Hi, I built and deployed service-proxy-war-4.8.3.war on Tomcat 9.0.48 running on openjdk version 1.8.0_302 (zulu JRE build 1.8.0_302-b08). I set up proxies.xml to reverse proxy an IIS 10.0 WCF SSL endpoint. What I noticed is when I use curl -v to look at the response headers, the headers are different than what is returned by accessing the IIS endpoint directly. For comparison, I set up an Apache httpd reverse proxy and looked at its response headers using curl -v. The results between the 3 responses to curl are below. The response headers from IIS and the httpd reverse proxy are the same, but the membrane reverse proxy appears to add & duplicate header data. Is this expected? Why is the behavior different between httpd and membrane?
Thanks!
-Andy

curl -v response results:

IIS direct:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Sun, 14 Nov 2021 17:58:04 GMT
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1

httpd reverse proxy:
ProxyPreserveHost On

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Sun, 14 Nov 2021 17:55:12 GMT
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1

membrane reverse proxy (tomcat webapp):
<serviceProxy>
  <target host="FQDN" port="9443">
    <ssl />
  </target>
</serviceProxy>

HTTP/1.1 200
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Cache-Control: private
Content-Type: application/json;charset=utf-8
Date: Sun, 14 Nov 2021 18:51:11 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000;includeSubDomains
Transfer-Encoding: chunked
vary: Origin
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
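
The header comparison above can be automated. The following is an added example, not part of the original post and not Membrane or httpd code: it diffs the IIS and Membrane header sets quoted in the post and reports which headers the proxy added, dropped or duplicated, and which duplicates carry conflicting values. The function names (`parse`, `norm`, `compare`) are illustrative.

```python
# Header lines copied from the post; Date is omitted because it changes per request.
IIS = """HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1"""
MEMBRANE = """HTTP/1.1 200
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Cache-Control: private
Content-Type: application/json;charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000;includeSubDomains
Transfer-Encoding: chunked
vary: Origin
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block"""

def parse(raw):
    """Map lowercased header name -> list of values, keeping repeats."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("HTTP/"):
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def norm(value):
    """Ignore case and spacing around ';' so only real value changes count."""
    return ";".join(p.strip().lower() for p in value.split(";"))

def compare(origin_raw, proxy_raw):
    o, p = parse(origin_raw), parse(proxy_raw)
    both = sorted(set(o) & set(p))
    return {  # "conflicting": the proxy's copies of one header disagree
        "added": sorted(set(p) - set(o)),
        "dropped": sorted(set(o) - set(p)),
        "duplicated": [n for n in both if len(p[n]) > len(o[n])],
        "conflicting": [n for n in both if len({norm(v) for v in p[n]}) > 1],
    }
```

On the data from the post, `compare(IIS, MEMBRANE)` reports four duplicated security headers, of which only `x-xss-protection` has copies that disagree (`1` versus `1; mode=block`); the two `Strict-Transport-Security` lines differ only in whitespace.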