Upgrade from spring-boot 2.4.4 to 2.5.9 cause X-Forwarded not to be taken

Time:03-16

We are in the process of updating our dependencies. We recently updated spring-boot from 2.4.4 to 2.5.9.

Since then we cannot test a portion of our functionality locally. This involves custom domain passed using proxies. We have the following setup locally:

**Nginx proxy** (local.alavoie.mytestdomain.com which points to 127.0.0.1 listening on 443)
 |
 |
**NPM app** with proxy table (listening on 0.0.0.0 8080)
 |
 |
**Spring-boot app** (listening on 0.0.0.0 8081)

When we use request.getServerName(), it now returns localhost instead of the provided URL, local.alavoie.mytestdomain.com.

From my investigation, the issue starts as soon as I update to spring-boot 2.5.x. All versions of 2.4.x are working.

The updated tomcat dependency does not give any problems. From what I could find, the RemoteIpValve does not get added to the tomcat engine pipeline for the request.

Here is my nginx config:

```nginx
# configuration file /usr/local/etc/nginx/nginx.conf:
#worker_processes  1;

events {
    worker_connections  1024;
}

http {
  server {
      listen 80;
      server_name *.alavoie.mytestdomain.com;
      return 301 https://$host$request_uri;
  }

  server {
      listen 443 ssl;

      client_max_body_size 5G;

      ssl_certificate /users/alavoie/ssl/certificate.pem;
      ssl_certificate_key /users/alavoie/ssl/key.pem;
      ssl_protocols TLSv1.2  TLSv1.3;
      ssl_prefer_server_ciphers on;
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

      add_header Strict-Transport-Security "max-age=63072000" always;

      location / {

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any incoming
        # X-Forwarded-For; a second X-Forwarded-For directive set to plain
        # $remote_addr duplicated this header and has been dropped.
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Server  $host;
        proxy_set_header        X-Forwarded-Host    $host;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass          http://localhost:8081;
        proxy_read_timeout  90;
      }
  }

  # General settings
  #
  access_log off;

  server_tokens off;

  ##
  # Proxy settings
  #
  proxy_buffering    off;
  proxy_buffer_size  128k;
  proxy_buffers 100  128k;
  proxy_headers_hash_bucket_size 128;

  ##
  # gzip settings
  #
  gzip on;
  gzip_disable "msie6";
}
```

Here is our npm proxy table:

```js
'use strict'
// Template version: 1.2.5
// see http://vuejs-templates.github.io/webpack for documentation.

const path = require('path')

module.exports = {
  dev: {

    // Paths
    assetsSubDirectory: 'static',
    assetsPublicPath: '/',
    proxyTable: {
      '/rest/**': {
        target: 'http://localhost:8080',
        logLevel: 'debug'
      },
      '/api/**': 'http://localhost:8080',
      '/assets/**': 'http://localhost:8080',
      '/auth/*': {
        target: 'http://localhost:8080',
        changeOrigin: true,
        logLevel: 'debug'
      },
      '/login/twofactor': {
        target: 'http://localhost:8080',
        changeOrigin: true,
        logLevel: 'debug'
      },
      '/socket': {
        target: 'ws://localhost:8080',
        ws: true,
      },
    },

    // Various Dev Server settings
    host: '0.0.0.0', // can be overwritten by process.env.HOST
    port: 8081, // can be overwritten by process.env.PORT, if port is in use, a free one will be determined
    autoOpenBrowser: false,
    errorOverlay: true,
    notifyOnErrors: true,
    poll: false, // https://webpack.js.org/configuration/dev-server/#devserver-watchoptions-

    // Use Eslint Loader?
    // If true, your code will be linted during bundling and
    // linting errors and warnings will be shown in the console.
    useEslint: true,
    // If true, eslint errors and warnings will also be shown in the error overlay
    // in the browser.
    showEslintErrorsInOverlay: false,

    /**
     * Source Maps
     */

    // https://webpack.js.org/configuration/devtool/#development
    devtool: 'eval-source-map',

    // If you have problems debugging vue-files in devtools,
    // set this to false - it *may* help
    // https://vue-loader.vuejs.org/en/options.html#cachebusting
    cacheBusting: true,

    // CSS Sourcemaps off by default because relative paths are "buggy"
    // with this option, according to the CSS-Loader README
    // (https://github.com/webpack/css-loader#sourcemaps)
    // In our experience, they generally work as expected,
    // just be aware of this issue when enabling this option.
    cssSourceMap: false,
  },

  build: {
    // Template for index.html
    index: path.resolve(__dirname, '../dist/index.html'),

    // Paths
    assetsRoot: path.resolve(__dirname, '../dist'),
    assetsSubDirectory: 'static',
    assetsPublicPath: '/',

    /**
     * Source Maps
     */

    productionSourceMap: true,
    // https://webpack.js.org/configuration/devtool/#production
    devtool: '#source-map',

    // Gzip off by default as many popular static hosts such as
    // Surge or Netlify already gzip all static assets for you.
    // Before setting to `true`, make sure to:
    // npm install --save-dev compression-webpack-plugin
    productionGzip: false,
    productionGzipExtensions: ['js', 'css'],

    // Run the build command with an extra argument to
    // View the bundle analyzer report after build finishes:
    // `npm run build --report`
    // Set to `true` or `false` to always turn it on or off
    bundleAnalyzerReport: process.env.npm_config_report
  }
}
```

I am running everything on a Mac. Can anyone help me figure out what we are doing wrong?

CodePudding user response:

If run behind a frontend server and proxy, use Forwarded Headers, which provide information on the initial request.

For your configuration set:

```properties
server.forward-headers-strategy=NATIVE
```

OR

```properties
server.forward-headers-strategy=FRAMEWORK
```

ref: https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html cap 3.12.

ref: https://datatracker.ietf.org/doc/html/rfc7239
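As an added example (not part of the question or the answer), an application.properties for the layout above that takes the NATIVE route: it installs Tomcat's RemoteIpValve, which honours X-Forwarded-* headers only when the immediate peer address matches internal-proxies, whereas the FRAMEWORK route's ForwardedHeaderFilter applies no such peer check and so relies entirely on the edge proxy stripping client-supplied headers. The loopback-only proxy pattern and the port are assumptions for this single-machine setup; the header-name properties are Tomcat's defaults, spelled out so they can be checked against the nginx config.

```properties
# Added example for Spring Boot 2.5 behind a local reverse proxy.
# Outside known cloud platforms server.forward-headers-strategy defaults to NONE:
# RemoteIpValve is not installed, X-Forwarded-Host is ignored, and
# request.getServerName() returns the host the app itself was bound to.

# Assumption: the port the npm proxyTable targets (http://localhost:8080).
server.port=8080

# NATIVE installs Tomcat's RemoteIpValve instead of Spring's ForwardedHeaderFilter.
server.forward-headers-strategy=NATIVE

# Only rewrite the request when the TCP peer is one of these addresses (regex,
# backslashes doubled for .properties escaping). Tomcat's default list also covers
# the RFC 1918 ranges; narrowing it to loopback is an assumption for a dev box where
# nginx and the npm dev server are the only upstreams. Headers arriving directly
# from any other address are left untouched, so getServerName() stays "localhost".
server.tomcat.remoteip.internal-proxies=127\\.0\\.0\\.1|0:0:0:0:0:0:0:1|::1

# Header names the valve reads (Tomcat defaults, matching what the nginx
# location block sets). https in X-Forwarded-Proto also marks the request secure.
server.tomcat.remoteip.remote-ip-header=X-Forwarded-For
server.tomcat.remoteip.protocol-header=X-Forwarded-Proto
server.tomcat.remoteip.host-header=X-Forwarded-Host
```

With this in place, a request that reached Tomcat through nginx on 127.0.0.1 reports local.alavoie.mytestdomain.com from request.getServerName(), while the same headers sent straight to port 8080 from a non-loopback address are ignored.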
