metacubed

Reputation: 7301

Load balancer SSL termination with spring security

I have a web app with a Spring Security filter running on Tomcat. The app is deployed on an internal network and accepts incoming connections only from within this network. Assume this is machine srv_host.

Another machine lb_host within the same network hosts a load balancer (HAProxy). It accepts HTTPS connections from the outside world and terminates the SSL connection. It then redirects the call to the web app on srv_host via plain HTTP.

The Spring Security filter on srv_host checks for an auth token. If absent, it stores the original requested URL and then redirects to the login page. Once login is successful, it uses the stored URL to redirect back to the requested page.

The problem is that the stored URL is http://srv_host/... instead of https://lb_host/.... All future calls then start going through HTTP instead of HTTPS.

Is there any way to extract the original URL before the load-balancer does its work? I tried accessing the X-Forwarded-For header, but it is not set. Is there any specific configuration required to set this header? Also, are there any Spring Security settings to handle all this automatically?

Note: I found the question Offloading https to load balancers with Spring Security, but I can't understand the steps at all. Some more detail and/or steps would be very welcome.

Let me know if any additional details are needed.

Upvotes: 0

Views: 1187

Answers (1)

Yves Lafon

Reputation: 36

You can set the header in HAProxy using "option forwardfor". I point you to the HAProxy 1.5 documentation as you imply that it terminates SSL, which is supported since v1.5. http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-option%20forwardfor

Upvotes: 2
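
An added example, not part of the answer above and not taken from the HAProxy documentation: a minimal HAProxy 1.5 configuration for the setup in the question that sets the forwarding headers on lb_host and discards any copies sent by the client. The certificate path, ports, timeouts and section names are assumptions; lb_host and srv_host are the question's placeholder names.

```haproxy
# Added example. Runs on lb_host. Paths, ports and section names are assumed.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # TLS is terminated here (supported since HAProxy 1.5).
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # assumed certificate path

    # Remove any X-Forwarded-For the client sent, so the backend only ever
    # sees the value written by this proxy.
    http-request del-header X-Forwarded-For

    # Adds "X-Forwarded-For: <client IP>" to requests sent to the backend.
    # This header carries the client address only, not the scheme.
    option forwardfor

    # The original scheme travels in a separate header. set-header replaces
    # any existing value, so a client-supplied copy is overwritten.
    # This frontend only binds TLS, so the value is always https.
    http-request set-header X-Forwarded-Proto https

    default_backend app

backend app
    # Plain HTTP to the application on the internal network.
    server srv srv_host:8080 check                  # assumed port
```

On srv_host the application server still has to be told to honour these headers, and only for requests arriving from lb_host's address; with Tomcat that is the job of RemoteIpValve (its protocolHeader and internalProxies attributes).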