background
-
Service deployment and jump are shown as follows:
-
The user requests to load the specified application through Alibaba cloud through http. The application returns the jump path (status 302), but the jump path is http (not https), so it cannot be accessed
2.1 jump pseudo code:// ModelAndView mv.setViewName(WebCst.REDIRECT + "/admin/sso/login");
2.2 screenshot of browser jump
Conclusion summary
-
The Location returned to the browser with nginx load is https because nginx has been processed. See the following for key configurations
proxy_set_header Host $host; proxy_redirect http:// https://;
1.1 use the trace command of arthas to observe the line, and the Location returned directly by the application is http://localhost:8232/exp-admin/admin/sso/login
watch org.apache.catalina.connector.Response toAbsolute -x 2
-
After replacing nginx with SLB, the load returned to the browser becomes http because SLB lacks corresponding configuration
2.1 SLB related configurations: https://help.aliyun.com/document_detail/97646.html
How is the jump Location generated
-
The background is developed by springboot. The following analysis is based on springboot
-
Let's first show how spring MVC works
2.1 our jump settings are: mv.setViewName(WebCst.REDIRECT + "/ admin/sso/login"); Combined with the above figure, guess to jump according to the view
2.2 the view parser ContentNegotiatingViewResolver parses the view through resolveViewName to get the jump view: RedirectView, and calls its render to jump -
Jump analysis with RedirectView#render
3.1 the following figure shows the Location obtained by distinguishing whether it is compatible with http1.0(http10Compatible)
(1) The default is compatible with http1.0, so response.sendredirect (encoded URL);
(2) Response.sendRedirect (encoded URL) will eventually trigger the sendRedirect method of tomcat's org.apache.catalina.connector.Response
public void sendRedirect(String location, int status) throws IOException { locationUri = toAbsolute(location); setStatus(status); setHeader("Location", locationUri); //Set the location of the jump }
3.2 entry generated by jump Location: org.apache.catalina.connector.Response#toAbsolute
// Obtain the protocol, IP and port information from the request, and then splice it with the set relative path protected String toAbsolute(String location) { String scheme = request.getScheme(); String name = request.getServerName(); int port = request.getServerPort(); redirectURLCC.append(scheme, 0, scheme.length()); redirectURLCC.append("://", 0, 3); redirectURLCC.append(name, 0, name.length()); if ((scheme.equals("http") && port != 80) || (scheme.equals("https") && port != 443)) { redirectURLCC.append(':'); String portS = port + ""; redirectURLCC.append(portS, 0, portS.length()); } redirectURLCC.append(location, 0, location.length()); }
Where is the protocol information generated in the Request
- According to the call stack, when the ConnectionHandler processes the connection, it performs differential processing according to SocketEvent
- Process open in Http11Processor_ The read event preprocesses the request
public SocketState service(SocketWrapperBase<?> socketWrapper) throws IOException { prepareRequestProtocol(); //Set to http1.1 prepareRequest(); //Processing protocol (http or https) getAdapter().service(request, response); //Dispatcher after calling }
- Judge whether SSL is enabled in prepareRequest. If it is enabled, it is https
private void prepareRequest() throws IOException { if (protocol.isSSLEnabled()) { request.scheme().setString("https"); } }
nginx settings for jump
- Jump description on nginx official website: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
- Sets the text changed in the Location header field of the proxy server response.
2.1 suppose the proxy server returns the header field "Location: http://localhost:8000/two/some/uri/ ”. The instruction proxy_ redirect http://localhost:8000/two/ http://frontend/one/ ; Rewrite this string to "Location: http://frontend/one/some/uri/ ”.
2.2 the configuration on nginx that can jump normally is as follows to convert http to Httpsproxy_set_header Host $host; proxy_redirect http:// https://;
- Local application SSL configuration: https://zhuanlan.zhihu.com/p/31385073
#https port number server.port: 443 #Path to the certificate server.ssl.key-store: tomcat.keystore #Certificate password, please change it to your own certificate password server.ssl.key-store-password: 123456 #Keystore type server.ssl.keyStoreType: PKCS12 #Certificate alias server.ssl.keyAlias: tomcat