Apache reverse proxy jumps back to insecure protocol after redirect

Question

I installed a reverse proxy apache server which handles the SSL encryption for a tomcat. We have a struts web application, and everytime we use response.sendRedirect(), the application falls back into the normal HTTP protocol instead of staying at HTTPS. The application has to run with both protocols, and I can't handle SSL over the tomcat container.

I can use HTTPS and navigate around through links and actions. But if I come to an action that uses redirect, it will be only HTTP. Why is that so?

SSLProxyEngine [off|on] # (Differs between the ssl and the other normal conf)
ProxyPreserveHost On
ProxyPass / http://mysite:1234/
ProxyPassReverse / http://mysite:1234/

This is my config. I thought about switching the http to https in the ssl config but that leads to this:

Bad Gateway

The proxy server received an invalid response from an upstream server. Additionally, a 502 Bad Gateway error was encountered while trying to use an ErrorDocument to handle the request.

How can I get the redirects to stick to HTTPS?

What's an example `Location` header sent to the client in a redirect? — Shane Madden, Oct 04 '12 at 15:52
Well the 302 response header specifies http: as its location... — Dennis Ich, Oct 04 '12 at 16:34

Alastair McCormack · Accepted Answer · 2012-10-04T16:44:27.957

If sendRedirect uses a relative path, Tomcat will add absolute elements including scheme (http/https) and servername.

Scheme will default to http unless you override it. The servername will come from the host header which you've carefully passed already.

I had the same problem and used a new Tomcat connector (along side the existing one) on a separate port which overrides the scheme and sets the port for good measure:

<Connector port="8443" protocol="HTTP/1.1" URIEncoding="UTF-8"
                    connectionTimeout="20000"
                    scheme="https" proxyPort="443"/>

Then in Apache, the SSL virtual host has:

ProxyPass / http://<tomcat_server>:8443/

The plain HTTP virtual host continues to use the existing Connector port (8080)

Alternatively, you could hard code the redirect location when calling sendRedirect() but this is obviously inflexible.

score 0 · Answer 2 · answered Mar 20 '18 at 14:06

0

I solved this issue just by adding the following ProxyPassReverse directive to Apache server configuration:

ProxyPassReverse / http://<apacheserver>:<httpsport>/

answered Mar 20 '18 at 14:06

DGardim

101
1

Apache reverse proxy jumps back to insecure protocol after redirect

2 Answers2

Linked