Response headers different between httpd and membrane reverse proxy

Andy Arismendi

Nov 14, 2021, 3:01:49 PM
to membrane-monitor
Hi, I built and deployed service-proxy-war-4.8.3.war on Tomcat 9.0.48 running on openjdk version 1.8.0_302 (zulu JRE build 1.8.0_302-b08). I set up proxies.xml to reverse proxy an IIS 10.0 WCF SSL endpoint. What I noticed is when I use curl -v to look at the response headers, the headers are different than what is returned by accessing the IIS endpoint directly. For comparison, I set up an Apache httpd reverse proxy and looked at its response headers using curl -v. The results between the 3 responses to curl are below. The response headers from IIS and the httpd reverse proxy are the same, but the membrane reverse proxy appears to add & duplicate header data. Is this expected? Why is the behavior different between httpd and membrane? 

Thanks!
-Andy

curl -v response results:

IIS direct

  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Type: application/json; charset=utf-8
  Date: Sun, 14 Nov 2021 17:58:04 GMT
  Server: Microsoft-IIS/10.0
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Transfer-Encoding: chunked
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1

httpd reverse proxy

  ProxyPreserveHost On
  ProxyPass / https://FQDN:9443/
  ProxyPassReverse / https://FQDN:9443/

  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Type: application/json; charset=utf-8
  Date: Sun, 14 Nov 2021 17:55:12 GMT
  Server: Microsoft-IIS/10.0
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Transfer-Encoding: chunked
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1

membrane reverse proxy (tomcat webapp)

  <serviceProxy>
    <target host="FQDN" port="9443">
      <ssl />
    </target>
  </serviceProxy>

  HTTP/1.1 200
  Access-Control-Allow-Credentials: true
  Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
  Cache-Control: private
  Content-Type: application/json;charset=utf-8
  Date: Sun, 14 Nov 2021 18:51:11 GMT
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Strict-Transport-Security: max-age=31536000;includeSubDomains
  Transfer-Encoding: chunked
  vary: Origin
  X-Content-Type-Options: nosniff
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1
  X-XSS-Protection: 1; mode=block

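The comparison described in the post can be automated. The following is an added example, not part of the original post or of Membrane: it parses the IIS and Membrane header sets quoted above and reports which headers the proxy added, dropped, repeated verbatim, or repeated with differing values. The function names `parse_headers` and `compare` are hypothetical, and the input strings are copied from the post's curl output.

```python
# Constructed input: header lines copied from the curl -v output in the post.
IIS_DIRECT = """\
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Sun, 14 Nov 2021 17:58:04 GMT
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1"""
MEMBRANE = """\
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Cache-Control: private
Content-Type: application/json;charset=utf-8
Date: Sun, 14 Nov 2021 18:51:11 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000;includeSubDomains
Transfer-Encoding: chunked
vary: Origin
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block"""

def parse_headers(raw):
    # Map lowercased name -> list of values, keeping repeated lines.
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def compare(origin, proxied):
    report = {"added": [], "dropped": [], "duplicated": [], "conflicting": []}
    for name in sorted(set(origin) | set(proxied)):
        if name not in origin:
            report["added"].append(name)
        elif name not in proxied:
            report["dropped"].append(name)
        elif len(proxied[name]) > len(origin[name]):
            # Repeats that differ after normalising case/whitespace conflict.
            distinct = {v.replace(" ", "").lower() for v in proxied[name]}
            report["conflicting" if len(distinct) > 1 else "duplicated"].append(name)
    return report
print(compare(parse_headers(IIS_DIRECT), parse_headers(MEMBRANE)))
```

The `conflicting` bucket is the one to review first, since a client receiving two different values for the same security header has to choose which one to honor.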