Determine user-facing url in a Java application behind a reverse proxy

Question

I have this complex Java application which is hosted behind a reverse-proxy.

What is the best practice to determine your user-facing url at the java application level when calling request.getServerName(), request.getServerPort() and friends ?

We are using Tomcat (but we might switch to an embedded jetty) behind an Apache mod_proxy (but we'll definitely switch to Amazon Elastic Load Balancer). I have listed 4 solutions:

1. Use apache mod_proxy to rewrite the 303 redirects. This is part of our current solution but is ruled out because not available with Elastic Load Balancer
2. Let the application server read the Host HTTP header of the request
3. Hardcode the application location at the application server level (example config in Tomcat)
4. Stop using the standard ServletRequest API. Instead have the full qualified name of the server in a config file and read this config from our code.

Our current solution :

• redirects are rewritten by mod_proxy (first approach)
• some other parts of the application use a path that we set in a config file (last approach)

I definitely need to stop using approach 1 and I would like to settle on one of the other three propositions.

EDIT: This can be summarized as :

• Can I trust request.getServerName() ?
• Is so, can I trust the Host HTTP header ?

Answer 1

you can trust the HOST header passed on by the mod_proxy on Tomcat if you configure tomcat to preserver the HOST from the request i.e. using Directive:

ProxyPreserveHost On