[jetty-users] ForwardedRequestCustomizer and Request.recycle()


Carey Evans
Hi all.

I'm working on some strange behaviour that we're seeing with Jetty 9.0.6
behind a reverse proxy, which sets X-Forwarded-Proto to "http" or
"https", which is picked up by the default ForwardedRequestCustomizer to
set the scheme on the Request object. So far, this is working fine,
although terminating HTTPS on the reverse proxy feels a bit dodgy.

However, we're having random and hard-to-reproduce problems where a
request seems to get stuck as secure, even when X-Forwarded-Proto is
"http". Correct me if I'm wrong, but it looks like this is happening:

- The Request object's secure flag is set to true when X-Forwarded-Proto
is "https".

- After the request is handled, the recycle() method is called, but in
9.0.6 the secure flag is not changed.
(http://download.eclipse.org/jetty/stable-9/xref/org/eclipse/jetty/server/Request.html#1500)

- The next HTTP request on the channel has X-Forwarded-Proto set to
"http", but ForwardedRequestCustomizer doesn't set the secure flag back
to false either.

Am I missing something, or should either recycle() or
ForwardedRequestCustomizer be resetting the secure flag?


--
  Carey Evans
  [hidden email]
_______________________________________________
jetty-users mailing list
[hidden email]
https://dev.eclipse.org/mailman/listinfo/jetty-users
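
The sequence described in the message above, modelled as an added example (not part of the original post and not Jetty's code): `PooledRequest`, its two recycle methods and the two customizer functions are hypothetical stand-ins. It shows how a flag that is only ever raised carries over to the next request on a reused object, and the two places where it can be cleared.

```java
import java.util.Map;

// Hypothetical model of a request object reused across requests on one
// connection. Not Jetty's code; class and method names are assumptions.
public class RecycleSecureFlagDemo {

    static class PooledRequest {
        String scheme = "http";
        boolean secure = false;

        // Leaves 'secure' untouched, matching the behaviour the message describes.
        void recycleWithoutReset() { scheme = "http"; }
        // Clears all per-request state, including the secure flag.
        void recycleWithReset() { scheme = "http"; secure = false; }
    }

    // Only ever raises the flag; an "http" header value never lowers it.
    static void customizeOneWay(PooledRequest r, Map<String, String> headers) {
        String proto = headers.get("X-Forwarded-Proto");
        if (proto == null) return;
        r.scheme = proto;
        if ("https".equalsIgnoreCase(proto)) r.secure = true;
    }

    // Derives the flag from the header on every request, in both directions.
    static void customizeAssign(PooledRequest r, Map<String, String> headers) {
        String proto = headers.get("X-Forwarded-Proto");
        if (proto == null) return;
        r.scheme = proto;
        r.secure = "https".equalsIgnoreCase(proto);
    }

    public static void main(String[] args) {
        // Constructed sample: two requests arriving on one kept-alive proxy connection.
        Map<String, String> first = Map.of("X-Forwarded-Proto", "https");
        Map<String, String> second = Map.of("X-Forwarded-Proto", "http");
        PooledRequest leaky = new PooledRequest();
        customizeOneWay(leaky, first);
        leaky.recycleWithoutReset();
        customizeOneWay(leaky, second);
        System.out.println("no reset, one-way: scheme=" + leaky.scheme + " secure=" + leaky.secure);

        PooledRequest fixed = new PooledRequest();
        customizeAssign(fixed, first);
        fixed.recycleWithReset();
        customizeAssign(fixed, second);
        System.out.println("reset + assign:    scheme=" + fixed.scheme + " secure=" + fixed.secure);
    }
}
```

In this model, resetting in the recycle step also covers a follow-up request that carries no X-Forwarded-Proto header at all, which assignment in the customizer alone would not.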