Search code examples
webspherewebsphere-libertyhttp-redirect

Configuring Liberty with httpProxyRedirect

I am attempting to redirect traffic on insecure port to secure port as described here: https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.liberty.autogen.core.doc/ae/rwlp_config_httpProxyRedirect.html

Instead both ports are available and I see nothing in the logs. It's as if the httpProxyRedirect isn't being configured at all. 

<?xml version="1.0" encoding="UTF-8"?>
<server description="CAST Liberty Server">
    <!-- Enable features -->
    <featureManager>
        <feature>webProfile-7.0</feature>
    </featureManager>

    <application id="app" context-root="/" type="war" location="${war.name}">
        <classloader apiTypeVisibility="spec, ibm-api, api, third-party" />
    </application>

    <httpProxyRedirect id="defaultHttpProxyRedirect" httpPort="${http.port}" httpsPort="${https.port}" />

    <keyStore id="defaultKeyStore" password="pass" />
    <httpEndpoint host="*" httpPort="${http.port}" httpsPort="${https.port}" id="defaultHttpEndpoint" />

    <applicationMonitor updateTrigger="mbean" />
</server>
Solution

  • Most likely, you are missing the security-constraints in the web.xml. This configuration tells the server which URLs need to be accessed over a secure transport and then re-directs qualifying requests from the non-secure port to the secure port. This tutorial may help: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

    Also, keep in mind that the httpProxyRedirect configuration in the server.xml is intended for redirecting when you have a proxy server in front of your application server. For example, you may have your proxy server on the main "www.ibm.com" host - listening on HTTP port 80 and HTTPS port 443. But that host may route some requests to your Liberty application server on some other host (like "app1host.internal.ibm.com") that listens on different ports (i.e. HTTP port 9080 and HTTPS port 9443). In that case, just using the security-constraints in the web.xml would attempt to redirect the client request on the Liberty server from 9080 to 9443 but on the www.ibm.com host - where nothing is listening on those ports. In this case, you should configure httpProxyRedirect like this:

    <httpProxyRedirect httpPort="80" httpsPort="443" host="www.ibm.com" />

    With the configuration, a client HTTP request to a secured URL will get redirected to www.ibm.com on port 443, where the proxy server will forward the request to app1host.internal.ibm.com port 9443.

    Hope this helps, Andy