13

I want to redirect all requests for http to https using Jetty (6.1.24). For some reason (my ignorance) this is eluding me. This is what I have:

<New id="redirect" class="org.mortbay.jetty.handler.rewrite.RedirectPatternRule">
  <Set name="pattern">http://foobar.com/*</Set>
  <Set name="location">https://foobar.com</Set>
</New>

In response I get 200 - ok, and the body is the page over http, i.e. the redirect doesn't occur.

Noel Kennedy
  • I assume that the server responds correctly if you manually enter a HTTPS url. Can you provide any details from the jetty log output and/or details of what's happening in your browser - does your browser get a redirect at all? If so what URL did you enter and what URL did it redirect you to? – Tim Mar 11 '12 at 12:39
  • Yes, server responds correctly to https request. I've found out why I was getting a 502 before, I had commented out Jetty's listener on 8080... – Noel Kennedy Mar 12 '12 at 16:20

4 Answers

7

Speaking for Jetty 9... Here's how you can do it provided that your SSL connector already works:

Step 1: Make sure everything goes through SSL by adding this to your web.xml. If you try to access a resource through HTTP, this will return a 403 !SECURE error

<security-constraint>
  <web-resource-collection>
   <web-resource-name>Everything</web-resource-name>
   <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Step 2: Have Jetty redirect to HTTPS when it sees a 403 !SECURE error by adding this to your jetty.xml

<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
   <Arg>
      <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
         <!-- This says... Redirect to https://host:8443 if server returns "NOT SECURE" error -->
         <Set name="secureScheme">https</Set>
         <Set name="securePort">8443</Set>
      </New>
   </Arg>
   <Call name="addCustomizer">
      <Arg>
         <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
      </Arg>
   </Call>
</New>

<!-- This is your HTTP connector, you should have another one for HTTPS -->
<New class="org.eclipse.jetty.server.ServerConnector">
   <Arg name="server">
      <Ref refid="MyServer" />
   </Arg>
   <Arg name="factories">
      <Array type="org.eclipse.jetty.server.ConnectionFactory">
         <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
               <Arg name="config">
                  <!-- defined above -->
                  <Ref refid="tlsHttpConfig" />
               </Arg>
            </New>
         </Item>
      </Array>
   </Arg>
   <Set name="host">localhost</Set>
   <Set name="port">8080</Set>
</New>
Emre Colak
4

I think that the pattern is matching only the URI. You should use something like:

<New id="forwardedHttps" class="org.eclipse.jetty.rewrite.handler.ForwardedSchemeHeaderRule">
           <Set name="header">X-Forwarded-Scheme</Set>
           <Set name="headerValue">https</Set>
           <Set name="scheme">https</Set>
</New>

See: http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/rewrite/handler/RewriteHandler.html

Mircea Vutcovici
  • as of Jetty9, link should be http://www.eclipse.org/jetty/documentation/current/rewrite-handler.html – foo Aug 22 '18 at 11:10
1

I just added the doc: http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Redirecting_http_requests_to_https

Kent Tong
  • Welcome to Server Fault! Generally we like answers on the site to be able to stand on their own - Links are great, but if that link ever breaks the answer should have enough information to still be helpful. Please consider editing your answer to include more detail. – voretaq7 Jul 11 '12 at 05:01
0

As far as I can tell, this is not easy to do with any of the rules/handlers that are shipped with Jetty 6.

The RedirectPatternRule matches on the target which is the path in the Jetty server, and not the full URI, so your rule is never matching.

You could change it to:

<New id="redirect" class="org.mortbay.jetty.handler.rewrite.RedirectPatternRule">
  <Set name="pattern">/*</Set>
  <Set name="location">https://foobar.com</Set>
</New>

However, that has 2 issues:

  1. It will redirect all requests (even https requests)
  2. It doesn't take the requested URL into account (it always redirects to location as it is specified, and ignores anything that was matched by the pattern)

You can overcome the first issue with some trickery.
You can wrap the RewriteHandler in a ContextHandler, and a context handler allows you to specify which connectors it will handle requests from (setConnectorNames). So, you could use that to make the rewrite only apply to requests on the http connector(s).

I can't think of a way to overcome the second issue though.

I think your best bet will be to write your own redirect rule for this. If you don't have development resources to do that for you, then contact me (you can find my email address via my blog, which is in my profile) and I can whip one up (under the same license as Jetty). It will be pretty straightforward to write a rule that simply redirects http to https.

Tim
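
A sketch of the custom rule the last answer proposes, as an added example that is not part of any answer above and not Jetty's own code. It skips requests that already arrived over HTTPS (issue 1) and keeps the requested path and query string (issue 2). The class name `HttpsRedirectRule`, its `host` and `port` properties and the package are hypothetical, and it assumes the Jetty 6 `org.mortbay.jetty.handler.rewrite.Rule` base class with an abstract `matchAndApply` plus `setHandling` and `setTerminating`.

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.mortbay.jetty.handler.rewrite.Rule;

/** Hypothetical rule: redirects plain-HTTP requests to the same path on HTTPS. */
public class HttpsRedirectRule extends Rule {
    private String host;     // canonical host name, configured rather than taken from the request
    private int port = 443;  // HTTPS port clients should be sent to

    public HttpsRedirectRule() {
        setHandling(true);     // the rule produces the response itself
        setTerminating(true);  // no later rule should run after a redirect
    }

    public void setHost(String host) { this.host = host; }
    public void setPort(int port) { this.port = port; }

    public String matchAndApply(String target, HttpServletRequest request,
                                HttpServletResponse response) throws IOException {
        // Issue 1: requests that already arrived over TLS must not match.
        if (request.isSecure()) {
            return null;
        }
        if (host == null) {
            throw new IllegalStateException("host not configured");
        }
        // Build the Location from the configured host, never from the
        // client-supplied Host header, so the client cannot choose the target.
        StringBuffer location = new StringBuffer("https://").append(host);
        if (port != 443) {
            location.append(':').append(port);
        }
        // Issue 2: keep the requested path and query string.
        location.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            location.append('?').append(query);
        }
        response.sendRedirect(location.toString());
        return target; // non-null tells the RewriteHandler the rule matched
    }
}
```

Register it on the RewriteHandler in place of the RedirectPatternRule and set `host` to the site's own name; with the `isSecure()` check in place the ContextHandler wrapping is not needed.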