[1.2.4] 2*Play, Lighttpd, and SSL Login Problems


Jake Wharton

Dec 28, 2011, 4:55:05 PM
to play-fr...@googlegroups.com
I am serving a site over SSL only via a Lighttpd proxy backed by two 1.2.4 instances running HTTP on 9001 and 9002 respectively. With this configuration I'm experiencing some issues attempting to log in through the proxy.

Authentication occurs fine (confirmed via logging) but the response is never received by the client. Logging in via one of the play ports works fine.

I'm also unable to get secure cookies to work using this method. Is this because the proxy to play connection is over HTTP? Should I worry about not having them encrypted or is the forced SSL enough?

Here's my Lighttpd config:

$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/home/user/this.pem"
  ssl.ca-file = "/home/user/that.crt"

  $HTTP["host"] =~ "example.com" {
    proxy.balance = "round-robin"
    proxy.debug   = 1
    proxy.server  = (
     "/" => (
        ( "host" => "127.0.0.1", "port" => 9001 ),
        ( "host" => "127.0.0.1", "port" => 9002 )
      )
    )
  }
}

and the only changes to the default application.conf are:

application.session.cookie=SOMETHING
application.defaultCookieDomain=.champmove.com

Does anyone see anything wrong with the configuration? Or perhaps have an example of a working, SSL-only configuration?

sun

Dec 29, 2011, 8:38:46 AM
to play-framework
Usually you configure http and https on different ports in Play's
application.conf. Have you set http.port and https.port?

I used this code before I switched to the reverseproxy module:

$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/etc/lighttpd/certs/parapapi.pem"
}

$HTTP["scheme"] == "http" {
  $HTTP["url"] =~ "^/((login)|(logout)|(secure)|(admin))" {
    url.redirect = ( "^/(.*)" => "https://%1/$1" )
  }
}
$HTTP["scheme"] == "https" {
  $HTTP["url"] !~ "^/((login)|(logout)|(secure)|(admin))" {
    $HTTP["referer"] !~ "^/((login)|(logout)|(secure)|(admin))" {
      url.redirect = ( "^/(.*)" => "http://%1/$1" )
    }
  }
}

Happy old year!

Jake Wharton

Dec 29, 2011, 9:29:56 AM
to play-fr...@googlegroups.com
I'm forcing the entire website to be SSL at the proxy level. I assumed that I could run the Play instances purely on HTTP since they'd only be connected to by Lighttpd and only by localhost. Is that not correct?

I also discovered that if I disable forced HTTPS and allow the round-robin on HTTP everything works fine. So it appears that it has something to do with redirects over SSL...

Joseph Conley

Sep 1, 2012, 1:04:40 PM
to play-fr...@googlegroups.com
I have a similar situation where I have several Play! apps being served behind a lighttpd server. Has anyone found a successful SSL configuration in lighttpd where all apps can have SSL enforced at the proxy level? I've followed the standard Play! https setup and everything works as expected locally, but when I try to put the apps behind lighttpd, everything gets forwarded to localhost. Should I be forwarding to the http port or https port? Here's my conf:

#lighttpd conf
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "host.pem"
}

$HTTP["host"] =~ "example.com" {
  proxy.balance = "round-robin"
  proxy.server  = (
    "/app1" => ( ( "host" => "127.0.0.1", "port" => 9443 ) ),
    "/app2" => ( ( "host" => "127.0.0.1", "port" => 9444 ) )
  )
}


#app1's application.conf
http.port=9000
https.port=9443
certificate.key.file=conf/ssl/host.key
certificate.file=conf/ssl/host.cert

Any help/pointing in the right direction would be most appreciated, thanks!

Samuel R

Sep 3, 2012, 3:19:16 AM
to play-fr...@googlegroups.com
Have you set the X-Forwarded-Support configuration option (http://www.playframework.org/documentation/1.2.4/configuration#XForwardedSupport) in the application.conf?
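An added illustration, not code from the thread or from Play: a minimal Python model of what a plain-HTTP backend behind a TLS-terminating proxy has to decide when it builds a post-login redirect and session cookie, namely whether to believe the X-Forwarded-Proto header, and from whom. The function names, the trusted-proxy list, the cookie name and the sample requests are assumptions constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Assumptions for this example: the only proxy is lighttpd on localhost, and
# redirects use a fixed host so they never reflect a client-supplied Host header.
TRUSTED_PROXIES = [ip_network("127.0.0.1/32")]
CANONICAL_HOST = "example.com"


def effective_scheme(peer_ip, headers, direct_scheme="http"):
    """Scheme the browser used, as far as the backend is allowed to believe."""
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return direct_scheme  # header came from an arbitrary client: ignore it
    lowered = {k.lower(): v for k, v in headers.items()}
    # If a proxy appended to a client-supplied value, the last entry is the proxy's.
    proto = lowered.get("x-forwarded-proto", "").split(",")[-1].strip().lower()
    return proto if proto in ("http", "https") else direct_scheme


def login_response(peer_ip, headers, session_id, target="/"):
    """Build the post-login redirect and session cookie for one request."""
    scheme = effective_scheme(peer_ip, headers)
    cookie = f"SESSION={session_id}; Path=/; HttpOnly"
    if scheme == "https":
        cookie += "; Secure"  # browser will only send it back over TLS
    return {"Location": f"{scheme}://{CANONICAL_HOST}{target}", "Set-Cookie": cookie}


if __name__ == "__main__":
    # Constructed sample requests (not taken from the thread).
    samples = [
        ("via proxy, header set", "127.0.0.1", {"X-Forwarded-Proto": "https"}),
        ("via proxy, header missing", "127.0.0.1", {}),
        ("direct client, spoofed header", "203.0.113.7", {"X-Forwarded-Proto": "https"}),
    ]
    for label, peer, hdrs in samples:
        print(f"{label}: {login_response(peer, hdrs, 'abc123')}")
```

When the header is missing, the backend falls back to the scheme of its own socket and emits an `http://` redirect and a cookie without `Secure`, even though the browser connected over HTTPS.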