
IG (All versions) redirects to HTTP when a reverse proxy or load balancer is doing SSL/TLS offloading

Last updated Jun 8, 2021

The purpose of this article is to provide assistance if IG redirects to a URL using the http protocol instead of the expected https protocol. End-users may see "The information you're about to submit is not secure" warnings in the Chrome™ browser and you may see "SSL is required in order to perform this operation" in the logs as well. This issue occurs when IG is protecting a resource using OIDC with a reverse proxy or load balancer (such as Nginx) doing SSL/TLS offloading in front of IG.


Symptoms

After IG redirects to AM during the OIDC flow, you notice that the redirect_uri parameter shows a URL that uses the http protocol instead of https.

End-users using the Chrome browser may see the following in their browsers when they are authenticating:

The information you're about to submit is not secure.

The following error may be shown in the route -auth log when this happens:

10:29:16:889 | ERROR | http-bio-8080-exec-4 | o.f.o.f.o.c.OAuth2ClientFilter | error="invalid_request", error_description="SSL is required in order to perform this operation"

Recent Changes

Configured IG to use OIDC.

Configured a reverse proxy or load balancer in front of IG to offload SSL/TLS.

End-users have upgraded to Chrome 88.

Causes

When OAuth2 is being used with IG (via the OAuth2ClientFilter), IG sees the request in HTTP and consequently sets the redirect_uri to the HTTP version. This causes an error because the redirect_uri is configured for an HTTPS URL. This is a known issue: OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS), which has been addressed in IG 7.0.2 and later.

Chrome 88 introduces warnings on forms that directly submit to http:// or that redirect to http:// with the form data preserved through the redirect. See Issue 1158169: Form is not Secure issue on new version for Chrome for further information.

Solution

This issue can be resolved using one of the following options depending on what version you are using:

  • IG 7.0.2 and later: Configure a route with the ForwardedRequestFilter to change the original URI. It is suitable for both IG in web container mode and in standalone mode. See ForwardedRequestFilter for further information.
  • Pre-IG 7.0.2: you can use one of the following options, although upgrading is the preferred approach:
    • Upgrade to IG 7.0.2 or later; you can download this from BackStage. Once you have upgraded, you should use the ForwardedRequestFilter to change the original URI. 
    • Configure Apache Tomcat™ for SSL offloading - this option is simple to implement. It is suitable if all routes have the same external URL and you have deployed IG on Tomcat.
    • Configure a route with a ScriptableFilter to manipulate the originalUri value - this option allows per route definition but is more complex to set up. It is suitable for both IG in web container mode and in standalone mode (IG 7 and later).

Configure Tomcat for SSL offloading

You can configure Tomcat for SSL offloading by specifying the proxyName, proxyPort and scheme attributes in the <Connector> element in the server.xml file, for example:

<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyName="proxy.example.com"
           proxyPort="443"
           scheme="https" />

See Apache Tomcat 8 - Proxy Support How-To for further information.

Configure a route with a ScriptableFilter

You can configure a route with a ScriptableFilter to reconstruct the UriContext using the original URL details (originalUri). The originalUri is used when creating the redirection URI. For example, your ScriptableFilter would look similar to this:

{
  "type": "ScriptableFilter",
  "name": "RequestRebaserFilter",
  "comment": "Rebase the request to use the original scheme, host and port",
  "config": {
    "type": "application/x-groovy",
    "source": [
      "Request newRequest = new Request(request);",
      "org.forgerock.util.Utils.closeSilently(request);",
      "newRequest.uri.scheme = request.headers['X-Forwarded-Proto'].firstValue",
      "newRequest.uri.host = request.headers['X-Forwarded-Host'].firstValue",
      "newRequest.uri.port = request.headers['X-Forwarded-Port'].firstValue as Integer",
      "newRequest.headers['Host'] = newRequest.uri.host;",
      "logger.info('Received request : ' + request.uri + ' rebased to ' + newRequest.uri);",
      "Context newRoutingContext = org.forgerock.http.routing.UriRouterContext.uriRouterContext(context).originalUri(newRequest.uri.asURI()).build();",
      "return next.handle(newRoutingContext, newRequest);"
    ]
  }
}

Essentially, the script takes the X-Forwarded-* headers set by the proxy, rebuilds the request URI from them, and stores that rebased URI as the originalUri in the routing context; the redirect URI that IG places in the Location header is then built from the https version rather than the http one IG received.
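The following Python script is an added illustration, not code from the article or from IG, of the mechanism described in the Causes section and reproduced by the ScriptableFilter above: it takes the request exactly as IG sees it behind a TLS-offloading proxy, rebuilds the external URI from X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port, and derives the OAuth2 redirect_uri from each version so the http-versus-https difference is visible. Unlike the Groovy script, it falls back to the values IG already has when a header is absent (the Groovy version throws on a missing header) and rejects unexpected scheme or port values. The sample request and headers are constructed; the clientEndpoint path, the AM authorize endpoint and the client_id are placeholders; and the assumption that IG builds the redirect_uri as <clientEndpoint>/callback is marked in the code. Note that, like the ScriptableFilter, this trusts whatever X-Forwarded-* values arrive, so it only belongs on an IG instance that is reachable exclusively through the proxy that sets them.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed sample input: what IG sees after a proxy has terminated TLS for
# https://ig.example.com/ and forwarded the request over plain HTTP.
SAMPLE_REQUEST_URI = "http://10.0.0.5:8080/home/protected"
SAMPLE_FORWARDED_HEADERS = {
    "Host": "10.0.0.5:8080",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "ig.example.com",
    "X-Forwarded-Port": "443",
}

ALLOWED_SCHEMES = ("http", "https")
DEFAULT_PORTS = {"http": 80, "https": 443}


def rebase_original_uri(request_uri, headers):
    """Rebuild the external (pre-offload) URI from X-Forwarded-* headers.

    Mirrors the ScriptableFilter's rebase, with two additions the Groovy
    script lacks: a missing header falls back to the value already present
    in the request URI, and scheme and port values are validated.
    """
    parts = urlsplit(request_uri)

    scheme = headers.get("X-Forwarded-Proto", parts.scheme).lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported X-Forwarded-Proto value: {scheme!r}")

    # X-Forwarded-Host may carry "host:port"; keep only the host part
    # (bracketed IPv6 literals are not handled in this illustration).
    host = headers.get("X-Forwarded-Host", parts.hostname or "").split(":", 1)[0]
    if not host:
        raise ValueError("no host available to rebase the request")

    port_raw = headers.get("X-Forwarded-Port")
    if port_raw is None:
        port = parts.port  # None when the request URI has no explicit port
    else:
        if not port_raw.isdigit() or not 1 <= int(port_raw) <= 65535:
            raise ValueError(f"invalid X-Forwarded-Port value: {port_raw!r}")
        port = int(port_raw)

    # Drop the port when it is the scheme default so the URI is canonical.
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def build_redirect_uri(original_uri, client_endpoint="/home/protected/openid"):
    """Derive the OAuth2 redirect_uri from an originalUri.

    Assumption (not stated in the article): IG forms the redirect_uri as
    <scheme>://<host>[:port]<clientEndpoint>/callback. client_endpoint is a
    placeholder path.
    """
    parts = urlsplit(original_uri)
    return urlunsplit((parts.scheme, parts.netloc, client_endpoint + "/callback", "", ""))


def build_authorize_location(original_uri, authorize_endpoint, client_id):
    """Build the Location header value IG would send the browser to AM with."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": build_redirect_uri(original_uri),
        "scope": "openid",
    })
    return f"{authorize_endpoint}?{query}"


if __name__ == "__main__":
    # Without the rebase: the symptom from the article, an http:// redirect_uri.
    print("as received:", build_redirect_uri(SAMPLE_REQUEST_URI))
    # With the rebase: the redirect_uri matches the registered https URL.
    rebased = rebase_original_uri(SAMPLE_REQUEST_URI, SAMPLE_FORWARDED_HEADERS)
    print("rebased    :", build_redirect_uri(rebased))
    # Placeholder AM endpoint and client_id.
    print(build_authorize_location(rebased, "https://am.example.com/am/oauth2/authorize", "ig-client"))
```

Running the script prints the http:// redirect_uri that triggers the "SSL is required" error first, then the https:// version produced after the rebase; the validation branches are the ones that fire if a proxy forwards a malformed or unexpected header value.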

See Also

OAuth2ClientFilter

Preparing IG for ForgeRock Service Broker

Related Training

N/A

Related Issue Tracker IDs

OPENIG-3913 (Provide more flexibility around the generation of the OAuth2ClientFilter clientEndpoint URIs)

OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS)

OPENIG-2571 (OAuth2ResourceServerFilter requireHttps=true applies to rebased request URI)

OPENIG-1664 (Provide support for basic URI path rewriting)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.