Redirecting HTTP to HTTPS in JBoss EAP 7
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.x
Issue
- Need to always redirect users from HTTP to HTTPS for security.
- How to redirect users from HTTP to HTTPS on ports 8080 and 8081?
- How to redirect users from HTTP to HTTPS for a specific domain (Host)?
Resolution
A rewrite rule can be used to redirect users. In the undertow subsystem (standalone*.xml or domain.xml) one will need to create a new rewrite filter and then enable the filter in a new filter-ref. Here are the JBoss CLI commands for the same configuration:
/subsystem=undertow/configuration=filter/rewrite=http-to-https:add(redirect="true",target="https://myhostname:443%U")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=http-to-https:add(predicate="equals(%p,8080)")
This is a thoroughly explanation for each command and how it reflects on the Undertow subsystem in the configuration files (standalone*.xml or domain.xml):
-
The first command creates the new
rewritefilter in thefilterssection. In the example below, users will be redirected tohttps://myhostname:443/my-app.%Uis a place-holder for the original request URL path; the usage of%Uis to make the redirect friendly and keep users' original request URL path.<filters> ... <rewrite name="http-to-https" redirect="true" target="https://myhostname:443%U"/> </filters> -
The second command, enables the filter and configure a predicate in the
hostsection. The predicate is where to configure what therewritefilter applies to. In the example below, ourrewritefilter will only apply to requests going toport8080.<server name="default-server"> <host name="default-host" alias="localhost"> ... <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
The predicate can be created using attributes and Undertow's built in operators, as well as, Boolean operators. Thus, to redirect from port 8080 and port 8081 the following command can be used:
/subsystem=undertow/server=default-server/host=default-host/filter-ref=http-to-https:add(predicate="equals(%p,8080) or equals(%p,8081)")
Which is reflected on the configuration files (standalone*.xml or domain.xml) as:
<filter-ref name="http-to-https" predicate="equals(%p,8080) or equals(%p,8081)"/>
To redirect users of a specific domain e.g. example.com only & not other users, you can add the following regex.
/subsystem=undertow/configuration=filter/rewrite=http-to-https:add(redirect="true",target="https://example.com%U")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=http-to-https:add(predicate="regex(pattern='example.com', value=%{i,Host}, full-match=true) and equals(%p,8080)")
This is reflected on the configuration files (standalone*.xml or domain.xml) as:
<filters>
...
<rewrite name="http-to-https" redirect="true" target="https://example.com%U"/>
</filters>
<server name="default-server">
<host name="default-host" alias="localhost">
...
<filter-ref name="http-to-https" predicate="regex(pattern='example.com', value=%{i,Host}, full-match=true) and equals(%p,8080)"/>
Other built-in operators and exchange attributes can be found on Content from undertow.io is not included.Undertow's Predicates Attributes-handlers
Diagnostic Steps
Check if the redirect is working properly by sending a request to the plain HTTP port. Check the Location header of the response to confirm the rewrite is working properly:
# curl -I http://localhost:8080/sample
HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Location: https://localhost:8443/sample
Content-Length: 0
Date: Thu, 02 Feb 2017 22:56:34 GMT
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.