Arun Arun - 2 months ago 26
HTTP Question

Strange HTTP redirection loop from nginx to GlassFish upstream when basic authentication is enabled

I have a clustered GlassFish instance running on an Ubuntu 12.04 server with nginx as the front end.
I have configured the GlassFish upstream in the nginx conf file and the proxy params are all set.

nginx.conf
glassfish_custer ( upstream name )


Now the problem is,

I added a file realm in GlassFish with username and password entries to enable basic authentication for one of my applications.
I added the necessary login config params to the web.xml file, bundled the WAR and deployed it to the GlassFish server, and when I request the URL

http://domain.com/application


it falls into a redirect loop

https://domain.com/application


It happens only when I enable basic authentication. If I switch it off, everything works as expected.

I think I need to set some proxy header params and change the auth settings in the GlassFish admin console for the HTTP listener?

If anyone has experienced this issue before, please let me know.

In short: how do I make basic authentication work behind an nginx load balancer with GlassFish as the upstream?

UPDATE 1:
nginx.conf


## http redirects to https ##
server {
    #listen [::]:80;
    listen 80;
    server_name domain.com www.domain.com;

    location / {
        try_files $uri $uri/ @backend;
    }

    location @backend {
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header x-forwarded-for $remote_addr;
        proxy_pass http://glassfish_servers;
        proxy_intercept_errors on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }

    # Strict Transport Security
    # add_header Strict-Transport-Security max-age=2592000;
    # rewrite ^/.*$ https://$host$request_uri? permanent;
}

server {
    listen 443 ssl;
    #listen [::]:443 ssl;
    server_name domain.com www.domain.com;

    location / {
        try_files $uri $uri/ @backend;
    }

    ## default location ##
    location @backend {
        proxy_buffering off;
        proxy_pass http://glassfish_servers;
        proxy_intercept_errors on;

        #proxy_http_version 1.1;
        #proxy_set_header Connection "";

        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        # set headers
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        #proxy_redirect off;
    }

    ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/domain_com.key;

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!$

}

Answer

Answering my own question.

Having this XML configuration in web.xml was the root cause of the redirection loop. Since I added "CONFIDENTIAL" as the authority value, HTTP requests were getting redirected to HTTPS when the request hit the backend GlassFish instance. I changed this value to "NONE" and everything worked like a charm.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>wholesale</web-resource-name>
        <url-pattern>/acme/wholesale/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>PARTNER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Make the following changes

Change <transport-guarantee>CONFIDENTIAL</transport-guarantee>

to

<transport-guarantee>NONE</transport-guarantee>

Also, make sure to set proper proxy header values in the nginx conf file or, if you configured the site conf files separately in the sites-available folder, please add the following proxy headers there:

proxy_set_header x-forwarded-for $remote_addr;
proxy_intercept_errors on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
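
With the transport guarantee set to NONE, GlassFish no longer insists on TLS for the protected URLs, and the port-80 server block in the posted nginx.conf proxies straight to the backend, so Basic credentials can cross plain HTTP unless nginx redirects that traffic itself. The check below is an added example, not part of the original answer: it reads a web.xml and an nginx config and reports that combination. The function names and the abridged sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def protected_without_tls(web_xml):
    """URL patterns that require a role but do not ask the container for TLS."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # strip any Java EE XML namespace from tag names
        el.tag = el.tag.split("}")[-1]
    found = []
    for sc in root.iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if sc.find("auth-constraint") is not None and guarantee.strip() == "NONE":
            found += [u.text.strip() for u in sc.iter("url-pattern")]
    return found

def server_blocks(conf):
    """Bodies of the `server { ... }` blocks, matched by brace depth."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (samples have no '#' in values)
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies

def cleartext_proxy_listens(conf):
    """`listen` values of server blocks that proxy_pass without the `ssl` flag."""
    hits = []
    for body in server_blocks(conf):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        plain = [l.strip() for l in listens if "ssl" not in l.split()]
        if plain and re.search(r"\bproxy_pass\s", body):
            hits += plain
    return hits

def audit(web_xml, conf):
    """(url-pattern, listen) pairs where Basic credentials can cross plain HTTP."""
    return [(p, l) for p in protected_without_tls(web_xml) for l in cleartext_proxy_listens(conf)]

# Constructed samples modelled on the page's web.xml (after the NONE change) and nginx.conf
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/acme/wholesale/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>PARTNER</role-name></auth-constraint><user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee></user-data-constraint></security-constraint></web-app>"""
BACKEND = "location @backend { proxy_pass http://glassfish_servers; }"
AS_POSTED = f"server {{ listen 80; {BACKEND} }} server {{ listen 443 ssl; {BACKEND} }}"
REDIRECTING = f"server {{ listen 80; return 301 https://$host$request_uri; }} server {{ listen 443 ssl; {BACKEND} }}"
print(audit(WEB_XML, AS_POSTED), audit(WEB_XML, REDIRECTING))
```

The second sample replaces the port-80 proxying with a redirect to HTTPS, which is what the commented-out rewrite in the posted config would have done, and the check then reports nothing.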