[LPS-98254] X-Forwarded-* headers are not being honored when main.servlet.https.required is set to true - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 7.0.X, 7.1.X, 7.2.X, Master
Fix Version/s: 7.1.10 DXP FP13, 7.1.X, 7.2.10 DXP FP1, 7.2.X, 7.2.1 CE GA2, 7.3.10 DXP GA1, Master
Component/s: Application Security > Auth Verifiers
Labels:

Branch Version/s:

7.2.x, 7.1.x
Backported to Branch:

Committed
Fix Priority:
3
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/76585

Description

Description
When the portal property: main.servlet.https.required is set to true, X-Forwarded-* headers are not being honored, which may result in improper redirects.

Also, the portal property: portal.proxy.path is not being accounted for as well, for the resulting redirects.

Steps to Reproduce

Setup a proxy server with SSL Offloading

Sample httpd-vhosts.conf (Apache Httpd)

<VirtualHost *:443>
    ProxyPreserveHost On

    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/dummy-server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/dummy-server.key"

    RequestHeader set X-Forwarded-Proto https

    ProxyPass /liferay http://172.17.0.1:8080
    ProxyPassReverse /liferay http://172.17.0.1:8080
</VirtualHost>

Accommodate SSLCertificateFile and SSLCertificateKeyFile accordingly
- Reference: Here are links to the dummy cert I used for my testing, in case it's helpful:
  - dummy-server.crt
  - dummy-server.key
Replace 172.17.0.1 with the IP address to your Liferay instance

Configure Liferay to work with the proxy server

Sample portal-ext.properties:

web.server.https.port=443
web.server.protocol=https
portal.proxy.path=/liferay

web.server.forwarded.protocol.enabled=true

Startup Liferay and Apache Httpd
Navigate to https://[PROXY-SERVER-IP]/liferay
- Replace [PROXY-SERVER-IP] with your proxy server's IP
Notice that Liferay loads as expected

Modify portal-ext.properties to include main.servlet.https.required:

web.server.https.port=443
web.server.protocol=https
portal.proxy.path=/liferay

web.server.forwarded.protocol.enabled=true
main.servlet.https.required=true

Restart Liferay
Navigate to https://[PROXY-SERVER-IP]/liferay
- Replace [PROXY-SERVER-IP] with your proxy server's IP

Expected Result: The redirect should occur successfully and the portal can be accessed.
Actual Result: Error message appears in the browser, due to improper redirects.

Attachments

Activity

People

Assignee:: Joshua Itagaki

Reporter:: Eric Yan

Participants of an Issue:: Eric Yan, Joshua Itagaki, Tibor Lipusz

Recent user:: Jason Pince

Engineering Assignee:: Eric Yan

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 15/Jul/19 11:58 AM

Updated:: 05/Oct/20 4:16 PM

Resolved:: 05/Aug/19 9:04 PM

Days since last comment:: 1 year, 29 weeks, 6 days ago

Packages

Version	Package
7.1.10 DXP FP13
7.1.X
7.2.10 DXP FP1
7.2.X
7.2.1 CE GA2
7.3.10 DXP GA1
Master