[
https://issues.apache.org/jira/browse/SOLR-16200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541688#comment-17541688
]
Shawn Heisey edited comment on SOLR-16200 at 5/24/22 8:09 PM:
--------------------------------------------------------------
Talking to the jetty mailing list, I have a solution.
In server/etc/jetty.xml there is a commented config section calling
ForwardedRequestCustomizer. Uncomment that and restart Solr.
Then in your proxy, there are two ways forward. One is the legacy X-Forwarded
headers. Very likely your proxy is already sending X-Forwarded-For ... you can
add X-Forwarded-Proto and set it to https.
The jetty folks recommend not using the X-Forwarded-* headers, though. There
is an RFC defining an official standard for proxy headers:
[https://tools.ietf.org/html/rfc7239]
I configured haproxy to send the standardized header with this line:
{code:java}
http-request add-header Forwarded "for=\"%[src]\"; proto=https" {code}
I can confirm that these changes eliminate the issue. I am going to
investigate whether we can uncomment the ForwardedRequestCustomizer config
option in the git repo so the next 9.x release has it enabled by default. From
the little bit of testing I have done, I think this is safe to do. I invite
comment on that from anyone who has a lot of familiarity with Jetty.
was (Author: elyograg):
Talking to the jetty mailing list, I have a solution.
In server/etc/jetty.xml there is a commented config section calling
ForwardedRequestCustomizer. Uncomment that.
Then in your proxy, there are two ways forward. One is the legacy X-Forwarded
headers. Very likely your proxy is already sending X-Forwarded-For ... you can
add X-Forwarded-Proto and set it to https.
The jetty folks recommend not using the X-Forwarded-* headers, though. There
is an RFC defining an official standard for proxy headers:
[https://tools.ietf.org/html/rfc7239]
I configured haproxy to send the standardized header with this line:
{code:java}
http-request add-header Forwarded "for=\"%[src]\"; proto=https" {code}
I can confirm that these changes eliminate the issue. I am going to
investigate whether we can uncomment the ForwardedRequestCustomizer config
option in the git repo so the next 9.x release has it enabled by default. From
the little bit of testing I have done, I think this is safe to do. I invite
comment on that from anyone who has a lot of familiarity with Jetty.
> cant cancel scheme/protocol redirect when accessing the admin UI
> ----------------------------------------------------------------
>
> Key: SOLR-16200
> URL: https://issues.apache.org/jira/browse/SOLR-16200
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI
> Affects Versions: 8.11
> Reporter: sam
> Priority: Major
>
> I have solrcloud + zookeeper behind a reverse proxy which is doing https
> termination.
> Problem is when asking for solr's admin UI solr keeps redirecting me to http,
> I considered changing the urlscheme to https but then internal connections
> behind the proxy won't work.
> Is it possible to cancel the scheme/protocol redirect only? I still want to
> be redirected from / to /solr/
> I'm using solr's official docker images with a helm chart deploying to
> openshift.
> basiclly I want [http://my-solr/] to forward to [http://my-solr/solr/]
> and [https://my-solr/] to forward to [https://my-solr/solr/]
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
