Hi,

To answer my own question, the root cause is that I did not specify the customizer in the binding to take advantage of the X-forwarded-proto header. After adding the customizer, I see all the URLs generated are now https. Here is where I got my answer:
https://issues.apache.org/jira/browse/ARTEMIS-3011?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel%3D17238390#comment-17238390

However, now I am facing another issue: once authenticated, this POST request always returns 403:
https://dev1.mycompany.com/stack/nle/artemis-master/console/jolokia/?maxDepth=7&maxCollectionSize=50000&ignoreErrors=true&canonicalNaming=false

and here is the request header:

POST /stack/nle/artemis-master/console/jolokia/?maxDepth=7&maxCollectionSize=50000&ignoreErrors=true&canonicalNaming=false HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 71
Content-Type: text/json
Host: dev1.company.com
Origin: https://dev1.company.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"

Here is the response header
--------------------------
HTTP/1.1 403 Forbidden
access-control-allow-origin: *
cache-control: max-age=0, no-cache, must-revalidate, proxy-revalidate, private
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; frame-src 'self';default-src 'self' https://*.company.com <http://nakisa.com> https:// *.company.io/ <http://nakisa.io/> https://fonts.gstatic.com https://use.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com https://developers.google.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self' data: https://*.company.com <http://nakisa.com> https://*.company.io/ <http://nakisa.io/> https://maps.gstatic.com https://*.googleapis.com https://*.tile.osm.org; font-src 'self' https://fonts.gstatic.com https://use.fontawesome.com;
date: Fri, 10 Jun 2022 19:14:46 GMT
hawtio-forbidden-reason: NONE
permissions-policy: camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),usb=()
pragma: no-cache
referrer-policy: no-referrer
server: company
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-envoy-upstream-service-time: 1
x-frame-options: SAMEORIGIN
x-xss-protection: 1
Content-Length: 0
Connection: keep-alive
--------------------

and since that post retrieves the data (accessors, addresses,...) I end up having a blank page when I get the 403.

One thing I notice is that the content-security-policy seems to have duplicated directives like default-src, script-src. I am not sure that causes the 403, but Chrome said it ignores the duplicates:
Ignoring duplicate Content-Security-Policy directive 'default-src'.

I am not sure what would be the next step to debug this, hope to get some hint.

Thai Le

On Fri, 10 Jun 2022 at 11:53, Justin Bertram <jbert...@apache.org> wrote:

> > ...the webconsole then generates some urls with *http* scheme and sends
> > back the response telling the browser to open these urls...
>
> Can you provide an example of a URL that gets passed back as http?
>
>
> Justin
>
> On Fri, Jun 10, 2022 at 9:12 AM Thai Le <lnthai2...@gmail.com> wrote:
>
> > Hello,
> >
> > I have an artemis 2.19.1 broker running in a kubernetes pod. The binding in
> > the bootstrap.xml is set to bind="*http*://0.0.0.0:8161" path="web". I also
> > have a virtual service that routes http requests matching a pattern to this
> > pod so that I can access the webconsole from the internet. However, all
> > requests from the internet to our services must be in *https.* So, from the
> > internet, if I use *https*://mycompanydomain.com/artemis/console then the
> > request hits our gateway and is forwarded to the artemis pod as an *http*
> > request. The webconsole then generates some urls with the *http* scheme and
> > sends back the response telling the browser to open these urls; however,
> > such *http* requests will fail because our domain does not accept *http*.
> > The obvious approach is to configure an https binding for the webconsole,
> > but due to security policy, I cannot have access to the keystore. So I
> > wonder if there is a way to force all urls generated by the webconsole to
> > be in *https* instead of *http* without configuring an https binding.
> >
> > Regards
> >
> > Thai Le
> >
>

--
Where there is will, there is a way
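
The duplicate-directive behaviour Chrome reported in the message above, as an added example that is not part of the original thread: within one Content-Security-Policy header value the first occurrence of a directive is kept and later ones are dropped, so sources listed only in the second copy are never allowed. The sample header is a constructed, shortened version of the one in the message, and the function names are hypothetical.

```javascript
// Added example (not from the thread): first-occurrence-wins parsing of one
// Content-Security-Policy header value, reporting what the duplicates lose.

// Constructed sample: two policies joined into a single header value with ';',
// shortened from the response header quoted in the message.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "connect-src 'self'; frame-src 'self';" +
  "default-src 'self' https://*.company.com https://fonts.gstatic.com; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com; " +
  "img-src 'self' data: https://*.company.com";

function parseCsp(headerValue) {
  const effective = new Map(); // directive name -> source list the browser enforces
  const ignored = [];          // later duplicates, which the browser drops
  for (const token of headerValue.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;       // empty token, e.g. a trailing ';'
    const name = parts[0].toLowerCase();    // directive names are case-insensitive
    const values = parts.slice(1);
    if (effective.has(name)) {
      ignored.push({ name, values });       // duplicate: first occurrence wins
    } else {
      effective.set(name, values);
    }
  }
  return { effective, ignored };
}

// Sources that appear only in an ignored duplicate, i.e. that the writer of
// the second policy expected to be allowed but which are not in effect.
function lostSources(headerValue) {
  const { effective, ignored } = parseCsp(headerValue);
  const lost = {};
  for (const { name, values } of ignored) {
    const kept = new Set(effective.get(name));
    const missing = values.filter((v) => !kept.has(v));
    if (missing.length > 0) lost[name] = (lost[name] || []).concat(missing);
  }
  return lost;
}

for (const [name, sources] of Object.entries(lostSources(SAMPLE_HEADER))) {
  console.log(`${name}: ignored sources -> ${sources.join(' ')}`);
}
```

CSP is enforced by the browser on the response it receives; the 403 status itself is set by the server.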