When TLS/SSL is offloaded at a hardware load balancer or an HTTP reverse-proxy server, Tomcat does not have any clue about this. If a web application uses the API call HttpServletRequest.getRequestURL() (https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getRequestURL--), it will get http://HOST_HEADER.... This causes trouble, e.g. with the Spring Security SAML extension / OpenSAML, as the URL is checked against the SAML metadata, where the Assertion Consumer Service URL is configured starting with the scheme https.

In a standalone Tomcat deployment, this is fixed by configuring the Tomcat HTTP connector accordingly. For this purpose the Tomcat HTTP connector allows setting the properties scheme and secure (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Common_Attributes).

Using server.use-forward-headers=true and setting the HTTP request header X-Forwarded-Proto=https at the LB / HTTP RP does not help in the case of the Spring Security SAML extension. The only chance to make this work is to implement a custom org.springframework.boot.web.server.WebServerFactoryCustomizer.

Comment From: larsgrefer

Have you tried setting server.tomcat.protocol-header to X-Forwarded-Proto?

Comment From: larsgrefer

You might also need to set server.tomcat.internal-proxies

If you want to debug what's happening set a breakpoint in org.apache.catalina.valves.RemoteIpValve#invoke
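Added example, not code from this thread or from the Spring Boot project: what larsgrefer's suggestion looks like when wired up programmatically instead of via properties. A WebServerFactoryCustomizer registers an org.apache.catalina.valves.RemoteIpValve that rewrites scheme, secure and server port from X-Forwarded-Proto, but only for requests whose peer address matches the internal-proxies pattern, so a client that talks to Tomcat directly cannot forge "secure". The load-balancer address range (10.0.1.x) and the /request-info endpoint are assumptions for the demonstration; the target is Spring Boot 2.x with embedded Tomcat 9 (javax.servlet).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.valves.RemoteIpValve;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class TrustedProxyTomcatConfig {

    // Assumption: the TLS-terminating load balancer sits in 10.0.1.0/24.
    // RemoteIpValve takes a regex over the peer address, not a CIDR.
    private static final String LB_PROXIES = "10\\.0\\.1\\.\\d{1,3}";

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> remoteIpValveCustomizer() {
        return factory -> {
            RemoteIpValve valve = new RemoteIpValve();
            // Header carrying the original client address, parsed right to left.
            valve.setRemoteIpHeader("X-Forwarded-For");
            // Header carrying the original scheme; "https" flips request.isSecure()
            // to true, getScheme() to "https" and getServerPort() to the https port.
            valve.setProtocolHeader("X-Forwarded-Proto");
            valve.setProtocolHeaderHttpsValue("https");
            valve.setPortHeader("X-Forwarded-Port");
            // Only requests arriving from these peers get their headers honoured;
            // from anywhere else the X-Forwarded-* headers are ignored.
            valve.setInternalProxies(LB_PROXIES);
            factory.addEngineValves(valve);
        };
    }

    // Small probe endpoint so the effect can be checked with curl.
    @RestController
    static class RequestInfoController {
        @GetMapping("/request-info")
        Map<String, Object> info(HttpServletRequest request) {
            Map<String, Object> out = new LinkedHashMap<>();
            out.put("remoteAddr", request.getRemoteAddr());
            out.put("scheme", request.getScheme());
            out.put("secure", request.isSecure());
            out.put("serverPort", request.getServerPort());
            // This is the value the SAML extension compares against the
            // Assertion Consumer Service URL from the metadata.
            out.put("requestURL", request.getRequestURL().toString());
            return out;
        }
    }
}
```

To verify, send `curl -H 'X-Forwarded-Proto: https' http://app:8080/request-info` once from a host inside 10.0.1.0/24 and once from outside it: the first answer reports scheme https, secure true and an https requestURL, the second stays http, which is exactly the check that stops an untrusted client from claiming a TLS connection it does not have. The same valve can be configured without code through `server.forward-headers-strategy=native`, `server.tomcat.remoteip.protocol-header=X-Forwarded-Proto` and `server.tomcat.remoteip.internal-proxies=<regex>` (Boot 2.2 and later; older releases use `server.use-forward-headers`, `server.tomcat.protocol-header` and `server.tomcat.internal-proxies`). Unlike the connector-level `scheme`/`secure` override, this keeps direct-to-Tomcat requests honest about being plain http.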

Comment From: wilkinsona

@bthalmayr I am not sure that setting the scheme and secure properties on the connector is the best solution here. Can you please provide a minimal sample that reproduces the problem?

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: bthalmayr

I'm sorry for the delay. I'll try to provide some tests as soon as possible.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

Comment From: jalmasi

Workaround:

```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;

public class EmbeddedTomcatCustomizer implements WebServerFactoryCustomizer<TomcatServletWebServerFactory> {
    // ...
    @Override
    public void customize(TomcatServletWebServerFactory factory) {
        // ... if custom property is set ...
        factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
            @Override
            public void customize(Connector connector) {
                // Make every request on this connector report scheme https / secure
                connector.setScheme("https");
                connector.setSecure(true);
            }
        });
    }
    // ...
}
```

(I just found out that Swagger UI redirects to http, so all API calls fail; Boot 2.7.18)