Enabling HTTPS with Spring Security : This webpage has a redirect loop
Your HTTPS connection is handled by NGINX. The connection to your application is an HTTP connection. So basically secure on the outside, insecure on the inside.
Spring Security uses the isSecure() method from the ServletRequest to determine if it is secure; by default this checks the protocol to be https.
As you are using Tomcat you can configure an additional valve, the RemoteIpValve, to influence the behavior of the isSecure() and getRemoteAddr() methods (and some others).
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="192\.168\.0\.10|192\.168\.0\.11"
           remoteIpHeader="x-forwarded-for"
           proxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />
Add the above to the <Host> element (of course you might need to remove/modify the internal proxies parameter).
In your Nginx configuration add the X-Forwarded-proto header.
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        proxy_set_header Host $http_host;
    }
Or simply remove the checks for a secure channel and assume everything is ok...
Links
- ServletRequest.isSecure javadoc
- RemoteIpValve javadoc
- NGinx SSL Proxy
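
Added example, not part of the original answer and not Tomcat's or Spring Security's source: a simplified model of the decision the valve settings above drive, showing why the x-forwarded-proto header only counts when the TCP peer matches internalProxies. The class and method names are hypothetical, and the sample requests are constructed.

```java
import java.util.regex.Pattern;

// Simplified model of what the <Valve> settings in the answer control.
// Hypothetical names; this is not Tomcat's RemoteIpValve implementation.
public class ForwardedProtoModel {
    // Same pattern as the internalProxies attribute in the answer.
    static final Pattern INTERNAL_PROXIES =
            Pattern.compile("192\\.168\\.0\\.10|192\\.168\\.0\\.11");

    /**
     * What isSecure() reports for a request that reached Tomcat over plain HTTP.
     * @param peerAddr       address of the TCP peer that connected to Tomcat
     * @param forwardedProto value of the x-forwarded-proto header, or null
     */
    static boolean isSecure(String peerAddr, String forwardedProto) {
        // The header is honoured only when the peer is a configured proxy;
        // anyone else could have typed the header themselves.
        if (!INTERNAL_PROXIES.matcher(peerAddr).matches()) {
            return false;
        }
        return "https".equalsIgnoreCase(forwardedProto);
    }

    /** Outcome of a "require secure channel" rule for that request. */
    static String channelDecision(boolean secure) {
        return secure ? "serve" : "redirect to https";
    }

    public static void main(String[] args) {
        // Constructed sample requests: {peer address, x-forwarded-proto}
        String[][] samples = {
            {"192.168.0.10", "https"}, // via the proxy, client used TLS
            {"192.168.0.10", "http"},  // via the proxy, client used plain HTTP
            {"192.168.0.10", null},    // proxy not sending the header: loop
            {"203.0.113.7", "https"},  // direct to Tomcat, header not trusted
        };
        for (String[] s : samples) {
            boolean secure = isSecure(s[0], s[1]);
            System.out.printf("peer=%-13s proto=%-5s isSecure=%-5s -> %s%n",
                    s[0], s[1], secure, channelDecision(secure));
        }
    }
}
```

The third sample is the redirect loop from the question title: every request arrives over HTTP without the header, so each one is redirected to https again. If Nginx runs on the same host as Tomcat, as the `proxy_pass http://localhost:8080` line suggests, the peer address Tomcat sees is the loopback address, so internalProxies has to match that instead.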