Issue #5443 - Forwarding Headers are optional

+ Improve / document implied secure scheme behaviors for both `Proxy-Ssl-Id` or `Proxy-auth-cert` Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
jetty · Oct 13, 2020 · abdada0 · abdada0
1 parent f0681b3
commit abdada0
Showing 1 changed file with 21 additions and 8 deletions.
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java
@@ -481,8 +481,6 @@ public void customize(Connector connector, HttpConfiguration config, Request req
 
         if (match)
         {
-            String proto;
-
             // Is secure status configured from headers?
             if (forwarded.isSecure())
             {
@@ -492,8 +490,12 @@ public void customize(Connector connector, HttpConfiguration config, Request req
             // Set Scheme from configured protocol
             if (forwarded._proto != null)
             {
-                proto = forwarded._proto;
-                request.setScheme(proto);
+                request.setScheme(forwarded._proto);
+            }
+            // Set scheme if header implies secure scheme is to be used (see #isSslIsSecure())
+            else if (forwarded._secureScheme)
+            {
+                request.setScheme(config.getSecureScheme());
             }
 
             // Set authority
@@ -741,6 +743,7 @@ private class Forwarded extends QuotedCSVParser
         String _proto;
         Source _protoSource = Source.UNSET;
         Boolean _secure;
+        boolean _secureScheme = false;
 
         public Forwarded(Request request, HttpConfiguration config)
         {
@@ -784,25 +787,35 @@ private MutableHostPort getFor()
             return _for;
         }
 
-        @SuppressWarnings("unused")
+        /**
+         * Called if header is <code>Proxy-auth-cert</code>
+         */
         public void handleCipherSuite(HttpField field)
         {
             _request.setAttribute("javax.servlet.request.cipher_suite", field.getValue());
+
+            // Is ForwardingRequestCustomizer configured to trigger isSecure and scheme change on this header?
             if (isSslIsSecure())
             {
                 _secure = true;
-                _proto = "https";
+                // track desire for secure scheme, actual protocol will be resolved later.
+                _secureScheme = true;
             }
         }
 
-        @SuppressWarnings("unused")
+        /**
+         * Called if header is <code>Proxy-Ssl-Id</code>
+         */
         public void handleSslSessionId(HttpField field)
         {
             _request.setAttribute("javax.servlet.request.ssl_session_id", field.getValue());
+
+            // Is ForwardingRequestCustomizer configured to trigger isSecure and scheme change on this header?
             if (isSslIsSecure())
             {
                 _secure = true;
-                _proto = "https";
+                // track desire for secure scheme, actual protocol will be resolved later.
+                _secureScheme = true;
             }
         }