The mystery case of https becoming http through a sendRedirect call

[Vangelis Papathanasiou]

I have some redirect calls in the code  sendRedirect("/appropriate_url", request, response)

The "destination" is a relative path for a load balancer. So internally, the Apache will redirect various sub-path to different servers. All URLs exposed the same hostname to the client side. However, starting from an https request, the result from the call becomes http instead. Not cool!

I am using hippo-cms 7.8.6 version. I tried to use httpsfilter module and schemaagnostic feature to the hst:root mount unsuccesfully. I can visit from browser every https page or move from hst:link to https pages but when there is a redirect I have this issue. I tried to get logs from httpfilter unsuccessfully. Any Ideas?

Cheers,

Vangelis

[Woonsan Ko]

How do you create the redirect URL location in your component code?
Is it a relative URL or absolute URL (starting with http*://)?

> --
> Hippo Community Group: The place for all discussions and announcements
> about Hippo CMS (and HST, repository etc. etc.)
>
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google
> Groups "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to hippo-communi...@googlegroups.com
> <mailto:hippo-communi...@googlegroups.com>.
> Visit this group at http://groups.google.com/group/hippo-community.
> For more options, visit https://groups.google.com/d/optout.


--
w....@onehippo.com www.onehippo.com
Boston - 101 Main Street, Cambridge, MA 02142
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466

[Vangelis Papathanasiou]

It is relative. I use sendRedirect() of BaseHstComponent

> <mailto:hippo-community+unsub...@googlegroups.com>.

[Woonsan Ko]

If you're using a relative URL location to redirect, then you're
depending on how Tomcat prepend the base URL. So, in that case, there's
nothing more to do ourselves but configuring something well somehow in
both Apache HTTPd and Tomcat. See [1] for your information.

So, in my projects, I usually try to use an absolute URL location
instead because I can have a full control by using HST link generation
based on HST configurations.

Regards,

Woonsan

[1]
http://serverfault.com/questions/434864/apache-reverse-proxy-jumps-back-to-insecure-protocol-after-redirect

> <javascript:>
> > RSS:
> >
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50

> <https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50>
>
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "Hippo Community" group.
> > To unsubscribe from this group and stop receiving emails from it,
> send

> > an email to hippo-communi...@googlegroups.com <javascript:>
> > <mailto:hippo-communi...@googlegroups.com <javascript:>>.

> > Visit this group at http://groups.google.com/group/hippo-community

> <http://groups.google.com/group/hippo-community>.

> > For more options, visit https://groups.google.com/d/optout

> <https://groups.google.com/d/optout>.
>
>
> --
> w....@onehippo.com <javascript:> www.onehippo.com
> <http://www.onehippo.com>

> Boston - 101 Main Street, Cambridge, MA 02142
> Amsterdam - Oosteinde 11, 1017 WT Amsterdam
> US +1 877 414 4776 (toll free)
> Europe +31(0)20 522 4466
>

> --
> Hippo Community Group: The place for all discussions and announcements
> about Hippo CMS (and HST, repository etc. etc.)
>
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google
> Groups "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to hippo-communi...@googlegroups.com

> <mailto:hippo-communi...@googlegroups.com>.

[Vangelis Papathanasiou]

Thank you Woonsan. Could you provide me an example of creating absolute urls and using them according to my situation?

Regards,

Vangelis

>     > <mailto:hippo-community+unsub...@googlegroups.com <javascript:>>.

>     > Visit this group at http://groups.google.com/group/hippo-community
>     <http://groups.google.com/group/hippo-community>.
>     > For more options, visit https://groups.google.com/d/optout
>     <https://groups.google.com/d/optout>.
>
>
>     --
>     w....@onehippo.com <javascript:>     www.onehippo.com
>     <http://www.onehippo.com>
>     Boston - 101 Main Street, Cambridge, MA 02142
>     Amsterdam - Oosteinde 11, 1017 WT Amsterdam
>     US +1 877 414 4776 (toll free)
>     Europe +31(0)20 522 4466
>
> --
> Hippo Community Group: The place for all discussions and announcements
> about Hippo CMS (and HST, repository etc. etc.)
>  
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google
> Groups "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to hippo-communi...@googlegroups.com

> <mailto:hippo-community+unsub...@googlegroups.com>.

[Woonsan Ko]

Oh, I can reuse the following: :)

HstLinkCreator linkCreator = requestContext.getHstLinkCreator();
HstLink link = linkCreator.create(...); // various options; see javadoc
String location = link.toUrlForm(requestContext, fullyQualified);
response.sendRedirect(location);

You can create a link from a context relative path, sitemap item
reference ID, hippo document bean, etc.
And, you can create an absolute link by invoking #toUrlForm() with the
second argument set to true.

Cheers,

Woonsan

> > > <mailto:hippo-communi...@googlegroups.com
> <javascript:> <javascript:>>.

> > > Visit this group at
> http://groups.google.com/group/hippo-community
> <http://groups.google.com/group/hippo-community>
> > <http://groups.google.com/group/hippo-community
> <http://groups.google.com/group/hippo-community>>.
> > > For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>
> > <https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>>.
> >
> >
> > --
> > w....@onehippo.com <javascript:> www.onehippo.com
> <http://www.onehippo.com>
> > <http://www.onehippo.com>
> > Boston - 101 Main Street, Cambridge, MA 02142
> > Amsterdam - Oosteinde 11, 1017 WT Amsterdam
> > US +1 877 414 4776 (toll free)
> > Europe +31(0)20 522 4466
> >
> > --
> > Hippo Community Group: The place for all discussions and
> announcements
> > about Hippo CMS (and HST, repository etc. etc.)
> >
> > To post to this group, send email to hippo-c...@googlegroups.com

> <javascript:>
> > RSS:
> >
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> <https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50>
>
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "Hippo Community" group.
> > To unsubscribe from this group and stop receiving emails from it,
> send
> > an email to hippo-communi...@googlegroups.com <javascript:>

> > <mailto:hippo-communi...@googlegroups.com <javascript:>>.

> > Visit this group at http://groups.google.com/group/hippo-community
> <http://groups.google.com/group/hippo-community>.
> > For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>.
>
>
> --
> w....@onehippo.com <javascript:> www.onehippo.com
> <http://www.onehippo.com>
> Boston - 101 Main Street, Cambridge, MA 02142
> Amsterdam - Oosteinde 11, 1017 WT Amsterdam
> US +1 877 414 4776 (toll free)
> Europe +31(0)20 522 4466
>
> --
> Hippo Community Group: The place for all discussions and announcements
> about Hippo CMS (and HST, repository etc. etc.)
>
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google
> Groups "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to hippo-communi...@googlegroups.com

> <mailto:hippo-communi...@googlegroups.com>.

[Vangelis Papathanasiou]

False alarm. The browser caching!!! :) Thank you Woonsan! :)

On Tuesday, June 24, 2014 8:42:06 PM UTC+3, Vangelis Papathanasiou wrote:

But stiil we need the configuration you said in order to get this work. Am I right?

I created this function based on your helpful comments.

 private String urlLocation(HstRequestContext requestContext, String siteMapItemName){

        HstLinkCreator linkCreator = requestContext.getHstLinkCreator();

        HstLink link = linkCreator.create(siteMapItemName,requestContext.getResolvedMount().getMount());

        String location = link.toUrlForm(requestContext, true);

        LOGGER.debug("The url of the redirection is: "+location);

        return location;

    }

I visit a url under https, and according to that url I should be redirected to an other url based on some rules. But still I got a http url and not a https url.

>     >     > <mailto:hippo-community+unsub...@googlegroups.com

>     > <mailto:hippo-community+unsub...@googlegroups.com <javascript:>>.

>     > Visit this group at http://groups.google.com/group/hippo-community
>     <http://groups.google.com/group/hippo-community>.
>     > For more options, visit https://groups.google.com/d/optout
>     <https://groups.google.com/d/optout>.
>
>
>     --
>     w....@onehippo.com <javascript:>     www.onehippo.com
>     <http://www.onehippo.com>
>     Boston - 101 Main Street, Cambridge, MA 02142
>     Amsterdam - Oosteinde 11, 1017 WT Amsterdam
>     US +1 877 414 4776 (toll free)
>     Europe +31(0)20 522 4466
>
> --
> Hippo Community Group: The place for all discussions and announcements
> about Hippo CMS (and HST, repository etc. etc.)
>  
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google
> Groups "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to hippo-communi...@googlegroups.com

> <mailto:hippo-community+unsub...@googlegroups.com>.

[Vangelis Papathanasiou]

I don't know on some pc works on other no! :)

[Ard Schrijvers]

Hey Vangelis,

did you also happen to see and read this chapter about https support:

http://www.onehippo.org/library/concepts/request-handling/hst-seamless-https-support.html

Regards Ard

>>>> > > > <mailto:hippo-communi...@googlegroups.com

>>>> > > <mailto:hippo-communi...@googlegroups.com

>>>> > <javascript:>>.
>>>> > > Visit this group at
>>>> > http://groups.google.com/group/hippo-community
>>>> > <http://groups.google.com/group/hippo-community>.
>>>> > > For more options, visit https://groups.google.com/d/optout
>>>> > <https://groups.google.com/d/optout>.
>>>> >
>>>> >
>>>> > --
>>>> > w....@onehippo.com <javascript:> www.onehippo.com
>>>> > <http://www.onehippo.com>
>>>> > Boston - 101 Main Street, Cambridge, MA 02142
>>>> > Amsterdam - Oosteinde 11, 1017 WT Amsterdam
>>>> > US +1 877 414 4776 (toll free)
>>>> > Europe +31(0)20 522 4466
>>>> >
>>>> > --
>>>> > Hippo Community Group: The place for all discussions and announcements
>>>> > about Hippo CMS (and HST, repository etc. etc.)
>>>> >
>>>> > To post to this group, send email to hippo-c...@googlegroups.com
>>>> > RSS:
>>>> >
>>>> > https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
>>>> > ---
>>>> > You received this message because you are subscribed to the Google
>>>> > Groups "Hippo Community" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send
>>>> > an email to hippo-communi...@googlegroups.com

>>>> > <mailto:hippo-communi...@googlegroups.com>.

>>>> > Visit this group at http://groups.google.com/group/hippo-community.
>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>
>>>>
>>>> --
>>>> w....@onehippo.com www.onehippo.com
>>>> Boston - 101 Main Street, Cambridge, MA 02142
>>>> Amsterdam - Oosteinde 11, 1017 WT Amsterdam
>>>> US +1 877 414 4776 (toll free)
>>>> Europe +31(0)20 522 4466
>

> --
> Hippo Community Group: The place for all discussions and announcements about
> Hippo CMS (and HST, repository etc. etc.)
>
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google Groups
> "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to hippo-communi...@googlegroups.com.

> Visit this group at http://groups.google.com/group/hippo-community.
> For more options, visit https://groups.google.com/d/optout.



--

Amsterdam - Oosteinde 11, 1017 WT Amsterdam

Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466

www.onehippo.com

[Vangelis Papathanasiou]

Yes Ard,

I started from this chapter and tried to used these principles. I succeeded to do it localhost. The issue is on loadbalancers I think. I will discuss it with infra to apply the instructions that Woonsan suggested and we will see.

Cheers,

Vangelis

>>>> >     >     > <mailto:hippo-community+unsub...@googlegroups.com

>>>> >     > <mailto:hippo-community+unsub...@googlegroups.com

>>>> > <javascript:>>.
>>>> >     > Visit this group at
>>>> > http://groups.google.com/group/hippo-community
>>>> >     <http://groups.google.com/group/hippo-community>.
>>>> >     > For more options, visit https://groups.google.com/d/optout
>>>> >     <https://groups.google.com/d/optout>.
>>>> >
>>>> >
>>>> >     --
>>>> >     w....@onehippo.com <javascript:>     www.onehippo.com
>>>> >     <http://www.onehippo.com>
>>>> >     Boston - 101 Main Street, Cambridge, MA 02142
>>>> >     Amsterdam - Oosteinde 11, 1017 WT Amsterdam
>>>> >     US +1 877 414 4776 (toll free)
>>>> >     Europe +31(0)20 522 4466
>>>> >
>>>> > --
>>>> > Hippo Community Group: The place for all discussions and announcements
>>>> > about Hippo CMS (and HST, repository etc. etc.)
>>>> >
>>>> > To post to this group, send email to hippo-c...@googlegroups.com
>>>> > RSS:
>>>> >
>>>> > https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
>>>> > ---
>>>> > You received this message because you are subscribed to the Google
>>>> > Groups "Hippo Community" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send
>>>> > an email to hippo-communi...@googlegroups.com

>>>> > <mailto:hippo-community+unsub...@googlegroups.com>.

[Ard Schrijvers]

On Wed, Jun 25, 2014 at 10:07 AM, Vangelis Papathanasiou
<vangelis.pa...@gmail.com> wrote:
> Yes Ard,
>
> I started from this chapter and tried to used these principles. I succeeded
> to do it localhost. The issue is on loadbalancers I think.

What you describe is typically not the result of loadbalancers but of
httpd: Most likely your container does not serve https responses, but
this is offloaded to httpd. This means that the application is always
hit from a reverse proxy over http. The proxy does the https part. The
application container will return however correct http/https links
through the HST (assuming you correctly set the hst:scheme as
described in the documentation) as the HST is aware about the browser
scheme that was used. However, to be able to do so, you need to
configure your httpd to add information (X-Forwarded-Proto) about the
used scheme. Personally mine looked something like below. With that,
you should not need to create fully qualified URLs as described by
Woonsan.

<VirtualHost *:443>
ServerName www.example.com

# SSL Engine
SSLEngine on

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256??????????????????????????????
BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

<Location />
Order deny,allow
Allow from all
</Location>

RequestHeader set X-Forwarded-Proto https

ProxyPreserveHost On

ProxyPass / http://127.0.0.1:8080/site/
ProxyPassReverse / http://127.0.0.1:8080/site/
ProxyPassReverseCookiePath /site /
</VirtualHost>

>> >>>> > > > <mailto:hippo-communi...@googlegroups.com

>> >>>> > > <mailto:hippo-communi...@googlegroups.com

>> >>>> > <mailto:hippo-communi...@googlegroups.com>.

[Vangelis Papathanasiou]

Thank you Ard. I made it work. 

>> >>>> >     >     > <mailto:hippo-community+unsub...@googlegroups.com

>> >>>> >     > <mailto:hippo-community+unsub...@googlegroups.com

>> >>>> > <mailto:hippo-community+unsub...@googlegroups.com>.