I am currently implementing https
on our production environment, but I am scratching my head over a little thing here.
SSL is terminated in the load balancer and the flow in our stack is basically like this:
Production: Browser <- https
-> Load balancer <- http
-> Apache <- http
-> Load balancer <- http
-> Tomcat
Testing: Browser <- https
-> nginx <- http
-> Load balancer <- http
-> Tomcat
When I access our login-page over HTTPS:
Request headers
POST /login/form HTTP/1.1
Host: www.example.org
Connection: keep-alive
Content-Length: 74
Cache-Control: max-age=0
Origin: https://www.example.org
Content-Type: application/x-www-form-urlencoded
Referer: https://www.example.org/login
Accept-Encoding: gzip,deflate,sdch
Accept-Language: nb,en-US;q=0.8,en;q=0.6
Response headers
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 17 Jan 2014 11:16:50 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: FOO=example
Location: http://www.example.org/portal
Strict-Transport-Security: max-age=31536000
I talked to a developer and he told me the following:
In the code there is sth like request.sendRedirect("/portal") and Tomcat does the rest.
I am able to reproduce the problem on the testing environment, although a bit different stack.
My questions:
- Why do I get
http
as the scheme in theLocation
-header when the original request from the browser was made withhttps
? - Is this an Apache mod_rewrite/mod_proxy or nginx problem?
- Is this a problem with Tomcat?