / ELB behavior

   The following example includes the X-Forwarded-Proto request header for a request that the client originated as an HTTPS request.
   
   X-Forwarded-Proto: https

With this header, Jetty should handle forwarded traffic as https requests.

  • Test
    • Fake a forwarded request with curl
$ curl localhost:8080/your/app/path.do -v -H "Host: foo.com" -H "X-Forwarded-Proto: https"
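As an added example (not code from this page, nor from Jetty, Tomcat or Spring Security), here is a servlet filter that applies X-Forwarded-Proto the way the configuration above expects, but only when the request actually arrived from the load balancer. Spring Security's requiresSecure check (SecureChannelProcessor) decides on HttpServletRequest.isSecure(), which is why the forwarded handling matters at all. The curl test above also shows that, once forwarded headers are honored, any client that can reach port 8080 directly can set the header itself, so restricting it to the ELB's addresses is the check worth having. The init-param name trustedProxies, the example proxy addresses and the fixed external port 443 are assumptions.

```java
// Added example, not part of the original page or of Jetty/Tomcat/Spring Security.
// Assumptions: Servlet API 3.x (javax.servlet); the ELB is the only trusted source
// of X-Forwarded-* headers; its addresses come from the hypothetical init-param
// "trustedProxies"; the ELB terminates HTTPS on port 443.
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class TrustedForwardedProtoFilter implements Filter {

    private final Set<String> trustedProxies = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        // e.g. <init-param> trustedProxies = "10.0.0.10,10.0.1.10" (constructed values)
        String list = config.getInitParameter("trustedProxies");
        if (list != null) {
            for (String addr : list.split(",")) {
                trustedProxies.add(addr.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Honour X-Forwarded-Proto only when the immediate peer is the load balancer.
        // A client hitting 8080 directly (as the curl test on this page does) keeps
        // isSecure() == false, so a requires-secure rule still applies to it.
        boolean fromProxy = trustedProxies.contains(http.getRemoteAddr());
        boolean claimsHttps = "https".equalsIgnoreCase(http.getHeader("X-Forwarded-Proto"));
        if (fromProxy && claimsHttps) {
            chain.doFilter(new SecureRequest(http), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
    }

    /**
     * Presents the request as HTTPS so isSecure(), getScheme() and getRequestURL()
     * describe what the browser used, which keeps redirects on https.
     */
    static class SecureRequest extends HttpServletRequestWrapper {
        SecureRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public boolean isSecure() {
            return true;
        }

        @Override
        public String getScheme() {
            return "https";
        }

        @Override
        public int getServerPort() {
            return 443; // assumption: the ELB's HTTPS listener
        }

        @Override
        public StringBuffer getRequestURL() {
            // Rebuild the absolute URL with the external scheme; getServerName()
            // already reflects the Host header the ELB passes through.
            return new StringBuffer("https://")
                    .append(getServerName())
                    .append(getRequestURI());
        }
    }
}
```

Register the filter ahead of Spring Security's filter chain in web.xml (or the equivalent programmatic registration) and pass the ELB's addresses as trustedProxies. Against the curl command above, sent from localhost rather than from an ELB address, the request stays non-secure; the same request relayed by the ELB with X-Forwarded-Proto: https is reported as https, which is the behaviour the Tomcat secure="true" connector and the Jetty forwarded setting aim for.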