spring-hateoas: x-forwarded-host & x-forwarded-prefix headers not working after project upgrade to Spring Boot 2.1
Had a working project, Spring boot / Spring data rest / Spring Hateos and after upgrade to Spring boot 2.1.3 it appears that x-forwarded-prefix and x-forwarded-host are not longer working. x-forwarded-proto and x-forwarded-port are working fine.
Broke it out into the simplest possible app demo.tar.gz to check and still couldn’t get it working.
If I run
http -v GET localhost:8081
the result is
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost:8081
User-Agent: HTTPie/0.9.8
HTTP/1.1 200
Content-Type: application/hal+json;charset=UTF-8
Date: Sat, 09 Mar 2019 18:21:59 GMT
Transfer-Encoding: chunked
{
"_links": {
"people": {
"href": "http://localhost:8081/people{?page,size,sort}",
"templated": true
},
"profile": {
"href": "http://localhost:8081/profile"
}
}
}
all ok so far, however when I try
http -v GET localhost:8081 x-forwarded-proto:https x-forwarded-host:example.com:9090 x-forwarded-port:9090 x-forwarded-prefix:/api
I get
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost:8081
User-Agent: HTTPie/0.9.8
x-forwarded-host: example.com:9090
x-forwarded-port: 9090
x-forwarded-prefix: /api
x-forwarded-proto: https
HTTP/1.1 200
Content-Type: application/hal+json;charset=UTF-8
Date: Sat, 09 Mar 2019 18:23:01 GMT
Transfer-Encoding: chunked
{
"_links": {
"people": {
"href": "https://localhost:9090/people{?page,size,sort}",
"templated": true
},
"profile": {
"href": "https://localhost:9090/profile"
}
}
}
I was expecting the links to be of the form https://example.com:9090/api/profile
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 3
- Comments: 25 (9 by maintainers)
Okay, a little extra digging has uncovered:
Spring Boot doesn’t currently support all the
X-Forwarded-*stuff through that property setting. The docs only listX-Forwarded-ForandX-Forwarded-Protosupported by the existing property. Additionally, there are issues with each container regarding these de facto standard headers. Track Boot’s support at => https://github.com/spring-projects/spring-boot/issues/5677That being said, to enable
X-Forwarded-*support, add this to your application:…and Spring Boot will pick up the filter bean and register it with your Spring MVC app. (I don’t have the WebFlux counterpart here).
…and see…
Bottom line: this should be added to the reference docs so you don’t have to dig around in the issues or stackoverflow to get it going.
@patbaumgartner I have had the same problem. The solution was to use the ForwardedHeaderFilter. You have to register it with the @Bean annotation.
@Bean public Filter forwardedHeaderFilter() { return new ForwardedHeaderFilter(); }https://docs.spring.io/spring/docs/5.1.3.RELEASE/spring-framework-reference/web.html#filters-forwarded-headers --> “There are security considerations…”
Unfortunately, I have the same issue with spring-data-rest. The x-forwarded-prefix was set in the request but spring-data-rest does not render it in the response.
Spring Boot 2.1.3 -> Spring Data Rest Starter
I need to add server.use-forward-headers=true and then only x-forwarded-host (host:port) is rendered in the hypermedia document. If I do not set the property the x-forwarded headers are ignored.
@GoldenToast well I’ll try it but that is what I thought the property I switched on above would do
To be precise, it’s Spring Framework 5.1 and Spring HATEOAS 0.25.1/1.0.0 that requires this shift.
Unless I have done something else wrong, it only half works, proto & port are fine, but host & prefix I can’t get to work
Sure I saw that so I used
server.use-forward-headers=trueto do it.