secure redirect behind load balancer

**mfortin** · May 17th, 2007, 12:29 PM

Hello,

We have some apps that are run behind a load balancer and the balancer also handles ssl encryption. All requests internally are handled on a single none secure port (8080). The request header has a flag to mark if the request is secure.

When a request comes in that starts on https and I return a redirect (eg. viewName="redirect:somepage.do"), it sends a redirect with an insecure url. Is there a way to configure spring to be aware of the request header and return a secure url? Id rather not have to add code to all my controllers to return the correct ModelAndView.

Thanks in advance,
Michael

**jonnio** · May 17th, 2007, 01:15 PM

For some application servers (weblogic, etc), the redirect to HTTPS is controlled via web.xml. For weblogic, if you add the appropriate http header, weblogic will accept non http connection as https as it is assuming the SSL was front-end offloaded. This shouldn't be a spring issue, AFIK.

**ssquare** · May 18th, 2007, 10:04 AM

We were using Cisco's Content Switch Balancing and ran into the same issue. There is nothing Spring Can do about it, as the Switch was turning an SSL request to non ssl request before forwarding it our webpage.

The only way around this issue is that Configure the Switch correctly. We had set a flag in the switch to turn the flag on where it says that even if it is a redirect, change http to https. ( a very simple flag setting, nothing fancy)

**sams_6** · Mar 10th, 2008, 09:36 AM

I had the very same issue - the load balancer was offloading SSL encryption/decryption and passing the request along on port 80. Spring's redirect notion ('redirect:') for relative URLs responds on the same protocol as the incoming request so all my redirects went out on port 80.

Fortunately our load balancer injects a header indicating that the request came in on SSL. I extended UrlBasedViewResolver to intercept relative 'redirect:' s (I left explicit fully-qualified redirects alone) and then extended RedirectView to check the request header for the load-balancer-injected flag and build an https: response if necessary.

Hope this helps. Drop me a line if you need more info.

**Ruuzo** · Aug 18th, 2008, 08:14 PM

Originally Posted by sams_6

I had the very same issue - the load balancer was offloading SSL encryption/decryption and passing the request along on port 80. Spring's redirect notion ('redirect:') for relative URLs responds on the same protocol as the incoming request so all my redirects went out on port 80.

Fortunately our load balancer injects a header indicating that the request came in on SSL. I extended UrlBasedViewResolver to intercept relative 'redirect:' s (I left explicit fully-qualified redirects alone) and then extended RedirectView to check the request header for the load-balancer-injected flag and build an https: response if necessary.

Hope this helps. Drop me a line if you need more info.

i'm in the same boat, but i also need to configure spring web flow to do the same thing, and i can't figure out how to do it...do you have any ideas?

thanks

Richard F.

Thread: secure redirect behind load balancer

Thread Tools

Display

secure redirect behind load balancer

I ended up customizing UrlBasedViewResolver and RedirectView

Posting Permissions