IG (All versions) redirects to HTTP when a reverse proxy or load balancer is doing SSL/TLS offloading

Last updated Jan 7, 2021

The purpose of this article is to provide assistance if IG redirects to a URL using the http protocol instead of the expected https protocol. End-users may see "The information you're about to submit is not secure" warnings in the Chrome™ browser and you may see "SSL is required in order to perform this operation" in the logs as well. This issue occurs when IG is protecting a resource using OIDC with a reverse proxy or load balancer (such as Nginx) doing SSL/TLS offloading in front of IG.

Symptoms

After IG redirects to AM during the OIDC flow, you notice that the redirect_uri parameter shows a URL that uses the http protocol instead of https.

End-users using the Chrome browser may see the following in their browsers when they are authenticating:

The information you're about to submit is not secure.

The following error may be shown in the route -auth log when this happens:

10:29:16:889 | ERROR | http-bio-8080-exec-4 | o.f.o.f.o.c.OAuth2ClientFilter | error="invalid_request", error_description="SSL is required in order to perform this operation"

Recent Changes

Configured IG to use OIDC.

Configured a reverse proxy or load balancer in front of IG to offload SSL/TLS.

End-users have upgraded to Chrome 88.

Causes

When OAuth2 is being used with IG (via the OAuth2ClientFilter), IG sees the request in HTTP and consequently sets the redirect_uri to the HTTP version. This causes an error because the redirect_uri is configured for an HTTPS URL. This is a known issue: OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS).

Chrome 88 introduces warnings on forms that directly submit to http:// or that redirect to http:// with the form data preserved through the redirect. See Issue 1158169: Form is not Secure issue on new version for Chrome for further information.

Solution

This issue can be resolved using one of the following options:

  • Configure Apache Tomcat™ for SSL offloading - this option is simple to implement. It is suitable if all routes have the same external URL and you have deployed IG on Tomcat.
  • Configure a route with a ScriptableFilter to manipulate the originalUri value - this option allows per-route definition but is more complex to set up. It is suitable for IG both in web container mode and in standalone mode (IG 7 and later).

Configure Tomcat for SSL offloading

You can configure Tomcat for SSL offloading by specifying the proxyName, proxyPort and scheme attributes in the <Connector> element in the server.xml file, for example:

<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyName="proxy.example.com"
           proxyPort="443"
           scheme="https" />

See Apache Tomcat 8 - Proxy Support How-To for further information.

Configure a route with a ScriptableFilter

You can configure a route with a ScriptableFilter to reconstruct the UriContext using the original URL details (originalUri). The originalUri is used when creating the redirection URI. For example, your ScriptableFilter would look similar to this:

{
  "type": "ScriptableFilter",
  "name": "RequestRebaserFilter",
  "comment": "Rebase the request to use the original scheme, host and port",
  "config": {
    "type": "application/x-groovy",
    "source": [
      "Request newRequest = new Request(request);",
      "org.forgerock.util.Utils.closeSilently(request);",
      "newRequest.uri.scheme = request.headers['X-Forwarded-Proto'].firstValue",
      "newRequest.uri.host = request.headers['X-Forwarded-Host'].firstValue",
      "newRequest.uri.port = request.headers['X-Forwarded-Port'].firstValue as Integer",
      "newRequest.headers['Host'] = newRequest.uri.host;",
      "logger.info('Received request : ' + request.uri + ' rebased to ' + newRequest.uri);",
      "Context newRoutingContext = org.forgerock.http.routing.UriRouterContext.uriRouterContext(context).originalUri(newRequest.uri.asURI()).build();",
      "return next.handle(newRoutingContext, newRequest);"
    ]
  }
},

Essentially, the script takes the X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers set by the proxy, rewrites the originalUri from them, and the rebased URI is what the OAuth2ClientFilter then uses in the Location header and the redirect_uri parameter.
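To make the rebasing logic easier to reason about, here is an added Python model of what the ScriptableFilter above does; it is example code written for this article, not IG's own implementation. It rebuilds the external URI from the X-Forwarded-* headers and checks that the resulting redirect_uri is https before it would be sent to AM. All sample addresses and header values are constructed; the rule that forwarded headers are only honoured when the connection comes from a configured proxy address, and the omission of default ports, are assumptions added here that the article's Groovy script does not make.

```python
from urllib.parse import urlsplit, urlunsplit

# Addresses of the reverse proxy / load balancer that may set X-Forwarded-*
# (constructed sample value; an assumption, not something the article configures).
TRUSTED_PROXIES = {"10.0.0.5"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def rebase_uri(request_uri, headers, peer_addr):
    """Rebuild the external URI the way the RequestRebaserFilter does.

    request_uri: the URI IG itself observed (e.g. http://ig.internal:8080/home)
    headers:     request headers as a dict of lower-cased name -> value
    peer_addr:   address the connection arrived from
    Returns the rebased URI, or request_uri unchanged when the forwarded
    headers are absent or the request did not come from a trusted proxy.
    """
    if peer_addr not in TRUSTED_PROXIES:
        return request_uri
    scheme = headers.get("x-forwarded-proto")
    host = headers.get("x-forwarded-host")
    if not scheme or not host:
        return request_uri
    # Mirrors "X-Forwarded-Port ... as Integer" in the Groovy script.
    port = int(headers.get("x-forwarded-port", DEFAULT_PORTS.get(scheme, 0)))
    parts = urlsplit(request_uri)
    # Drop the port when it is the scheme's default so the result matches a
    # registered redirect_uri such as https://proxy.example.com/... exactly.
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def build_redirect_uri(original_uri, client_endpoint="/openid"):
    """Derive the redirect_uri from the (rebased) originalUri and refuse an
    http:// result, the condition behind "SSL is required in order to perform
    this operation". The <clientEndpoint>/callback layout is assumed here."""
    parts = urlsplit(original_uri)
    redirect = urlunsplit((parts.scheme, parts.netloc, client_endpoint + "/callback", "", ""))
    if parts.scheme != "https":
        raise ValueError(f"redirect_uri would be insecure: {redirect}")
    return redirect


# Constructed sample: headers IG sees behind an SSL/TLS-offloading proxy.
SAMPLE_HEADERS = {
    "host": "ig.internal:8080",
    "x-forwarded-proto": "https",
    "x-forwarded-host": "proxy.example.com",
    "x-forwarded-port": "443",
}
```

Running rebase_uri on "http://ig.internal:8080/home?x=1" with SAMPLE_HEADERS from the trusted proxy yields "https://proxy.example.com/home?x=1", while the same request without forwarded headers stays http and is rejected by build_redirect_uri.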

See Also

Configuration Reference › OAuth2ClientFilter

User Guide › Preparing IG for ForgeRock Service Broker

Related Training

N/A

Related Issue Tracker IDs

OPENIG-3913 (Provide more flexibility around the generation of the OAuth2ClientFilter clientEndpoint URIs)

OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS)

OPENIG-2571 (OAuth2ResourceServerFilter requireHttps=true applies to rebased request URI)

OPENIG-1664 (Provide support for basic URI path rewriting)


Copyright © 2021 ForgeRock, all rights reserved.